Technical Tip: Disable local network access when split tunnel is disabled
Description
This article describes how to disable local network access for SSL VPN while split tunnelling is disabled.
Solution
This feature for SSL-VPN can be set up to control local LAN traffic, in order to forward it all to the FortiGate.
Enable exclusive-routing via CLI inside the preferred portal, full-access in this example:
# config vpn ssl web portal
edit full-access
set exclusive-routing enable
next
end
Here there is an example of the feature that works with FortiClient.
Windows network setting :
- Local LAN 192.168.100.19/21.
- SSL VPN address 10.212.134.200.
Test:
Ping from Windows machine to 8.8.8.8.
Ping from Windows machine to 8.8.8.8.
Sniffer packet on remote FortiGate.
Ping from Windows machine to 192.168.100.41 (internal LAN).
Sniffer packet on remote FortiGate.
In this example, the packets are not responded to due to a missing policy to allow the ICMP traffic.
To use 'set exclusive-routing enable' with FortiOS 6.4 FortiClient 6.4.2 is needed at least.
Related Articles