Technical Tip: Address Objects with ‘Interface-Subnet’ Address Type Cannot be added under IPv4 Split Tunnel Configuration for Remote Access VPN

FortiGate GUI prevents adding an address or address group configured with the Interface Subnet address type under the IPv4 split tunnel option in a dial-up IPsec VPN. When attempted, the following errors appear:

Address/Address group configuration:

CLI:

config firewall address

    edit "port1"

        set type interface-subnet

        set subnet 10.126.245.0 255.255.255.248

        set interface "port1"

    next

end

config firewall addrgrp

    edit "port1-test"

        set member "port1"

    next

end

GUI:

Error: 'Invalid address selected': occurs when adding an address object configured with ‘Interface-Subnet’ Address type.

Error: 'Invalid address group selected': occurs when adding an address group configured with ‘Interface-Subnet’ Address type.

This behavior is limited to the GUI. The same configuration can be entered successfully through the CLI, although the GUI will still display the error messages.

This issue has been resolved in:

• v7.6.5 (available to download from the Fortinet support portal).
• v8.0.0 (scheduled to be released in March 2026).

These timelines for firmware release are estimates and may be subject to change.

Workaround:
Create a new address object for the same subnet using the ‘any’ interface type, and then add this address object to the IPv4 split tunnel configuration.
CLI:

config firewall address

    edit "Split-Subnet"

       set subnet 10.126.245.0 255.255.255.248

    next

end

config vpn ipsec phase1-interface
    edit RA-VPN
       set ipv4-split-include Split-Subnet
    next
end

GUI: