vovochka83
New Member
August 30, 2021
Question

Route specific public domain for SSL VPN split tunnel

  • August 30, 2021
  • 2 replies
  • 7104 views

Is it possible to route a public domain, for example abc.com, via the firewall's outgoing interface? For example, when an SSL VPN user tries to access xyz.abc.com, the FortiGate would redirect that traffic via the outgoing interface, while all other traffic exits through the SSL VPN user's default gateway.


    lobstercreed
    New Member
    August 30, 2021

    Of course, you just have to include that in the split tunnel routing the same way you would for other LAN traffic. In our particular case, I leave the split tunnel config blank and let the firewall build the split tunnel list by what policies are allowed. If you do this the same, you simply need a policy to that destination with the appropriate users going from the ssl.root to the WAN. You can add more destinations as needed.
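As an added illustration of that approach (not lobstercreed's own configuration), here is the FortiOS CLI shape of it: an FQDN address object for the destination, a portal with split tunnelling enabled but no explicit routing addresses, and a policy from ssl.root to the WAN interface so the route list pushed to clients is derived from the policy. The portal name, the interface name wan1, the user group sslvpn-users and the object names are assumptions; the `#` lines are annotations, not CLI input.

```fortios
# FQDN address object: the FortiGate resolves it itself and refreshes the
# resolved IPs, so the policy follows address changes without manual edits.
config firewall address
    edit "xyz.abc.com"
        set type fqdn
        set fqdn "xyz.abc.com"
    next
end

# Portal with split tunnelling enabled and split-tunneling-routing-address
# left empty: the client's route list is then built from the policies
# whose source interface is ssl.root.
config vpn ssl web portal
    edit "split-portal"            # assumed portal name
        set tunnel-mode enable
        set split-tunneling enable
    next
end

# Policy that both permits the traffic and publishes the route to clients.
# Only destinations named in ssl.root policies are pushed; everything else
# keeps using the client's own default gateway.
config firewall policy
    edit 0                         # 0 = next free policy ID
        set name "sslvpn-to-xyz"
        set srcintf "ssl.root"
        set dstintf "wan1"         # assumed WAN interface
        set srcaddr "all"
        set dstaddr "xyz.abc.com"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "sslvpn-users"  # assumed SSL VPN user group
        set nat enable
    next
end
```

After a client connects, compare the routes it received against the addresses the FortiGate currently holds for the object to confirm the split-tunnel list is being derived as expected.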

    vovochka83
    New Member
    August 31, 2021

    What if some domains use dynamic public IP addresses with a load balancer? For example, nslookup xyz.aabbcc.com will resolve 2 IP addresses, 10.10.10.10 and 20.20.20.20, and then after a few hours change them to 30.30.30.30 and 40.40.40.40. I can't keep monitoring the IP addresses and adding them into the FortiGate firewall, right?

    lobstercreed
    New Member
    August 31, 2021

    Why not use an FQDN address object so that it keeps up with those changes dynamically? I assumed that's what you intended to do in the first place.

    iincitr
    New Member
    November 4, 2021

    Hi,

    did you solve the issue?

    I am looking for a solution.

    Thank you

    JonasV
    Explorer
    November 9, 2021

    I've been trying to solve the same issue; however, what I've encountered (even with an FQDN object) is that only the first IP that the FortiOS resolves is passed to the FortiClients, i.e. to the PC's local routing table. Viewing the routing table of a PC with the CMD command Route PRINT will also only list one. At this point I think it's a limitation of the "tunnel-VPN".