Skip to main content
RaulC
RaulC
New Member
December 14, 2021
Question

Routing negate cannot be enabled with "all" in destination policy

  • December 14, 2021
  • 2 replies
  • 3748 views

We were using split tunneling with split-tunneling-routing-negate enable and all was well, we had routes negated (set to local client default) with the default route set to the VPN address for all other traffic.

 

We turned off split tunneling in the process of troubleshooting another issue and it will not allow me to enable it again:

 

Firewall01 (split-tunnel) # set split-tunneling enable
Could not enable split tunneling, as policy 88 has "all"
as destination address.
node_check_object fail! for split-tunneling enable

value parse error before 'enable'
Command fail. Return code -2008

 

This is probably because the firewall creates the routes based on the policies, and "all" would make a default route which makes sense if you are not using "routing-negate" but in our case that is exactly what we want.

 

The only difference is we did update firmware in the firewall to 6.4.7 in the time between initially enabling and now.  Is this a problem in this version?  How can I get split-tunneling-routing-negate enabled again?

2 replies

Jason_Guo
Jason_Guo
New Member
December 15, 2021

Hi RauIC,

    I think policy 88 should be a policy related to SSL VPN. According to the error msg, the dest address of policy 88 use all. You can modify the dest address of policy 88 to a specific detailed address, and then enable split-tunneling.

RaulC
RaulCAuthor
New Member
December 15, 2021

Found my issue, when I disabled "Split Tunneling" in the UI it set "split-tunneling disable" in the config, I had to:

 

unset split-tunneling

 

Then:

set split-tunneling-routing-negate enable

 

I was trying to "set split-tunneling enable" which doesnt work.  Thank FortiCloud for backup retention, I was able to just look at the old config.

Toshi_Esumi
SuperUser
Toshi_Esumi
SuperUser
December 16, 2021

That's counter-intuitive. With that setting (no setting), does the default route get injected into the client machine's routing-table (Win "route print")? I haven't used it so I want to know.

 

Toshi

Terms & ConditionsAccessibility statement