shocko
Explorer III
April 23, 2024
Solved

Split Tunnel with SSL VPN and Local Resource Access Prevention

  • April 23, 2024
  • 2 replies
  • 4859 views

We are using FortiClient EMS 7.2.3 and 7.2.3 and split-tunnel for certain traffic (MS Teams for example). To prevent accessing local services (NAS box for example) we enabled exclusive routing on our FortiGate 7.0.0 as per Enabling SSL VPN Full Tunnel - Fortinet Community. However, we can still access local resources/services.

Best answer by pminarik

 

Given that "exclusive-routing" is available as an option only when full-tunnel is enabled ("set split-tunneling disable", I would question whether these two options are compatible at all.

 

AFAIK app-based split-tunnel is a local routing decision made by FCT (and configured by EMS), so there's a chance that this completely overrides any routing directives received from FGT.

 

edit: Yes, this is as designed. App-based split-routing disables exclusive-routing. Confirmed internally.

 

edit 2: The community article you referenced is now updated with a note about the incompatibility.

 

edit 3: There is a FortiClient/EMS-specific option to disable local LAN access - <enable_local_lan>, which should work with app-based split routingXML docs reference: https://docs.fortinet.com/document/forticlient/7.2.4/xml-reference-guide/858086/ssl-vpn

2 replies

pminarik
Staff
April 23, 2024

Given that "exclusive-routing" is available as an option only when full-tunnel is enabled ("set split-tunneling disable"), I would question whether these two options are compatible at all.

AFAIK app-based split-tunnel is a local routing decision made by FCT (and configured by EMS), so there's a chance that this completely overrides any routing directives received from FGT.

edit: Yes, this is as designed. App-based split-routing disables exclusive-routing. Confirmed internally.

edit 2: The community article you referenced is now updated with a note about the incompatibility.

edit 3: There is a FortiClient/EMS-specific option to disable local LAN access - <enable_local_lan>, which should work with app-based split routing. XML docs reference: https://docs.fortinet.com/document/forticlient/7.2.4/xml-reference-guide/858086/ssl-vpn

shocko (Author)
Explorer III
April 30, 2024

Thanks for the feedback @pminarik. I have verified this is the case via testing. This seems like quite a big deal to me and something without an alternative workaround. I think most users of any modern VPN solution will want split-tunnel capability for things like MS Teams, but it seems that unless we use the Domain/FQDN option for same (which is not scalable/maintainable for cloud services in my opinion) we introduced a huge security hole where local service access is available? Is there any option to block local service access with Web Filter or Application firewall within the EMS suite?

pminarik
Staff
April 30, 2024

Unfortunately the FGT-imposed setting and the EMS-imposed setting are incompatible in this case. You would need some option from EMS to force this. And now that I thought of that, what about enable_local_lan = 0? Have you tried it?

XML docs reference: https://docs.fortinet.com/document/forticlient/7.2.4/xml-reference-guide/858086/ssl-vpn
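A small audit script for the setting pminarik points to, added here as an example and not code from Fortinet or from either poster: it parses a FortiClient XML profile and reports whether <enable_local_lan> is set to 0, so an EMS profile can be checked before it is pushed. The sample profiles are constructed, and the placement of the element under <vpn><sslvpn><options> is an assumption, which is why the check searches the whole document for the element name rather than one fixed path.

```python
import xml.etree.ElementTree as ET

# Constructed sample profiles. <enable_local_lan> is the key named in the
# thread; its placement under <vpn><sslvpn><options> is an assumption.
PROFILE_LAN_BLOCKED = """<forticlient_configuration>
  <vpn><sslvpn><options>
    <enable_local_lan>0</enable_local_lan>
  </options></sslvpn></vpn>
</forticlient_configuration>"""

PROFILE_LAN_ALLOWED = PROFILE_LAN_BLOCKED.replace(
    "<enable_local_lan>0", "<enable_local_lan>1")

PROFILE_KEY_MISSING = """<forticlient_configuration>
  <vpn><sslvpn><options/></sslvpn></vpn>
</forticlient_configuration>"""


def audit_local_lan(profile_xml: str) -> dict:
    """Report the profile's local LAN setting.

    Keys: 'setting' (raw value, list if repeated, None when absent),
    'blocked' (True only when every occurrence is '0') and 'note'.
    """
    root = ET.fromstring(profile_xml)
    # Search the whole tree so the result does not depend on the assumed path.
    values = [(el.text or "").strip() for el in root.iter("enable_local_lan")]
    if not values:
        return {"setting": None, "blocked": False,
                "note": "enable_local_lan absent: treat local LAN as "
                        "reachable until verified on a client"}
    blocked = all(v == "0" for v in values)
    return {"setting": values[0] if len(values) == 1 else values,
            "blocked": blocked,
            "note": ("local LAN access blocked on the client" if blocked else
                     "local LAN reachable: FGT exclusive-routing does not "
                     "enforce this once app-based split tunnel is used")}


if __name__ == "__main__":
    for name, xml in [("blocked", PROFILE_LAN_BLOCKED),
                      ("allowed", PROFILE_LAN_ALLOWED),
                      ("missing", PROFILE_KEY_MISSING)]:
        print(name, audit_local_lan(xml))
```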

shocko (Author)
Explorer III
May 1, 2024

Thanks @pminarik. I'll go and test this and revert.