jayuk76
New Member
May 20, 2020
Question

SSL-VPN - Can we do this?

  • May 20, 2020
  • 2 replies
  • 6337 views

Hi

We are using the SSL VPN in split tunnel mode.

So when we are connected, all web traffic goes out locally and company traffic goes through the tunnel.

But we want to allow a handful of websites (URLs) to go through the VPN as they are whitelisted.

If we could do it based on groups, even better, but not essential. We do use LDAP integration.

What is the easiest way to do this?

Any help is greatly appreciated.

Jay

    2 replies

    Toshi_Esumi
    SuperUser
    May 20, 2020

    We had the same request from one of our customers. But we found out FQDN addresses are not configurable for the split tunnel. If you know the IP of the FQDN (host name part of the URL) doesn't change, you can add them to the routing-address at the portal, which we did.

    I think the reason FQDN is not allowed is because once the split tunnel is set up when the client gets connected, it can't be changed while the tunnel is up, even when the address changes dynamically.

    Markus
    New Member
    May 20, 2020

    For selective tunnel check https://forum.fortinet.com/m/tm.aspx?m=186161 @toshi with 6.0.9 I was able to route FQDN to split tunnel. Best
    emnoc
    New Member
    May 21, 2020

    I highly doubt you could do that without selectively pushing routes in the split tunnel, but you could enable explicit proxy and set the machines to use the FortiGate as a proxy. Why do you want split tunnel and then route whitelisted URLs through the firewall? I don't see the logic in that request.

    If your concern is web filtering for the end users, deploying a full FortiClient and controlling the endpoint would be better regardless of whether he/she is on the VPN or not, IMHO. Here you can use the FC off-net and with all of the filter options with EMS endpoints.

     

    Ken Felix

    Toshi_Esumi
    SuperUser
    May 22, 2020

    For our customer's case, they had to use one NAT source IP for all users to access some specific Internet services/applications wherever each user might be located.

    Toshi_Esumi
    SuperUser
    May 22, 2020

    I was wrong. I just saw in another thread how to do this in the GUI. I haven't tested it myself yet, but since it's in the KB, it should work.

    https://kb.fortinet.com/kb/documentLink.do?externalID=FD46248

    Basically, don't configure anything at portal, but configure all addresses including FQDN ones in the policy.
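The policy-based approach described in the reply above, written out as a FortiOS CLI example. This is an added illustration, not configuration from the thread, the KB article, or Fortinet: the object names (`allowed-site-1`, `vpn-whitelist`, `split-portal`, `ldap-vpn-users`), the hostnames, and the `wan1` interface are assumed placeholders, and the user group on the policy is an assumption that covers the original poster's "per group" wish. The portal enables split tunneling without any routing-address; the destinations the client should tunnel are defined only as FQDN address objects on the firewall policy from `ssl.root`.

```fortios
# Added example (assumed names and hosts); not the thread's or Fortinet's own config.

# 1. FQDN address objects for the handful of whitelisted sites.
#    The FortiGate resolves these itself; the resolved IPs are what the
#    client ends up routing into the tunnel.
config firewall address
    edit "allowed-site-1"
        set type fqdn
        set fqdn "portal.example.com"   # assumed hostname
    next
    edit "allowed-site-2"
        set type fqdn
        set fqdn "app.example.com"      # assumed hostname
    next
end

# 2. Group them so the policy stays readable as the list grows.
config firewall addrgrp
    edit "vpn-whitelist"
        set member "allowed-site-1" "allowed-site-2"
    next
end

# 3. Split-tunnel portal with NO routing-address: per the KB approach,
#    nothing is configured here for the destinations.
config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 4. Policy from the SSL-VPN interface to the Internet, restricted to the
#    whitelisted FQDN group and (assumed) to one LDAP-backed user group.
#    Only users in "ldap-vpn-users" get these routes pushed.
config firewall policy
    edit 0
        set name "sslvpn-to-whitelist"
        set srcintf "ssl.root"
        set dstintf "wan1"               # assumed WAN interface
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "vpn-whitelist"
        set groups "ldap-vpn-users"      # assumed LDAP user group
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set nat enable
    next
end
```

Two practical checks: after a client connects, compare its route table against the FortiGate's current resolution of the FQDN objects (`diagnose firewall fqdn list`), because, as noted earlier in the thread, the routes are pushed at connect time and a site whose IPs rotate may need a reconnect; and keep the NAT-enabled policy limited to the address group, since widening `dstaddr` to `all` silently turns the split tunnel back into a full tunnel for those users.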