GersonLestrange
Explorer II
June 9, 2022
Solved

SSL VPN FQDN

  • June 9, 2022
  • 3 replies
  • 8623 views

Keeping the Split Tunneling routing address blank in the SSL-VPN portal, to be able to use FQDN addresses.

So does my collaborator's internet traffic go out through the FortiGate, or through the internet from his own home?


Leaving Split Tunneling blank, when I check the IP that the client is going out to the internet with, it is the company's IP. Is internet traffic going all the way through the FortiGate?


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-to-Specific-FQDN-using-Split-Tunnel-SSL-VPN/ta-p/190062?externalID=FD46248

3 replies

Toshi_Esumi
SuperUser
June 9, 2022

Not sure whether that's your statement or your question. Checking your IP with something like "What is my IP" at Google doesn't prove the FQDN is working, because the test's destination is Google, not the FQDN. You need to traceroute to the FQDN using the same DNS server your FGT is using.

Or just check the routing table at your client machine described in the KB.


Toshi

GersonLestrange
Explorer II
June 9, 2022

Let me clarify better.

When I'm using Split Tunneling blank, if I make a query of my internet IP, it shows me the IP of the company's WAN.


When I'm using Split Tunneling with addresses in the Routing Address, if I make a query of my internet IP, it shows me the IP of my carrier's WAN at home.


sw2090
SuperUser
June 9, 2022

I am wondering why FortiOS even allows that setting as it is completely useless to enable split tunneling without setting anything then.

However, it seems to treat that as if it were disabled.

That means with split tunneling on with no setting (or disabled), all traffic will go through the VPN, because it will modify your default route.

If you enable split tunneling and set some subnets in there, it will not touch your default route but will push routes to the subnets you specified there.

For that it does not matter whether you use an FQDN or an IP as the remote gateway.
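The thread's advice is to stop guessing from "What is my IP" results and read the client's routing table instead: a full tunnel shows up as the default route (or a 0.0.0.0 route) pointing at the VPN interface, while a split tunnel leaves the default route alone and only pushes more-specific prefixes. The script below is an added example, not code from the thread or from Fortinet. It parses constructed `ip route` style output (the interface name `ppp0`, the addresses, and the sample routing tables are all assumptions), classifies the tunnel mode, and then checks whether a given resolved address (the IP of an FQDN resolved against the same DNS server the FortiGate uses, as Toshi suggests) would actually be sent through the tunnel.

```python
"""Classify a VPN client's routing table as full-tunnel or split-tunnel and
check whether a resolved FQDN address is routed via the VPN interface.

Added example, not from the thread or from Fortinet. The routing tables
below are constructed samples in Linux `ip route` output format; on a real
client, feed in the output of `ip route` (Linux) or adapt the parser for
`route print` (Windows). The VPN interface name "ppp0" is an assumption.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Route:
    prefix: ipaddress.IPv4Network   # destination prefix ("default" -> 0.0.0.0/0)
    dev: str                        # outgoing interface
    metric: int                     # 0 when the line carries no metric


# Matches "default via X dev Y ..." or "A.B.C.D[/N] [via X] dev Y [... metric M]"
_ROUTE_RE = re.compile(
    r"^(?P<dst>default|\d+\.\d+\.\d+\.\d+(?:/\d+)?)"
    r"(?:\s+via\s+\S+)?\s+dev\s+(?P<dev>\S+)"
    r"(?:.*?\bmetric\s+(?P<metric>\d+))?"
)


def parse_routes(text: str) -> list:
    """Turn `ip route` output into Route objects; unparseable lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = _ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = "0.0.0.0/0" if m.group("dst") == "default" else m.group("dst")
        routes.append(Route(
            ipaddress.ip_network(dst, strict=False),
            m.group("dev"),
            int(m.group("metric") or 0),
        ))
    return routes


def lookup(routes: list, ip: str):
    """Longest-prefix match, ties broken by lowest metric (like the kernel)."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def tunnel_mode(routes: list, vpn_dev: str) -> str:
    """'full' if ordinary internet traffic leaves via the VPN interface,
    'split' if only specific prefixes do, 'none' if no route uses it.
    198.51.100.1 is a documentation address standing in for "any internet host"."""
    best = lookup(routes, "198.51.100.1")
    if best is not None and best.dev == vpn_dev:
        return "full"
    if any(r.dev == vpn_dev for r in routes):
        return "split"
    return "none"


def goes_via_vpn(routes: list, resolved_ip: str, vpn_dev: str) -> bool:
    """Would traffic to this (already resolved) FQDN address use the tunnel?"""
    best = lookup(routes, resolved_ip)
    return best is not None and best.dev == vpn_dev


# Constructed sample: split tunneling left blank -> default route moved onto ppp0.
FULL_TUNNEL_SAMPLE = """\
default via 10.212.134.1 dev ppp0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.212.134.0/24 dev ppp0 proto kernel scope link src 10.212.134.200
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample: split tunneling with routing addresses -> only pushed
# prefixes use ppp0; 203.0.113.25 stands in for the resolved FQDN address.
SPLIT_TUNNEL_SAMPLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.0.0/16 via 10.212.134.1 dev ppp0
172.16.50.0/24 via 10.212.134.1 dev ppp0
203.0.113.25 via 10.212.134.1 dev ppp0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

if __name__ == "__main__":
    for name, sample in (("blank", FULL_TUNNEL_SAMPLE), ("with addresses", SPLIT_TUNNEL_SAMPLE)):
        routes = parse_routes(sample)
        print(f"split tunnel {name}: mode={tunnel_mode(routes, 'ppp0')}, "
              f"FQDN address via VPN={goes_via_vpn(routes, '203.0.113.25', 'ppp0')}, "
              f"random internet host via VPN={goes_via_vpn(routes, '203.0.113.26', 'ppp0')}")
```

On a real client the interesting check is the last one: if an arbitrary internet address resolves to the VPN interface, the "What is my IP" result will show the company WAN regardless of whether the FQDN route was pushed, which is exactly why that test proves nothing about the FQDN.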

pminarik
Staff
Best answer
June 9, 2022

When the split-route list is left empty, the FortiGate is supposed to automatically generate a list of routes based on the destination address objects in relevant SSL-VPN firewall policies. (I am not sure if it accepts all types of address objects, e.g. IP ranges)

Toshi_Esumi
SuperUser
June 9, 2022

I agree with pminarik, because we use it for one of our customers. You probably didn't set the SSL-VPN policy correctly. Read the KB again or show us what the policy looks like.


Toshi

GersonLestrange
Explorer II
June 10, 2022

Staff is just that.

When Split Tunneling is enabled and left blank, VPN traffic will only be directed to the addresses in the FortiGate VPN rule.

Any other access that is not in the rule will go through the user's internet.

It adds a 0.0.0.0 route to my interface, and other routes to the addresses set in the VPN rule in the FortiGate.

The article is perfect. I did all the simulations, and it served the purpose of keeping Split Tunneling blank.


https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-to-Specific-FQDN-using-Split-Tunnel-SSL-VPN/ta-p/190062?externalID=FD46248