MDIT
New Member
July 7, 2020
Question

SSL VPN Split Tunnel - Send Some Internet Traffic to FortiGate


FortiOS 6.0.9 on a cluster of 300Es.
SSL VPN configured and being used by staff working remotely.  Everything works great.  Users have FortiClient installed and we have EMS server managing that side of things as well.
We have some internet-based applications which we use, which are IP-restricted, so the users have to access them via our internal internet breakout.  With the VPN, all internet traffic is egressing locally to the user, so the IPs are not whitelisted (nor do we want them to be), so users are having to log into Citrix to access the web applications from inside the business.
Is there a way to force traffic to certain internet IPs to traverse the tunnel and therefore break out in the office rather than on the user's internet connection?


    Markus
    New Member
    July 7, 2020

    Yes, this is easy to achieve... Check https://docs.fortinet.com...tunnel-for-remote-user

    It's for 6.2, but also good for 6.0.9.

    If you need it for different users or profiles (split/no split), also see https://forum.fortinet.com/tm.aspx?tree=true&m=186161&mpage=1

    sw2090
    SuperUser
    July 7, 2020

    Hm, that would require your client to get a route for this service pushed. Otherwise that traffic will use the default route.

    The problem is that if the service uses an FQDN it may have more than one IP (and mostly not all in the same subnet), so you would need to find all of them and push a route for each.

    The only other way I see is to disable split tunneling altogether to have all traffic go over the VPN.

    That is, if it is limited to your WAN IP(s). We have one service that is, but that's only used from within the shops.
    If there are services limited to your company subnet, you could do SNAT with e.g. an IP pool.
    Markus
    New Member
    July 8, 2020

    Good point, I had the same problem with some Azure (also FQDN) services (whitelisted from the PAT IP). I then created an FQDN address object and put this in the split tunnel address group. This is working for me (FG501E with FOS 6.0.9).
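    Putting the two suggestions in this thread together (Markus's FQDN address object in the split-tunnel group, and sw2090's SNAT with an IP pool), here is an added FortiOS CLI example. It is not configuration posted by anyone in the thread or taken from Fortinet's documentation; it is written against the 6.0/6.2 CLI syntax, and the object names, interface names, the FQDN, the LAN subnet and the IP pool address are assumptions for illustration.

```fortios
# Added example, not configuration from the original thread.
# Names, interfaces and addresses below are assumed; replace with your own.

# 1. Address object for the IP-restricted web application. The FortiGate
#    resolves the FQDN itself and pushes the resolved IPs to the client as
#    routes, so only traffic to those IPs enters the tunnel.
config firewall address
    edit "app-saas-fqdn"
        set type fqdn
        set fqdn "app.example.com"
    next
    edit "internal-lan"
        set subnet 10.10.0.0 255.255.0.0
    next
end

# 2. Group used as the split-tunnel routing list: internal networks plus
#    the FQDN object(s) that must break out via the office.
config firewall addrgrp
    edit "sslvpn-split-routes"
        set member "internal-lan" "app-saas-fqdn"
    next
end

# 3. Portal: tunnel mode with split tunneling limited to that group.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "sslvpn-split-routes"
    next
end

# 4. Optional: a dedicated public IP for the VPN users' egress, if the
#    application whitelists one specific address rather than the WAN
#    interface address. (203.0.113.10 is a documentation address.)
config firewall ippool
    edit "sslvpn-egress-pool"
        set type overload
        set startip 203.0.113.10
        set endip 203.0.113.10
    next
end

# 5. Policy from the SSL VPN interface to the WAN for that destination
#    only, with source NAT so the application sees the office egress IP.
#    SSLVPN_TUNNEL_ADDR1 is the default tunnel address object; "SSLVPN-Users"
#    is an assumed user group name.
config firewall policy
    edit 0
        set name "sslvpn-to-saas-via-office"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "app-saas-fqdn"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set groups "SSLVPN-Users"
        set nat enable
        set ippool enable
        set poolname "sslvpn-egress-pool"
    next
end
```

    The existing policy from ssl.root to the internal LAN stays as it is; the new policy only adds the path out to the WAN for the whitelisted destination. Two checks are worth doing after applying this: `diagnose firewall fqdn list` on the FortiGate shows which addresses the FQDN object currently resolves to (those are the routes the client receives), and `route print` on a connected Windows client confirms they were pushed. The caveat sw2090 raises still applies: the client's own DNS may resolve the application name to addresses the FortiGate did not see (CDN or geo-DNS), in which case that traffic misses the pushed routes and leaves via the local default route. Pointing VPN clients at the internal DNS servers (`set dns-server1` / `set dns-server2` under `config vpn ssl settings`) keeps both sides resolving from the same vantage point.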