Skip to main content
michel_makhoul
michel_makhoul
New Member
November 21, 2025
Question

ZTNA Off-Fabric user blocking internet

  • November 21, 2025
  • 4 replies
  • 605 views

hello

 

kindly we need your assistance in checking the problem, we have an endpoint which is connected to Forticlient ems an when off-fabric, we need to block the user from having local internet access and for all the traffic to reach the internal network only through a configured ipsec tunnel. the issue is that when connected to vpn i have 2 default route, the vpn with lower metric, but on windows he will do automatic check when seeing the internet is dow and then he is using the local default route with the higher metric. i need to totally block the internet for the off-net user. how we can achieve this and intend to have a permanent and stable solution.

 

to note that the webfilter is enabled and all categories are set to block

4 replies

funkylicious
SuperUser
funkylicious
SuperUser
November 22, 2025

always on VPN might be worth a try for the VPN connection

"jack of all trades, master of none"
AEK
SuperUser
AEK
SuperUser
November 23, 2025

I didn't notice this issue in Windows and I don't know if it is an isolated issue.

"As a workaround" you may push the list of public ranges instead of default public addresses.

This should work since those routes are more specific than default route.

 

I hope this list is correct:

1.0.0.0-9.255.255.255
11.0.0.0-100.63.255.255
100.128.0.0-126.255.255.255
128.0.0.0-169.253.255.255
169.255.0.0-172.15.255.255
172.32.0.0-191.255.255.255
192.0.1.0/24
192.0.3.0-192.88.98.255
192.88.100.0-192.167.255.255
192.169.0.0-198.17.255.255
198.20.0.0-198.51.99.255
198.51.101.0-203.0.112.255
203.0.114.0-223.255.255.255

 

AEK
ede_pfau
SuperUser
ede_pfau
SuperUser
November 23, 2025

hi,

 

as this is about the default route (0.0.0.0/0), the PC needs a second default route not as attractive as the VPN but still more attractive as the local LAN router. And that would be a blackhole route, discarding all traffic.

Example:

the default route on the PC is

route print -4

destination   mask       gateway     interface   metric

-> 0.0.0.0     0.0.0.0     192.168.178.1   192.168.178.20 26

 

and if the VPN is up, Forticlient insert a second "better" default route to the gateway behind the VPN, like so:

-> 0.0.0.0     0.0.0.0     192.168.178.1   192.168.178.20 26

-> 0.0.0.0     0.0.0.0     10.10.17.1   10.10.17.2 15

 

Here, as the metric "15" is less than 26, as long as the VPN is up, ALL traffic will flow towards the VPN.

Now, in Forticlient, try to insert a blackhole route:

dest = 0.0.0.0

mask = 0.0.0.0

type = blackhole (so no gateway IP is needed)

metric = 20  (between 15 and 26)

 

Now, if this is installed, while the VPN is up, the VPN default route with metric 15 will be followed. With VPN down, the next best, namely the bh route, will be followed, discarding all traffic.

 

I would suggest you give it a try. Due to lack of Forticlient here I cannot test this. The crucial part is whether you can insert a blackhole route or not.

sagaruto2
sagaruto2
New Member
November 23, 2025

Have a good vacation :)
After open the port with port forwarding to EMS fqdn from external connection, now it is working. But on local connection these requests blocked by "Implicit Deny".

Terms & ConditionsAccessibility statement