Cybersecurity Forum


Nik
New Contributor II

SSL-VPN with split tunneling mode

Hi,

I just want to know what others think about this setup.

I have a client with SSL-VPN enabled on their network, and they are using SSL-VPN tunnel mode with split tunneling enabled, but there is no routing address specified. Furthermore, they are using a policy route which sends all the traffic coming from the SSL-VPN tunnel interface (ssl.root) to a specific destination on the internet. Then they have different policies which regulate the traffic from the SSL-VPN users toward different subnets behind the FortiGate. A very weird setup to my eyes! Should they specify the routing address if they want to reach the subnets behind the FortiGate (specified in the policies also)? In that case, how is it possible for them to reach those subnets behind the FortiGate if there is no routing address specified? This is making my head spin now!!
NilaSark
New Contributor II

Hi,

Can you please share the output of:

config vpn ssl web portal
show full-configuration | grep split
Nik
New Contributor II

Hi Niladri,

# show full-configuration | grep split
set split-tunneling enable
set split-tunneling-routing-negate disable
set ipv6-split-tunneling enable
set ipv6-split-tunneling-routing-negate disable
set split-tunneling enable
set split-tunneling-routing-negate disable
set ipv6-split-tunneling enable
set ipv6-split-tunneling-routing-negate disable
set split-tunneling enable
set split-tunneling-routing-negate disable
config split-dns
NilaSark
New Contributor II

Hello Fisnik,

From what I understand from the information provided, you might be trying to add FQDNs to be part of the split tunnel. Now, FQDNs are not supported by the SSL VPN split tunnel routing address. So to achieve this we use firewall policies. Please find the relevant KB here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46248
From what I understand for the information provided is that you might be trying to add FQDNs to be a part of the split tunnel. Now FQDNs are not supported by SSL VPN split tunnel routing address. SO to achieve this we use firewall policies. Please find the relevant KB here : https://kb.fortinet.com/kb/documentLink.do?externalID=FD46248