Cybersecurity Forum

This forum is for all security enthusiasts to discuss Fortinet's latest & evolving technologies and to connect & network with peers in the cybersecurity hemisphere. Share and learn on a broad range of topics like best practices, use cases, integrations and more. For support specific questions/resources, please visit the Support Forum or the Knowledge Base.

Nik
New Contributor II

SSL-VPN with split tunneling mode

Hi,

I just want to know what other thinks about this setup.

I have a client with ssl-vpn enabled on their network, and they are using ssl-vpn tunnel mode with split tunneling enabled but there is no routing address specified. Furthermore they are using a policy route which sends all the traffic coming from the ssl-vpn tunnel interface (ssl.root) to a specific destination on the internet. Then they have different policys which regulates the traffic from the sslvpn users toward different subnets behind the fortigate. A very wierd setup for my eyes! Should they specify the routing address if they want to reach the subnets behind the fortigate (specified in the policys also)? In that case how is it possible for them to reach those subnets behind the fortigate if there is no routing address specified. This is making my head spinning now!!
3 REPLIES 3
NilaSark
New Contributor II

Hi 
 
Can you please share the output of :

config vpn ssl web portal
show full-configuation | grep split
Nik
New Contributor II

Hi Niladri,

# show full-configuration | grep split
set split-tunneling enable
set split-tunneling-routing-negate disable
set ipv6-split-tunneling enable
set ipv6-split-tunneling-routing-negate disable
set split-tunneling enable
set split-tunneling-routing-negate disable
set ipv6-split-tunneling enable
set ipv6-split-tunneling-routing-negate disable
set split-tunneling enable
set split-tunneling-routing-negate disable
config split-dns
NilaSark
New Contributor II

Hello Fisnik,

From what I understand for the information provided is that you might be trying to add FQDNs to be a part of the split tunnel. Now FQDNs are not supported by SSL VPN split tunnel routing address. SO to achieve this we use firewall policies. Please find the relevant KB here : https://kb.fortinet.com/kb/documentLink.do?externalID=FD46248
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.