SSL-VPN with split tunneling mode
Hi,
I just want to know what others think about this setup.
I have a client with ssl-vpn enabled on their network, and they are using ssl-vpn tunnel mode with split tunneling enabled but there is no routing address specified. Furthermore they are using a policy route which sends all the traffic coming from the ssl-vpn tunnel interface (ssl.root) to a specific destination on the internet. Then they have different policies which regulate the traffic from the sslvpn users toward different subnets behind the FortiGate. A very weird setup to my eyes! Should they specify the routing address if they want to reach the subnets behind the FortiGate (specified in the policies also)? In that case how is it possible for them to reach those subnets behind the FortiGate if there is no routing address specified? This is making my head spin now!!
3 REPLIES
Hi
Can you please share the output of:
config vpn ssl web portal
show full-configuration | grep split
Hi Niladri,
# show full-configuration | grep split
set split-tunneling enable
set split-tunneling-routing-negate disable
set ipv6-split-tunneling enable
set ipv6-split-tunneling-routing-negate disable
set split-tunneling enable
set split-tunneling-routing-negate disable
set ipv6-split-tunneling enable
set ipv6-split-tunneling-routing-negate disable
set split-tunneling enable
set split-tunneling-routing-negate disable
config split-dns
Hello Fisnik,
From what I understand from the information provided, you might be trying to add FQDNs to be a part of the split tunnel. Now, FQDNs are not supported by the SSL VPN split tunnel routing address. So to achieve this we use firewall policies. Please find the relevant KB here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46248
