haljawhari
Staff
Article Id 198287

Description

In some scenarios, the config mode option may be disabled on a dial-up client-to-site IPsec VPN tunnel, and the assigned IP address, DNS server and split tunnel addresses are set manually on the client instead. However, the split tunnel option is not visible in the GUI of the macOS version of FortiClient.

This article describes how to configure split tunnel addresses on macOS when these options are set manually.

Scope

FortiClient.

Solution

The solution is to add the split tunnel routing addresses by editing the tunnel settings in an exported FortiClient configuration file and then restoring the edited file.

Note: The same configuration works on the Windows version of FortiClient. The macOS version is called out explicitly because the option is not visible in that platform's FortiClient GUI.

Note: FortiClient requires 'Full Disk Access' permission in the macOS Privacy settings for the configuration restore feature to work. Refer to the FortiClient macOS release notes for more details.

  1. Download a FortiClient configuration backup (XML file) from the FortiClient settings.
  2. Open the file in a text editor (e.g. Notepad++).
  3. Search for the IPsec tunnel name.
  4. Add the split tunnel addresses under the <remote_networks> tag of the required tunnel.

Each address is added in its own <network> tag, as in the example below (the split tunnel configuration is the <remote_networks> block; other irrelevant parts of the configuration are elided for simplicity):
<ipsecvpn>
    <options>
        …
    </options>
    <connections>
        …
        <connection>
            <name>IPSEC_TUNNEL_1</name>
            <type>manual</type>
            <ike_settings>
                …
            </ike_settings>
            <ipsec_settings>
                <remote_networks>
                    <network>
                        <addr>172.16.100.0</addr>
                        <mask>255.255.255.0</mask>
                    </network>
                    <network>
                        <addr>172.16.120.0</addr>
                        <mask>255.255.255.240</mask>
                    </network>
                </remote_networks>
                …
            </ipsec_settings>
            …
        </connection>
        …
    </connections>
</ipsecvpn>
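As an added example (not part of the original article or of FortiClient itself), the Python helper below makes the same edit programmatically against a constructed excerpt shaped like a FortiClient backup: it locates the connection by name, appends validated <network> entries under <remote_networks>, and skips entries that are already present. The root element name and the sample content are assumptions; a real backup is far larger.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of a FortiClient XML backup (not a real export).
SAMPLE_CONFIG = """<forticlient_configuration><ipsecvpn><connections>
  <connection><name>IPSEC_TUNNEL_1</name><type>manual</type>
    <ipsec_settings><remote_networks>
      <network><addr>172.16.100.0</addr><mask>255.255.255.0</mask></network>
    </remote_networks></ipsec_settings>
  </connection>
</connections></ipsecvpn></forticlient_configuration>"""


def add_split_tunnel_networks(xml_text, tunnel_name, cidrs):
    """Add each CIDR as a <network> under <remote_networks> of the named tunnel.
    Returns (new_xml, number_added); entries already present are skipped."""
    root = ET.fromstring(xml_text)
    conn = next((c for c in root.iter("connection")
                 if c.findtext("name") == tunnel_name), None)
    if conn is None:
        raise ValueError(f"no IPsec connection named {tunnel_name!r}")
    settings = conn.find("ipsec_settings")
    if settings is None:
        settings = ET.SubElement(conn, "ipsec_settings")
    remote = settings.find("remote_networks")
    if remote is None:
        remote = ET.SubElement(settings, "remote_networks")
    existing = {(n.findtext("addr"), n.findtext("mask")) for n in remote.findall("network")}
    added = 0
    for cidr in cidrs:
        # strict=True rejects a prefix with host bits set (172.16.120.5/28 is a typo, not a route)
        net = ipaddress.IPv4Network(cidr, strict=True)
        key = (str(net.network_address), str(net.netmask))
        if key in existing:
            continue
        entry = ET.SubElement(remote, "network")
        ET.SubElement(entry, "addr").text = key[0]
        ET.SubElement(entry, "mask").text = key[1]
        existing.add(key)
        added += 1
    return ET.tostring(root, encoding="unicode"), added


def list_split_tunnel_networks(xml_text, tunnel_name):
    """Return the remote networks of the named tunnel as CIDR strings."""
    root = ET.fromstring(xml_text)
    for c in root.iter("connection"):
        if c.findtext("name") == tunnel_name:
            return [str(ipaddress.IPv4Network((n.findtext("addr"), n.findtext("mask"))))
                    for n in c.iter("network")]
    return []
```

ElementTree re-serialises the whole document and drops the XML declaration and any comments, so diff the result against the original backup before restoring it in FortiClient.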