gmarcuccetti
Staff
Created on ‎06-18-2020 09:51 AM Edited on ‎01-04-2022 11:49 AM By Anonymous
Article Id
190884
Description
This article describes how to block SSL VPN clients from reaching their local network (LAN) when split tunnelling is disabled, so that all client traffic, local LAN traffic included, is forced through the tunnel.
Solution
With split tunnelling disabled, the exclusive-routing option of an SSL VPN portal controls the client's local LAN traffic so that it, too, is forwarded to the FortiGate instead of being delivered directly on the local network.
Enable exclusive-routing from the CLI in the portal the users connect to (full-access in this example):
# config vpn ssl web portal
    edit full-access
        set exclusive-routing enable
    next
end
The following example shows the feature working with FortiClient.
Windows network settings:
- Local LAN: 192.168.100.19/21.
- SSL VPN address: 10.212.134.200.

Test:
Ping from the Windows machine to 8.8.8.8 (Internet).

Sniffer capture on the remote FortiGate.

Ping from the Windows machine to 192.168.100.41 (a host on the local LAN).

Sniffer capture on the remote FortiGate.

In this example, the ICMP packets to the local LAN host reach the FortiGate through the tunnel, which confirms that exclusive routing is in effect; they are not answered because no firewall policy allows the ICMP traffic.
With FortiOS 6.4, 'set exclusive-routing enable' requires FortiClient 6.4.2 or later.
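As an added example (not part of the original article), the complete portal configuration the test above relies on, together with the sniffer command used to confirm on the FortiGate that local LAN traffic is now entering the tunnel. The portal name full-access, the address pool SSLVPN_TUNNEL_ADDR1 and the interface ssl.root are the FortiOS defaults and are assumed here; the addresses are those of the test setup above.

```fortios
# Portal with split tunnelling disabled and exclusive routing enabled.
# Names below (full-access, SSLVPN_TUNNEL_ADDR1) are assumed defaults for this example.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling disable
        set exclusive-routing enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Verification on the FortiGate while the client pings its local LAN host 192.168.100.41:
# with exclusive routing in effect, ICMP from the tunnel address 10.212.134.200 arrives
# on ssl.root instead of being delivered directly on the client's local network.
# Verbosity 4 prints interface names, count 0 runs until interrupted, 'a' adds absolute timestamps.
diagnose sniffer packet any 'icmp and host 192.168.100.41' 4 0 a
```

Without a firewall policy from ssl.root that allows the ICMP service, the sniffer shows the echo requests arriving but no replies leaving, which is exactly the behaviour described in the test above; the capture is the evidence that the local LAN traffic was forced through the tunnel.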