Article Id 198757


Understanding how routes are populated in FortiClient SSL VPN tunnel mode helps avoid configuration issues where some networks cannot be accessed because of missing routes.


FortiClient SSL VPN + FortiOS 4.3, 5.0, 5.2


In FortiOS 5.0, routes are populated based on the destinations included in the SSL VPN auth policy (with action ssl-vpn), not on the tunnel access policies (with ssl.root interface).

[Protected networks] --- [FortiGate] --- <SSL VPN TUNNEL MODE> --- [FortiClient]

Add every protected network that must be accessed to the auth policy as a destination; only these destinations are populated in the SSL VPN client routing table when split tunneling is enabled.
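The check below is an added example, not Fortinet code: it compares the destinations of the auth policy (the routes pushed to the client) with the destinations permitted by the ssl.root tunnel access policies and reports the parts that would have no client route. The function names and the IPv4 subnets are constructed for illustration, and it assumes you have copied the destination subnets out of the policies by hand.

```python
import ipaddress

# Constructed sample data: destination subnets read from the two kinds of policy.
AUTH_POLICY_DSTS = ["10.10.1.0/24", "10.10.2.0/24"]        # action ssl-vpn
TUNNEL_POLICY_DSTS = ["10.10.1.0/24", "10.10.0.0/22",      # ssl.root policies
                      "192.168.50.0/24"]

def pushed_routes(auth_policy_dsts):
    """Split-tunnel routes the client receives: the auth policy destinations."""
    nets = [ipaddress.ip_network(d) for d in auth_policy_dsts]
    return list(ipaddress.collapse_addresses(nets))

def uncovered(network, routes):
    """Return the parts of `network` that no pushed route covers."""
    remaining = [network]
    for route in routes:
        next_remaining = []
        for net in remaining:
            if net.subnet_of(route):
                continue                      # fully covered by this route
            if route.subnet_of(net):
                # Route covers only a slice; keep the rest of the network.
                next_remaining.extend(net.address_exclude(route))
            else:
                next_remaining.append(net)    # disjoint, nothing covered
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))

def missing_routes(auth_policy_dsts, tunnel_policy_dsts):
    """Map each tunnel-policy destination to the subnets lacking a client route."""
    routes = pushed_routes(auth_policy_dsts)
    gaps = {}
    for dst in tunnel_policy_dsts:
        holes = uncovered(ipaddress.ip_network(dst), routes)
        if holes:
            gaps[dst] = [str(h) for h in holes]
    return gaps

if __name__ == "__main__":
    for dst, holes in missing_routes(AUTH_POLICY_DSTS, TUNNEL_POLICY_DSTS).items():
        print(f"{dst}: no client route for {', '.join(holes)}")
```

Any subnet it reports is permitted by a tunnel access policy but unreachable from the client until it is added as an auth policy destination.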

The situation is more intuitive in FortiOS 5.2, where the "Routing Address" can be explicitly defined on the "VPN > SSL > Portals" page, as shown below: