FortiGate
gmarcuccetti
Staff
Article Id 190062

Description


This article explains how to allow access to a specific site's FQDN using split tunnel SSL VPN.
An FQDN address object is not supported as a split tunnel routing address in the SSL VPN portal.

 

Scope

 

FortiGate 7.2 and FortiOS 4.


Solution


To achieve this requirement, follow the below steps:

 

  1. Keep the Split Tunneling routing address blank in the SSL VPN portal. 

 
In FortiOS 7.0.x and above, split tunneling must be enabled based on policy destination. 
 

 

  2. Configure the SSL VPN settings to allow access to the portal.
  3. Configure the FQDN for which access through the SSL VPN split tunnel is required. Go to Policy & Objects -> Addresses -> Create New.

 

Note:

The Address Type must be FQDN.

Example FQDN: example.com.

 
 
  4. Create a firewall policy with the destination address set to the FQDN object created in step 3.
 
 
  5. After logging in via split tunnel SSL VPN, the IP address of example.com is installed in the routing table of the SSL VPN client.

 

 
 
At the client's computer, the route for the FQDN example.com (93.184.216.34) is shown:
 
C:\Users\fortinet>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.201.3.146     10.201.3.153      6
       10.201.0.0    255.255.240.0         On-link      10.201.3.153    261
     10.201.3.146  255.255.255.255         On-link      10.201.3.153      5
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
    93.184.216.34  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- Prefix for FQDN.
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      10.201.3.153    261
        224.0.0.0        240.0.0.0         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
===========================================================================

 
  6. Add other external addresses to the same firewall policy if the customer also needs to reach an external address in addition to the FQDN.
 

 
 
At the client's computer, the route for the FQDN example.com (93.184.216.34) and the prefix 8.8.8.8/32, which was added to the policy, are shown:
 
C:\Users\fortinet>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.201.3.146     10.201.3.153      6
          8.8.8.8  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- Prefix that was added to the policy.
       10.201.0.0    255.255.240.0         On-link      10.201.3.153    261
    10.201.15.255  255.255.255.255         On-link      10.201.3.153    261
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
    93.184.216.34  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- Prefix for FQDN.
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      10.201.3.153    261
        224.0.0.0        240.0.0.0         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
===========================================================================

 
Whichever address or FQDN is added as the destination of the SSL VPN IPv4 firewall policy, its route is installed in the routing table of the PC; the only requirement is to keep the Split Tunneling routing address blank in the SSL VPN portal.
 
  •  To reach internal resources, create a policy to inject the proper subnets into the Client routing table.

 

 

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.201.3.146     10.201.3.153      6
          8.8.8.8  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- Subnet that was added in the first policy.
    192.168.108.0    255.255.255.0   10.212.134.201   10.212.134.200      1       <----- Subnet that was added in the second policy.
    192.168.112.0    255.255.255.0   10.212.134.201   10.212.134.200      1       <----- Subnet that was added in the second policy.
    192.168.200.0    255.255.255.0   10.212.134.201   10.212.134.200      1       <----- Subnet that was added in the second policy.
       10.201.0.0    255.255.240.0         On-link      10.201.3.153    261
    10.201.15.255  255.255.255.255         On-link      10.201.3.153    261
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
    93.184.216.34  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- Prefix for FQDN.
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      10.201.3.153    261
        224.0.0.0        240.0.0.0         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
===========================================================================
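The procedure above in FortiOS CLI form, added here as an example and not taken from the original article: the FQDN address object, a tunnel-mode portal with the routing address left empty, the portal mapping, and the policy whose destination drives the injected routes. The portal name, user group, interface names, IP pool and policy ID are assumptions.

```fortios
# Added example, not part of the original article: FortiOS CLI equivalent of
# steps 1 to 4. The portal name, user group, interface names, IP pool and
# policy ID are assumptions; adjust them to the deployment.

# Step 3: FQDN address object (type must be fqdn, not ipmask)
config firewall address
    edit "example.com"
        set type fqdn
        set fqdn "example.com"
    next
end

# Step 1: tunnel-mode portal with split tunneling enabled and the routing
# address left empty, so client routes come from the policy destinations
config vpn ssl web portal
    edit "split-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
        unset split-tunneling-routing-address
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Step 2: map the SSL VPN user group to that portal
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "split-tunnel-portal"
        next
    end
end

# Step 4: policy whose destination is the FQDN object; the resolved IP of
# every destination listed here is injected as a route on the client
config firewall policy
    edit 10
        set name "SSLVPN-split-example.com"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "example.com"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Step 6 and the internal-resources bullet follow the same pattern: add further address objects to dstaddr, or add a second policy from ssl.root to the internal interface with the internal subnets as destination. On the FortiGate, `diagnose firewall fqdn list` shows whether the object has resolved, which is the precondition the note below describes.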

 
Note:
Be sure that the FortiGate resolves the FQDN address object. An unresolved FQDN can cause connection failures.
 
 
This feature does not support FQDN with dynamic IP resolution or wildcard FQDN for the following reasons:
  • FortiClient only injects routes at the time of connection. If the IP address gets changed or updated while it is connected, FortiClient will not add a new IP address to the client routing table.
  • The wildcard FQDN is updated when a DNS query is made from a host connected to FortiGate (DNS traffic passing through a FortiGate) and if there is no DNS query passing through FortiGate, the FQDN will not resolve and FortiClient will not inject any route to the client.
For wildcard FQDN or dynamic IP scenarios, a full tunnel setup must be used.
 
Note:
When the SSL VPN portal has a routing address override, it restricts access to specific destinations based on the portal settings. Additionally, configuring an FQDN is not supported in the portal when the override is in place. In this case, either a separate portal must be used or the routing address should be left blank. Once the override settings are removed, the FQDN begins to work as expected.