Fortinet Community

Description
This article explains how to allow access to specific site FQDN using split tunnel SSLVPN.
FQDN address is not supported in split tunnel.

Solution
To achieve this requirement, follow below steps:

1) Keep Split Tunneling routing address blank in SSL-VPN portal.

2) Configure the SSL-VPN setting to allow access to portal.

3) Configure the FQDN for which it is required to allow access using SSLVPN split tunnel.

Go to Policy & Object -> Address -> Create New >

Note: Address Type should be FQDN

Example here below of FQDN : example.com

 

 

4) Create a Firewall policy with destination address as FQDN.

 

 

 

5) After Login via split tunnel, the ip address of example.com is installed in routing table of SSLVPN.

 

 

At client computer, the route of FQDN example.com ( 93.184.16.34) is shown:

C:\Users\fortinet>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.201.3.146     10.201.3.153      6
       10.201.0.0    255.255.240.0         On-link      10.201.3.153    261
     10.201.3.146  255.255.255.255         On-link      10.201.3.153      5
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
    93.184.216.34  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- Prefix for FQDN
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      10.201.3.153    261
        224.0.0.0        240.0.0.0         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
===========================================================================

 

6a) Add other external address in Firewall policy also, if customer want access external address and particular FQDN.

 

 

 

At client computer, the route of FQDN example.com ( 93.184.16.34) and prefix 8.8.8.8/32, which was added in the policy, is shown:

C:\Users\fortinet>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.201.3.146     10.201.3.153      6
          8.8.8.8  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- Prefix that was added in policy
       10.201.0.0    255.255.240.0         On-link      10.201.3.153    261
    10.201.15.255  255.255.255.255         On-link      10.201.3.153    261
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
    93.184.216.34  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- Prefix for FQDN
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      10.201.3.153    261
        224.0.0.0        240.0.0.0         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306
===========================================================================

 

Whichever address or FQDN added in the firewall policy of SSLVPN IPv4 policy those route will get install in routing table of the PC only need to Keep Split Tunneling routing address blank in SSL-VPN portal.

 

6b) If you want to reach internal resources also, create a policy to inject the proper subnets into Client routing table

 

Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     10.201.3.146     10.201.3.153      6
          8.8.8.8  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- subnet that was added in the first policy
    192.168.108.0    255.255.255.0   10.212.134.201   10.212.134.200      1       <----- subnet that was added in the second policy
    192.168.112.0    255.255.255.0   10.212.134.201   10.212.134.200      1       <----- subnet that was added in the second policy
    192.168.200.0    255.255.255.0   10.212.134.201   10.212.134.200      1       <----- subnet that was added in the second policy
       10.201.0.0    255.255.240.0         On-link      10.201.3.153    261
    10.201.15.255  255.255.255.255         On-link      10.201.3.153    261
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
    93.184.216.34  255.255.255.255   10.212.134.201   10.212.134.200      1       <----- Prefix for FQDN
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306
        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306
  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306
        224.0.0.0        240.0.0.0         On-link      10.201.3.153    261
        224.0.0.0        240.0.0.0         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

===========================================================================

Note.

Be sure that the FQDN address object is resolved by the FortiGate.

 

 

 

 

Unresolved FQDN can cause connection failure.