| Description | This article describes the process of converting an SSL VPN Full tunnel configuration into a split tunnel configuration. |
| Scope | FortiOS 6.4 or later. |
| Solution |
For this conversion, modification is required to two parts of configuration:
In this case, note that the split tunnel is disabled, which means the VPN is configured for the full tunnel.
To change from full tunnel to split tunnel under SSL VPN portal settings, tunnel mode should be changed from 'Disabled' to 'Enabled Based on Policy Destination'. Selecting 'Enabled Based on Policy Destination' will check the firewall policy 'SSL VPN tunnel to the internal network' and, based on the policy configuration, the firewall will send route information to the SSL VPN client.
For SSL VPN full tunnel to allow traffic from the SSL VPN tunnel to the internal and public networks, two firewall policies are required.
While converting the VPN, the firewall policy 'SSL VPN to WAN' should be deleted. The following picture shows that unnecessary firewall policy.
The following firewall policy will remain in FortiGate:
Results:
Before converting the VPN config, the route table in user's computer is (2 default routes and via VPN has higher priority):
After converting the VPN config, the route table in the user's computer is (Only 1 default route and specific destination route for the LAN):
|
Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Spring Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiSRA
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiScan
- FortiSandbox
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiWAN
- FortiToken
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- RMA Information and Announcements
- Lacework
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
- Fortinet Community
- Knowledge Base
- FortiGate
- Technical Tip: Convert SSL VPN Full tunnel to Spli...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.