ronmar
Staff
Article Id 262812
Description: This article describes how to disable split tunneling for specific user groups while leaving it enabled for other groups or users.
Scope: FortiGate.
Solution

There are three default SSL VPN portals on the FortiGate (full-access, tunnel-access, and web-access). The full-access portal has 'split tunneling' enabled by default.

There are scenarios where an administrator wants to disable 'split tunneling' for a specific user group, so that all traffic from those users passes through the FortiGate for scanning or logging, while keeping 'split tunneling' enabled for other user groups.

 

Here are the steps to configure it. Assume there are already two SSL VPN user groups:

Example:

  1. SSL VPN_User_Ena <--- Example of the user group with split tunnel enabled.
  2. SSL VPN_User_Dis <--- Example of the user group with split tunnel disabled.

 

Step 1: Create another SSL-VPN portal with the same parameters as 'full-access', except with 'Enable Split Tunnel' turned off.

Go to VPN -> SSL-VPN Portal -> Create New.

[Screenshot: creating the new SSL-VPN portal in the GUI with 'Enable Split Tunnel' turned off]

 

To create the SSL-VPN portal in the CLI:

config vpn ssl web portal
    edit full-access_Split-Disabled
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools SSLVPN_TUNNEL_ADDR1
    next
end

 

Step 2: Map the user groups to the correct SSL VPN portal according to the needs. In this case, the 'SSL VPN_User_Ena' group is mapped to 'full-access' to keep the split tunnel enabled, and the 'SSL VPN_User_Dis' group is mapped to 'full-access_Split-Disabled' to disable the split tunnel.

Configure 'All Other Users/Groups' to 'full-access'.

Go to VPN -> SSL-VPN Settings -> Authentication/Portal Mapping:

[Screenshot: Authentication/Portal Mapping with both user groups and the 'All Other Users/Groups' entry]

 

To map the user groups to the SSL-VPN portals in the CLI:

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "SSL VPN_User_Ena"
            set portal "full-access"
        next
        edit 2
            set groups "SSL VPN_User_Dis"
            set portal "full-access_Split-Disabled"
        next
    end
end

Step 3: Configure the firewall policies for SSL VPN.

Configure the inbound firewall policy for both user groups. The inbound firewall policy can include both user groups; it allows them to reach the internal subnets behind the FortiGate:

[Screenshot: inbound SSL-VPN firewall policy including both user groups]

Create an outbound firewall policy only for the user group with split tunnel disabled. Do not include the user group with split tunnel enabled in this firewall policy: because that group is mapped to a portal with split tunneling enabled, the policy cannot be saved with destination 'all'.

[Screenshot: outbound SSL-VPN firewall policy for the split-tunnel-disabled group only]

To create the firewall policies in the CLI:

config firewall policy
    edit 0
        set name "Inbound_SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "Local_Subnet"
        set schedule "always"
        set service "ALL"
        set groups "SSL VPN_User_Dis" "SSL VPN_User_Ena"
    next
    edit 0
        set name "Outbound_SSL-VPN"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "SSL VPN_User_Dis"
        set nat enable
    next
end

 

Expected behavior after the configuration: remote users in the 'SSL VPN_User_Ena' group forward their external (Internet) traffic directly to their local Internet gateway, while remote users in the 'SSL VPN_User_Dis' group forward their external traffic through the FortiGate.

 

Note (Known Issues):

There are a couple of known issues (879329, 930275) that occur when a FortiGate is configured with both a split tunnel portal and a full tunnel portal:

 

  1. After a reboot, the Firewall policy does not allow dstaddr 'all'.
  2. When trying to configure 'all' as the destination for an SSL VPN firewall policy, the following error message can be observed:

Destination address of split tunneling policy is invalid.
SSL-VPN portal "<name>" has split tunnel enabled, which does not allow policy IPv4 destination address to be "all".
Node_check_object fail! for name all.

 

Workaround/Fix:

The following workarounds can be helpful:

Workaround 1: Instead of 'all', set the destination to '0.0.0.0/1' and '128.0.0.0/1' (that is, split 'all' into two networks).

Workaround 2: Use the full tunnel portal in a separate realm. When it is in a separate realm, it should be possible to configure the destination as 'all', or to create a new address object for '0.0.0.0/0' and use that in the policy.

 

These workarounds ensure that the issue is not seen again after a reboot (bug 879329).

 

The known issue is addressed in FortiOS versions 7.2.8 and 7.4.2.
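A pre-deployment check for Step 3 and the known issue above, written for this article as an added example (it is not Fortinet's code): it parses a FortiOS CLI snippet and reports SSL VPN policies with destination 'all' that include a group mapped to a split-tunnel portal, which is the combination the FortiGate rejects. The sample configuration is constructed to mirror the article's objects; treating an unset split-tunneling value as enabled is an assumption based on the default full-access portal.

```python
import shlex

# Constructed sample (not a live FortiGate export): the article's two portals, the two
# group-to-portal mappings, and an outbound policy that wrongly includes the split-tunnel group.
SAMPLE = "\n".join([
    "config vpn ssl web portal",
    ' edit "full-access"', "  set split-tunneling enable", " next",
    ' edit "full-access_Split-Disabled"', "  set split-tunneling disable", " next",
    "end",
    "config vpn ssl settings", " config authentication-rule",
    "  edit 1", '   set groups "SSL VPN_User_Ena"', '   set portal "full-access"', "  next",
    "  edit 2", '   set groups "SSL VPN_User_Dis"', '   set portal "full-access_Split-Disabled"', "  next",
    " end", "end",
    "config firewall policy",
    " edit 1", '  set srcintf "ssl.root"', '  set dstaddr "all"',
    '  set groups "SSL VPN_User_Dis" "SSL VPN_User_Ena"', " next",
    "end",
])

def parse_fortios(text):
    """Nested dicts: config/edit open a block, set stores its values, next/end close it."""
    root, stack = {}, []
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        cur = stack[-1] if stack else root
        if tok[0] in ("config", "edit"):
            stack.append(cur.setdefault(" ".join(tok[1:]), {}))
        elif tok[0] == "set":
            cur[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return root

def split_tunnel_conflicts(cfg):
    """(policy id, group, portal) for ssl.root policies with dstaddr 'all' that include a split-tunnel group."""
    portals = cfg.get("vpn ssl web portal", {})
    split_on = {}  # group name -> portal that has split tunneling enabled
    for rule in cfg.get("vpn ssl settings", {}).get("authentication-rule", {}).values():
        portal = rule.get("portal", [""])[0]
        # Assumption: an unset split-tunneling value counts as enabled, as on the default full-access portal.
        if portals.get(portal, {}).get("split-tunneling", ["enable"]) == ["enable"]:
            split_on.update({g: portal for g in rule.get("groups", [])})
    hits = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if "ssl.root" in pol.get("srcintf", []) and pol.get("dstaddr") == ["all"]:
            hits += [(pid, g, split_on[g]) for g in pol.get("groups", []) if g in split_on]
    return hits
```

Running the check on the sample flags the 'SSL VPN_User_Ena' group on policy 1; replacing 'all' with '0.0.0.0/1' and '128.0.0.0/1' (Workaround 1) or removing that group from the outbound policy clears the finding.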

 

Related document: 

Issues with SSL VPN firewall policies with destination address set to 'all' after firmware upgrade t...