Created on 07-06-2023 12:06 AM Edited on 08-22-2024 11:43 PM By Jean-Philippe_P
Description | This article describes how to disable split tunneling for specific user groups while keeping it enabled for other groups or users. |
Scope | FortiGate. |
Solution |
By default, three SSL VPN portals are available on the FortiGate (full-access, tunnel-access, and web-access). The full-access portal is configured with 'Enable Split Tunnel' turned on.
In some scenarios, administrators want 'Enable Split Tunnel' turned off for certain user groups, so that all of those users' traffic passes through the FortiGate for scanning or logging.
The steps below show how to configure this. It is assumed that two SSL VPN user groups already exist (in this example, 'SSL-VPN_User_Ena' and 'SSL-VPN_User_Dis').
Step 1: Create another SSL-VPN portal with the same parameters as 'full-access', except with 'Enable Split Tunnel' disabled.
Go to VPN -> SSL-VPN Portal -> Create New.
Step 2: Map each user group to the correct SSL VPN portal according to the requirements. In this case, the 'SSL-VPN_User_Ena' group is mapped to 'full-access' (split tunnel enabled) and the 'SSL-VPN_User_Dis' group is mapped to 'full-access_Split_Disable' (split tunnel disabled).
Configure 'All other Users/Groups' to 'full-access': Go to VPN -> SSL-VPN Settings -> Authentication/Portal Mapping:
Step 3: Configure the Firewall policy for SSL VPN.
Configure an inbound firewall policy for both groups. Both user groups can be included in the same inbound policy; this allows them to reach the internal subnets behind the FortiGate:
Create a separate outbound firewall policy for the group with split tunnel disabled. Do not include the group with split tunnel enabled in this policy: saving a policy whose destination is 'all' fails when one of its user groups has split tunnel enabled.
Expected behavior after the configuration: remote users in the SSL-VPN_User_Ena group forward external traffic to their local Internet gateway, while remote users in the SSL-VPN_User_Dis group forward external traffic through the FortiGate.
Note (Known Issues): There are two known issues (879329, 930275) that occur when a FortiGate is configured with both a split tunnel portal and a full tunnel portal. Saving the firewall policy returns the following error:
'Destination address of split tunneling policy is invalid.'
Workaround/Fix: The following workarounds can be helpful:
Workaround 1: Instead of 'all', set the destination to '0.0.0.0/1' + '128.0.0.0/1' (that is, split 'all' into two networks).
Workaround 2: Use the full tunnel portal in a separate realm. In a separate realm, it is possible to configure the destination as 'all', or to create a new address object for '0.0.0.0/0' and use it in the policy.
These workarounds also ensure that the issue does not reappear after a reboot (bug 879329).
The known issue is addressed in FortiOS versions 7.2.8 and 7.4.2.
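The same configuration (Steps 1 to 3 above) together with Workaround 1, expressed in FortiOS CLI as an added example rather than the article's own commands. The group names and portal names are the ones used in this article; the interface names 'ssl.root' and 'wan1', the IP pool 'SSLVPN_TUNNEL_ADDR1' and the two address object names are assumptions, and the lines starting with '#' are explanatory comments, not CLI input.

```fortios
# Step 1: portal cloned from 'full-access' with split tunneling disabled
config vpn ssl web portal
    edit "full-access_Split_Disable"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling disable
    next
end
# Step 2: map each group to its portal; all other users fall back to 'full-access'
config vpn ssl settings
    set default-portal "full-access"
    config authentication-rule
        edit 1
            set groups "SSL-VPN_User_Ena"
            set portal "full-access"
        next
        edit 2
            set groups "SSL-VPN_User_Dis"
            set portal "full-access_Split_Disable"
        next
    end
end
# Workaround 1: the two halves of the IPv4 space, used instead of 'all'
config firewall address
    edit "IPv4_low_half"
        set subnet 0.0.0.0 128.0.0.0
    next
    edit "IPv4_high_half"
        set subnet 128.0.0.0 128.0.0.0
    next
end
# Step 3: outbound policy for the full-tunnel group only (the split-tunnel
# group must not be added here); ssl.root and wan1 are assumed interface names
config firewall policy
    edit 0
        set name "SSLVPN_Dis_to_Internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "IPv4_low_half" "IPv4_high_half"
        set groups "SSL-VPN_User_Dis"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set logtraffic all
    next
end
```

With 'set logtraffic all' on this policy, the Internet-bound traffic of the SSL-VPN_User_Dis group is visible in the FortiGate forward traffic log, which is the scanning and logging goal described above.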
Copyright 2024 Fortinet, Inc. All Rights Reserved.