carabhavi
Staff
Article Id 198692

Description

This article describes how to disable the 'Split-Tunnel' feature for SSL VPN and IPsec dialup tunnels and create the IPv4 firewall policy that full-tunnel VPN users need for WAN (Internet) access.

 

Scope

FortiGate.

Solution

Disabling the 'Split-Tunnel' option for SSL VPN or IPsec Dialup.

 

For SSL VPN refer to the following:


Go to VPN -> SSL VPN Portals -> Edit SSL VPN Portal and under 'Tunnel Mode' disable 'Enable Split Tunneling'.

 
To disable Split Tunneling in the CLI (replace <portal-name> with the name of the SSL VPN portal):

config vpn ssl web portal
    edit <portal-name>
        set split-tunneling disable
    next
end
 
Once the split tunnel option is disabled, all of the user's traffic, including Internet traffic, is sent through the tunnel to the FortiGate, so a firewall policy from the SSL VPN interface to the WAN interface is needed; without it, VPN users lose Internet access.

The incoming interface is the SSL VPN interface (ssl.root), and the outgoing interface is the WAN interface. In the example below, port1 is the WAN interface and NAT is enabled so that the VPN client addresses are translated to the WAN address.
 
To create the firewall policy in the CLI: 
 
config firewall policy
    edit 0
        set name "InternetForVPNUsers"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
        set groups "VPNGroup"
    next
end
 

For IPSec Dialup refer to the following:

 

Go to VPN -> IPSec Tunnels and under Network, the option for IPv4 Split Tunnel must be disabled.

[Screenshot: disable_split tunnel.png, the IPv4 Split Tunnel option disabled under Network]

 

To disable the IPv4 split tunnel in the CLI (here the phase1 interface is named 'dialup'):

config vpn ipsec phase1-interface
    edit dialup
        unset ipv4-split-include
    next
end

 

Once the IPv4 split tunnel is disabled, a firewall policy from the IPsec dialup interface to the WAN interface is needed.

 

[Screenshot: Ipsec to wan.PNG, firewall policy from the IPsec dialup interface to the WAN interface]

To create the firewall policy in the CLI: 

 

config firewall policy
    edit 0
        set name "IPsec to WAN"
        set srcintf "dialup"
        set dstintf "virtual-wan-link"
        set action accept
        set srcaddr "dialup_range"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
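The two CLI steps above (disable split tunneling, then add a VPN-to-WAN NAT policy) are easy to half-finish, and the failure mode is silent: the tunnel comes up but users have no Internet. The following is an added example, not Fortinet's code, that parses a FortiOS configuration dump in the config/edit/set/unset/next/end shape used on this page and reports, for each SSL VPN portal and each dialup phase1, whether split tunneling is still on and whether the matching WAN policy exists. Assumptions: the sample configuration is constructed; the SSL VPN interface is named ssl.root and the WAN interfaces are port1 or virtual-wan-link as in the two examples above; dialup phase1s are identified by 'set type dynamic'; a portal is treated as split tunneling unless 'set split-tunneling disable' is present.

```python
"""Audit a FortiOS config dump for the two settings this article configures.
Added example, not Fortinet's code: the parser handles only the one-level
config/edit/set/unset/next/end layout shown in the article, and the sample
configuration below is constructed."""
import shlex
from typing import Dict, List, Optional

# Constructed sample: one full-tunnel portal, one portal still split tunneling,
# a dialup phase1 with the split include removed, and only the SSL-to-WAN policy.
SAMPLE_CONFIG = """\
config vpn ssl web portal
    edit "full-access"
        set split-tunneling disable
    next
    edit "web-access"
        set split-tunneling enable
        set split-tunneling-routing-address "lan_subnets"
    next
end
config vpn ipsec phase1-interface
    edit "dialup"
        set type dynamic
        unset ipv4-split-include
    next
end
config firewall policy
    edit 1
        set name "InternetForVPNUsers"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set nat enable
    next
end
"""

Config = Dict[str, Dict[str, Dict[str, Optional[List[str]]]]]


def parse_fortios(text: str) -> Config:
    """Return {table: {entry: {key: [values] or None}}}.
    'unset key' is stored as None so the audit can tell an explicit unset
    (the article's IPsec step) from a key that was never mentioned."""
    cfg: Config = {}
    table = entry = None
    for raw in text.splitlines():
        parts = shlex.split(raw)          # handles the quoted names FortiOS emits
        if not parts:
            continue
        verb, args = parts[0], parts[1:]
        if verb == "config":
            table = " ".join(args)
            cfg.setdefault(table, {})
        elif verb == "edit" and table is not None:
            entry = args[0]
            cfg[table].setdefault(entry, {})
        elif verb in ("set", "unset") and table is not None:
            row = cfg[table].setdefault(entry if entry is not None else "_global", {})
            row[args[0]] = args[1:] if verb == "set" else None
        elif verb == "next":
            entry = None
        elif verb == "end":
            table = entry = None
    return cfg


def wan_policies(cfg: Config, vpn_intf: str,
                 wan_intfs=("port1", "virtual-wan-link")) -> List[str]:
    """Names of accept+NAT policies from vpn_intf to a WAN interface.
    port1 / virtual-wan-link are the WAN names from the article's two examples."""
    hits = []
    for pid, p in cfg.get("firewall policy", {}).items():
        if (vpn_intf in (p.get("srcintf") or [])
                and set(p.get("dstintf") or []) & set(wan_intfs)
                and p.get("action") == ["accept"]     # FortiOS policy default is deny
                and p.get("nat") == ["enable"]):
            hits.append((p.get("name") or [pid])[0])
    return hits


def audit(text: str, wan_intfs=("port1", "virtual-wan-link")) -> List[str]:
    """One finding per portal/phase1 that is still split tunneling, or is
    full-tunnel without the WAN policy that keeps client Internet working."""
    cfg = parse_fortios(text)
    findings = []
    # Assumption: split tunneling is on unless 'set split-tunneling disable' is present.
    for name, s in cfg.get("vpn ssl web portal", {}).items():
        if s.get("split-tunneling") != ["disable"]:
            findings.append(f"SSL portal '{name}': split tunneling not disabled")
        elif not wan_policies(cfg, "ssl.root", wan_intfs):   # ssl.root as in the article
            findings.append(f"SSL portal '{name}': full tunnel but no ssl.root -> WAN NAT policy")
    # Assumption: dialup phase1s are those configured with 'set type dynamic'.
    for name, s in cfg.get("vpn ipsec phase1-interface", {}).items():
        if s.get("type") != ["dynamic"]:
            continue
        if s.get("ipv4-split-include"):
            findings.append(f"IPsec dialup '{name}': ipv4-split-include still set")
        elif not wan_policies(cfg, name, wan_intfs):
            findings.append(f"IPsec dialup '{name}': full tunnel but no {name} -> WAN NAT policy")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```

Run against a real dump (`show vpn ssl web portal`, `show vpn ipsec phase1-interface`, `show firewall policy` concatenated) and pass your own WAN interface names in `wan_intfs`; on the constructed sample it flags the 'web-access' portal for still split tunneling and the 'dialup' phase1 for having no dialup-to-WAN policy, while 'full-access' passes because the InternetForVPNUsers policy exists.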

 

Note:

Changing the IPsec VPN configuration while users are connected will disconnect them; they will need to reconnect afterwards.

 

Related article:

Technical Tip: Disable split tunneling to specific groups and enable it to other group/users