FortiGate
Anonymous
Article Id 230575

Description

 

This article describes how to configure SSL VPN split tunneling with the 'Enabled for Trusted Destination' option, in which the configured firewall address object becomes a trusted destination that is not tunneled through the SSL VPN. All other destinations are tunneled through the SSL VPN.

 

Scope

 

FortiGate.

 

Solution

 

The split tunnel feature in SSL VPN has two options:

  1. Enabled Based on Policy Destination: This option pushes routes only for the destinations defined in the SSL VPN firewall policy. For its configuration steps, see the related article linked below.
  2. Enabled for Trusted Destination: This article shows the steps to enable the SSL VPN split tunnel using this option.

 

With 'Enabled for Trusted Destination', only client traffic that does not match an explicitly trusted destination is directed over the SSL VPN tunnel. FortiGate pushes a default route so that everything is routed over the SSL VPN tunnel except the addresses explicitly defined in the Routing Address Override. The routing table on the PC shows whether FortiClient has installed these routes.

 

Configuration steps:

 

Navigate to VPN -> SSL-VPN Portals, create a portal and name it, enable 'Tunnel Mode', and select 'Enabled for Trusted Destination'.

 

[Screenshot: vpn portal ssl.PNG]

 

Example configuration in the CLI: 

 

config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "Port2 Address Exclude"
    next
end

 

Note: SSL VPN is removed from 2GB RAM models starting with FortiOS 7.6: SSL VPN web mode and tunnel mode are no longer available from the GUI or CLI, and these settings are not upgraded from previous versions. For more information, see 'SSL VPN removed from 2GB RAM models for tunnel and web mode' in the FortiOS 7.6.1 release notes.

 

Also, from FortiOS 7.6.3 SSL VPN tunnel mode is completely removed, and only web mode (Agentless VPN) is supported.

For more information, see Technical Tip: Upcoming changes on SSL VPN modes starting from v7.6.3.

 

Select VPN -> SSL-VPN Settings, enable SSL VPN, and specify the SSL VPN port under 'Listen on port'. Under Authentication/Portal Mapping, select the user/group and assign the portal configured above.

 

[Screenshot: Kb 9.2.png]

 

Example configuration in the CLI: 

 

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 40443
    set source-interface "port1"
    set source-address "all"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "TestAuthentication"
            set portal "tunnel-access"
        next
    end
end

 

Then create a firewall policy from the SSL VPN interface (ssl.root) to the internal interface.

 

[Screenshot: sslvpn policy.PNG]

 

Example configuration in the CLI: 

 

config firewall policy
    edit 0
        set name "SSL-VPN to LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set groups "TestAuthentication"
    next
end

 

Now connect to the SSL VPN and check the routes on the PC with the command 'route print'.

 

[Screenshot: Kb 9.4.PNG]

 

As seen in the routing table above, all traffic is forwarded into the SSL VPN tunnel via the FortiClient gateway 10.212.134.201, except the excluded address defined in the Routing Address Override, 192.168.100.150/32, which is forced to the PC's ISP gateway.

 

In FortiOS 6.4.x, selecting 'all' as the destination in the SSL VPN policy is not supported when split tunneling is enabled; the policy only accepts specific IP addresses. For cases where all traffic has to be allowed but 'all' cannot be defined as the destination, the 'Negate Destination' feature can be used. To make it available, enable Policy Advanced Options under System -> Feature Visibility.

 

[Screenshot: kb 9.5.PNG]

 

Then create a policy: select the same address object that was chosen as the excluded address in the SSL VPN portal, and enable Destination Negate.

 

[Screenshot: kb 9.6.PNG]

 

This allows all traffic from the SSL VPN except traffic to the destination listed in the policy with Destination Negate enabled.
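The two behaviours described above, the client routing table check after 'route print' and the Destination Negate policy match, modeled in one added Python example. This is not code from the Fortinet article, FortiClient or FortiOS; the 'route print' sample is constructed around the article's values (tunnel gateway 10.212.134.201, excluded host 192.168.100.150/32), and the ISP gateway 192.168.1.1, the client interface addresses and the probe destination 203.0.113.10 are assumptions.

```python
"""Added example, not part of the Fortinet article.

Two checks a defender can script after a split-tunnel SSL VPN connects:
1. parse a Windows 'route print' table and confirm the default route goes to the
   tunnel gateway while each trusted destination bypasses it;
2. model a firewall policy with 'Destination Negate' to see which destinations
   it matches.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed 'route print' output. Tunnel gateway 10.212.134.201 and excluded host
# 192.168.100.150/32 come from the article; ISP gateway 192.168.1.1 and the client
# interface addresses are assumptions.
ROUTE_PRINT_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0   10.212.134.201   10.212.134.200      1
          0.0.0.0          0.0.0.0      192.168.1.1      192.168.1.50     25
  192.168.100.150  255.255.255.255      192.168.1.1      192.168.1.50     26
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
===========================================================================
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str          # next-hop IP, or 'On-link' for directly connected
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Keep only the five-column IPv4 route lines; skip headers and separators."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            net = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
            metric = int(parts[4])
        except ValueError:
            continue  # not a route row
        routes.append(Route(net, parts[2], metric))
    return routes


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))
    return best.gateway


def verify_split_tunnel(routes: List[Route], tunnel_gw: str,
                        trusted: List[str], probe: str = "203.0.113.10") -> bool:
    """True when an arbitrary probe address rides the tunnel and the first and
    last address of every trusted network bypass it, which is the
    'Enabled for Trusted Destination' behaviour the article describes."""
    if next_hop(routes, probe) != tunnel_gw:
        return False
    for cidr in trusted:
        net = ipaddress.IPv4Network(cidr)
        for a in (net.network_address, net.broadcast_address):
            if next_hop(routes, str(a)) == tunnel_gw:
                return False
    return True


@dataclass
class Policy:
    name: str
    dstaddr: List[ipaddress.IPv4Network]
    dstaddr_negate: bool = False


def policy_matches_destination(policy: Policy, dst: str) -> bool:
    """With negate enabled the policy matches every destination EXCEPT the
    listed ones; without it, only the listed ones."""
    addr = ipaddress.IPv4Address(dst)
    in_list = any(addr in n for n in policy.dstaddr)
    return in_list != policy.dstaddr_negate


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT_SAMPLE)
    print("split tunnel OK:",
          verify_split_tunnel(routes, "10.212.134.201", ["192.168.100.150/32"]))
    negated = Policy("SSL-VPN to LAN",
                     [ipaddress.IPv4Network("192.168.100.150/32")], dstaddr_negate=True)
    for dst in ("10.0.0.5", "192.168.100.150"):
        print(dst, "matches negated policy:", policy_matches_destination(negated, dst))
```

To run it against a real client, replace ROUTE_PRINT_SAMPLE with the output of 'route print -4' and set tunnel_gw to the gateway FortiClient shows; a False result means the Routing Address Override was not pushed as expected.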

 

Note: Using ISDB, dynamic FQDN, or wildcard FQDN objects in the Routing Address Override or as the policy destination is not supported with split tunneling; static FQDN objects are supported. If multiple IPs are required, define the address object manually and use it in the Routing Address Override or the policy destination field.

 

Related articles: