FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 198108


This article shows the steps to enable split tunneling feature and route only internal traffic via tunnel.


In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate.

Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit.
Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

Create internal subnet address object range as shown below:

Via GUI:
Go to Policy & Objects > Addresses
Select 'Create New' and add the head office server address:

Via CLI:
#config firewall address
    edit "Internal_subnet"
        set subnet
Via GUI:
Go to VPN -> SSGo to VPN -> SSL-VPN Portals
Select 'tunnel-access'

Enable option 'Enable Split Tunneling' and select the Internel Subnet Address object under Routing address option.
Via CLI:
#config vpn ssl web portal
    edit "tunnel-access"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling-routing-address "Internal_subnet"

With this configuration, the prefix defined as 'Internal subnet' will be pushed to the client and a static route will be added via the tunnel interface.



If the routing Address field is left blank, then the destination subnet configured in the firewall policy that allows the traffic from the ssl tunnel interface and the user/user group, will be pushed to the client. Configuring an Internet Service as destination in the firewall policy will not push the whole list of IP addresses containing in that particular Internet Service. It will pus a default route.


If both are configured, the "Routing Address" defined in the SSL-VPN portal takes precedence over the one configured in the firewall policy as destination.

Note: Post enabling split-tunnel feature it's not possible to select destination address as all in IPv4 policy.
Select Internal-subnet as the destination in SSL-VPN to LAN policy. Only one policy from SSL.root interface to LAN interface is needed.
Via CLI when not defining user/group in the SSL-VPN policy, it is still possible to use destination address which will enforce a default route when using the tunnel.
# config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all" <--
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
SSL VPN policies without user/group allocation are used for all SSL-VPN tunnel connections.