ppatel, Staff
Article Id 198108

Description


This article shows the steps to enable the split tunneling feature and route only internal traffic via the tunnel.

 

First configure the SSL-VPN portal on which split tunneling is to be enabled. Navigate to VPN -> SSL-VPN Portals, enable 'Tunnel Mode', and under Split tunneling select 'Enabled Based on Policy Destination'.

 

[Screenshot: Kb 7.3.PNG]

 

To enable split tunneling in the CLI:

 

config vpn ssl web portal
    edit tunnel-access
        set split-tunneling enable
    next
end

 

Next, enable SSL VPN: navigate to VPN -> SSL-VPN Settings, enable SSL-VPN, and set the SSL VPN port under 'Listen on port'. Under 'Authentication/Portal Mapping', select the user or group and assign the portal configured above.

 

[Screenshot: Kb 7.2.png]

 

To configure SSL-VPN settings in the CLI:

 

config vpn ssl settings
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set source-interface "port1"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "TestAuthentication"
            set portal "tunnel-access"
        next
    end
end

 

Then create a firewall policy that specifies 'Source' and 'Destination'. In the 'Source' field specify the user group and the SSL VPN address range configured in the SSL VPN settings. In the 'Destination' field specify the subnet that must be reachable when connected over SSL VPN.

 

[Screenshot: Kb 7.4.PNG]

 

Note:

Adjust NAT on the policy if no return traffic is seen from the end device because of routing or security restrictions.

 

To create a firewall policy in the CLI:

 

config firewall policy
    edit <>
        set name "SSL VPN to LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN subnet"
        set schedule "always"
        set service "ALL"
        set groups "TestAuthentication"
    next
end
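The portal's split-tunneling setting and the policy's destination address together decide what the client is allowed to route through the tunnel. As an added example (not Fortinet's code or part of this article), the following script parses a FortiOS CLI snippet and reports which portals have split tunneling enabled and which SSL-VPN policies use 'all' as destination; under 'Enabled Based on Policy Destination' such a policy pushes a default route, which turns the split tunnel into a full tunnel. The configuration text is constructed for the example and mirrors the commands above; `set tunnel-mode enable` is assumed to be the CLI equivalent of the GUI 'Tunnel Mode' toggle.

```python
import shlex

# Constructed sample, modelled on the portal and policy configuration in this
# article. A second policy with destination "all" is included deliberately:
# with policy-based split tunneling it would push a default route to the client.
SAMPLE_CONFIG = """
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set split-tunneling enable
    next
    edit "web-access"
        set split-tunneling disable
    next
end
config firewall policy
    edit 1
        set name "SSL VPN to LAN"
        set srcintf "ssl.root"
        set dstintf "port2"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN subnet"
        set groups "TestAuthentication"
    next
    edit 2
        set name "SSL VPN full"
        set srcintf "ssl.root"
        set dstintf "port1"
        set action accept
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
    next
end
"""


def parse_fortios(text):
    """Minimal FortiOS CLI parser: {section: {entry: {key: [values]}}}.

    'config' opens a section, 'edit' an entry, 'set' assigns a key, 'next'
    closes the entry and 'end' closes the section. Nested sections are keyed
    by their full path joined with ' / '."""
    sections = {}
    stack = []  # items are [section name, current entry name or None]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        cmd, args = tokens[0], tokens[1:]
        path = " / ".join(name for name, _ in stack)
        if cmd == "config":
            stack.append([" ".join(args), None])
            sections.setdefault(" / ".join(name for name, _ in stack), {})
        elif not stack:
            continue
        elif cmd == "edit":
            stack[-1][1] = args[0]
            sections[path].setdefault(args[0], {})
        elif cmd == "set":
            entry = stack[-1][1] or "_global"
            sections[path].setdefault(entry, {})[args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return sections


def split_tunnel_portals(cfg):
    """Names of SSL-VPN portals that have 'set split-tunneling enable'."""
    portals = cfg.get("vpn ssl web portal", {})
    return sorted(n for n, p in portals.items()
                  if p.get("split-tunneling") == ["enable"])


def full_tunnel_policies(cfg):
    """SSL-VPN (srcintf ssl.root) policies whose destination is 'all'.

    Under 'Enabled Based on Policy Destination' the policy destinations are
    the routes pushed to the client, so 'all' turns the split tunnel into a
    full tunnel."""
    hits = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if "ssl.root" in pol.get("srcintf", []) and "all" in pol.get("dstaddr", []):
            hits.append(pol.get("name", [pid])[0])
    return hits


if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("split-tunnel portals:", split_tunnel_portals(cfg))
    print("policies pushing a default route:", full_tunnel_policies(cfg))
```

Run it against the output of `show vpn ssl web portal` and `show firewall policy` from a real unit to confirm that only the intended subnets will be pushed to clients.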

 

The policy's destination subnet is pushed to the client PC as a route once it connects over SSL VPN.

To verify the routes on the end device, run 'route print' in a command prompt on the Windows client.

 

[Screenshot: Kb 9.4.PNG]

 

Similarly, for Linux devices run the command: 'ip route show'.

 

Or:

 

route -n

 

For macOS devices run the command: 'netstat -rn'.
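Reading the routing table by eye works for one client, but the two things worth confirming are easy to automate: the LAN subnet from the policy is reachable through the tunnel address, and no default route points into the tunnel (which would mean all traffic is being sent over the VPN). The script below is an added example, not part of this article or of Fortinet's tooling. It parses the 'route print' (Windows) and 'ip route show' (Linux) formats shown above; the sample outputs are constructed, and the tunnel pool 10.212.134.0/24 and LAN subnet 192.168.10.0/24 are assumptions for the example. 'netstat -rn' output on macOS uses a different layout and is not handled here.

```python
import ipaddress
import re

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample outputs. The client has an uplink on 192.168.1.0/24, the
# SSL-VPN tunnel address 10.212.134.200 (assumed pool 10.212.134.0/24) and a
# split-tunnel route for the LAN subnet 192.168.10.0/24.
WINDOWS_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link       127.0.0.1    331
     10.212.134.0    255.255.255.0         On-link  10.212.134.200    257
     192.168.10.0    255.255.255.0    10.212.134.1  10.212.134.200     26
"""

LINUX_IP_ROUTE = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.212.134.0/24 dev tun0 proto kernel scope link src 10.212.134.200
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
192.168.10.0/24 via 10.212.134.1 dev tun0
"""

# Same client, but a default route also goes into the tunnel (full tunnel).
LINUX_FULL_TUNNEL = """\
default via 10.212.134.1 dev tun0 metric 50
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.212.134.0/24 dev tun0 proto kernel scope link src 10.212.134.200
"""


def parse_routes(text):
    """Parse 'route print' or 'ip route show' output.

    Returns a list of (destination network, [next-hop/interface addresses]).
    Windows rows are 'dest mask gateway interface metric'; Linux rows are
    'dest|default via GW dev IF ... src SRC'. Header lines are skipped."""
    routes = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        try:
            if t[0] == "default":
                net, rest = ipaddress.ip_network("0.0.0.0/0"), t[1:]
            elif "/" in t[0]:
                net, rest = ipaddress.ip_network(t[0], strict=False), t[1:]
            elif len(t) > 1 and IPV4.fullmatch(t[0]) and IPV4.fullmatch(t[1]):
                net = ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False)
                rest = t[2:]
            else:
                continue
        except ValueError:
            continue
        hops = [ipaddress.ip_address(x) for x in rest if IPV4.fullmatch(x)]
        routes.append((net, hops))
    return routes


def check_split_tunnel(route_text, lan_subnet, vpn_pool):
    """Verify the split-tunnel route on a client.

    lan_via_tunnel: the policy destination subnet is routed through a tunnel
    address. full_tunnel: a default route also points into the tunnel, so all
    traffic, not only the LAN subnet, is sent over the VPN."""
    lan = ipaddress.ip_network(lan_subnet)
    pool = ipaddress.ip_network(vpn_pool)

    def via_tunnel(hops):
        return any(h in pool for h in hops)

    routes = parse_routes(route_text)
    return {
        "lan_via_tunnel": any(net == lan and via_tunnel(hops) for net, hops in routes),
        "full_tunnel": any(net.prefixlen == 0 and via_tunnel(hops) for net, hops in routes),
    }


if __name__ == "__main__":
    samples = [("windows", WINDOWS_ROUTE_PRINT), ("linux", LINUX_IP_ROUTE),
               ("linux full tunnel", LINUX_FULL_TUNNEL)]
    for name, out in samples:
        print(name, check_split_tunnel(out, "192.168.10.0/24", "10.212.134.0/24"))
```

A route is treated as "via the tunnel" when its gateway or interface address lies inside the SSL VPN address pool, which is what both the Windows 'Interface' column and the Linux 'via'/'src' fields expose; feed the script the real command output and the real pool to check a connected client.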

 

Related articles:

Technical Tip: Verify SSL VPN Split Tunnel Route on Windows and Linux

VPN Split Tunneling : Definition, Benefits, Risks, and FAQs

Technical Tip: Enabling split tunnel feature for SSL-VPN using policy destination

Technical Tip: How to configure split tunnel for SSL VPN using an address override

Technical Tip: Access to Specific FQDN using Split Tunnel SSL VPN