Created on 11-22-2022 05:38 PM
Edited on 01-06-2025 11:02 PM
By Jean-Philippe_P
Description
This article describes how to configure SSL VPN split tunneling in the mode where a configured firewall address becomes a trusted destination that is not tunneled through the SSL VPN. All other destinations are tunneled through the SSL VPN.
Scope
FortiGate.
Solution
The split tunnel feature in SSL VPN has two enabled modes: 'Enabled Based on Policy Destination' and 'Enabled for Trusted Destinations'. This article covers the second one.
With 'Enabled for Trusted Destinations', only client traffic that does not match an explicitly trusted destination is sent over the SSL VPN tunnel. FortiGate pushes a default route so that everything is routed over the SSL-VPN tunnel except the destinations defined in 'Routing Address Override', which stay on the client's local route. The routing table on the PC shows whether FortiClient has installed the pushed routes.
Configuration steps:
Navigate to VPN -> SSL-VPN Portals, create a portal, enable 'Tunnel Mode', set Split tunneling to 'Enabled for Trusted Destinations', and add the trusted destination address object under 'Routing Address Override'.
Select VPN -> SSL VPN Settings, enable the SSL VPN, and specify the SSL VPN port in 'Listen on port'. Under Authentication/portal mapping, select the user/group and map it to the portal configured above.
Then create a firewall policy from the SSL-VPN tunnel interface (ssl.root) to the destination interface.
Now connect the SSL VPN and check the routes on the PC with the command 'route print'.
In the PC's routing table, all traffic is forwarded into the SSL VPN tunnel through the FortiClient gateway 10.212.134.201, except the excluded address defined in the Routing Address Override, 192.168.100.150/32, which is routed via the PC's ISP gateway.
In FortiOS 6.4.x, selecting 'all' as the destination in the SSL VPN policy is not supported when split tunneling is enabled; the policy accepts only specific addresses. For cases where all traffic has to be allowed but 'all' cannot be used as the destination, the 'Negate Destination' feature can be used. To expose this option, enable Policy Advanced Options under System -> Feature Visibility.
Then create a policy that selects the same address object used as the excluded address in the SSL VPN portal and enable Destination Negate.
This allows all traffic from the SSL-VPN except traffic to the destination named in the policy with Destination Negate enabled.
Note: ISDB, dynamic FQDN, and wildcard FQDN objects are not supported for split tunneling, either in the Routing Address Override or as the destination in the policy. Static FQDN objects are supported. If multiple IPs are required, define the address objects manually and use them in the Routing Address Override or policy destination field.
Related articles:
Technical Tip: Enabling split tunnel feature for SSL-VPN using policy destination
Technical Tip: How to configure split tunnel for SSL VPN using an address override
Technical Tip: Access to Specific FQDN using Split Tunnel SSL VPN