FortiGate
aleguizamon
Staff
Article Id 370184
Description

This article describes how to reach one specific destination IP through the FortiGate's public IP while keeping split tunneling enabled in a dial-up IPsec VPN.

Scope

FortiGate VPN.
Solution

In this example, remote users need to access a website that only accepts connections from the FortiGate's public IP, and a full-tunnel VPN is not a feasible option.

  1. Create an address object of type Subnet for the destination IP:

(Screenshot: Address.gif)

Note: IPsec VPN does not support FQDN address objects for split tunnels (see the Fortinet Community article "Enable split-tunnel for IPsec VPN").

  2. Create the IPsec VPN under VPN -> IPsec Wizard -> Remote Access -> Client-Based -> FortiClient:
  • Select the incoming interface, and add the pre-shared key and user group.
  • Under Local Interface, select the internal/LAN interface and the WAN interface.
  • Under Local Address, add the LAN subnet object and the website address object created in step 1.

(Screenshot: Tunnel.gif)

  3. Go to Firewall Policies and adjust the destination address of the two policies the wizard created:
  • In the VPN-to-internal policy, remove the website address from the destination.
  • In the VPN-to-WAN policy, remove the LAN address from the destination.

(Screenshot: policy_check.gif)
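The CLI equivalent of the three wizard steps above, written as an added example (not part of the original article). All names and values are placeholders: "Website_IP" 203.0.113.10, an existing "LAN_subnet" object, wan1 and internal interfaces, tunnel "Dialup_VPN", user group "VPN_users", and the client address range "Dialup_VPN_range" that the wizard would create for the pool 10.10.10.1-100.

```fortios
# Placeholders: "Website_IP" 203.0.113.10, existing "LAN_subnet" object,
# wan1/internal, tunnel "Dialup_VPN", group "VPN_users", pool 10.10.10.1-100
config firewall address
    edit "Website_IP"
        set subnet 203.0.113.10 255.255.255.255
    next
end
config firewall addrgrp
    edit "Dialup_VPN_split"
        set member "LAN_subnet" "Website_IP"
    next
end
config vpn ipsec phase1-interface
    edit "Dialup_VPN"
        set type dynamic
        set interface "wan1"
        set mode-cfg enable
        set xauthtype auto
        set authusrgrp "VPN_users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.100
        set ipv4-split-include "Dialup_VPN_split"
        set psksecret <PSK-placeholder>
    next
end
# Each policy is limited to its own destination: the VPN-to-WAN rule is
# not a general internet egress path through the FortiGate.
config firewall policy
    edit 0
        set name "VPN_to_LAN"
        set srcintf "Dialup_VPN"
        set dstintf "internal"
        set srcaddr "Dialup_VPN_range"
        set dstaddr "LAN_subnet"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "VPN_to_WAN"
        set srcintf "Dialup_VPN"
        set dstintf "wan1"
        set srcaddr "Dialup_VPN_range"
        set dstaddr "Website_IP"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

The split-include group is what FortiClient installs as tunnel routes, so only the LAN subnet and the single website IP traverse the VPN; the VPN-to-WAN policy needs NAT enabled so that traffic leaves with the FortiGate's public IP, and keeping its destination limited to "Website_IP" prevents the tunnel from becoming an open egress path.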

Comments
GILMENDO
Staff

Great job @aleguizamon thank you for your contribution!

MaryBolano
Staff

Amazing job @aleguizamon, keep it up!!! ☺

JorgeMonroyPad

Great documentation, @aleguizamon!!! Keep it up!!!