FortiGate
Shashwati (Staff)
Article Id 317569
Description: This article describes how to access specific public IPs using an SSL VPN split tunnel.
Scope: FortiGate v6.X and v7.X.
Solution
  1. Configure the SSL VPN portal using split tunnel mode based on policy destination:

     [Screenshot: 1.PNG]

  2. Configure the SSL VPN settings to use the portal:

     [Screenshot: 4.PNG]

  3. Configure a Firewall Address object for the specific public IP address that must be reachable through the SSL VPN tunnel:

     [Screenshot: 2.PNG]

  4. Configure the firewall policy from SSL VPN to WAN using the destination-specific public IP address object:

     [Screenshot: 3.PNG]

Note:

When using Central SNAT, an SNAT policy needs to be created to translate traffic from the SSL VPN interface to the WAN interface. This includes specifying the user group(s) and the destination IP address object.

[Screenshot: central NAT.png]

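The configuration from steps 1 to 4 and the central SNAT note, written out as FortiOS CLI. This is an added example and not part of the original article (which documents the GUI); the CLI equivalents of the GUI options are my own mapping, and the interface names (wan1, ssl.root), the portal, address and policy names, the user group sslvpn-users and the public IP 203.0.113.10 (an RFC 5737 documentation address) are assumptions to be replaced with your own values.

```fortios
# Added example, not from the article. Assumed names: wan1, ssl.root,
# sslvpn-users, Public-IP-Host, split-tunnel-portal, 203.0.113.10.

# Step 3: address object for the single public IP reachable through the tunnel.
config firewall address
    edit "Public-IP-Host"
        set type ipmask
        set subnet 203.0.113.10 255.255.255.255
    next
end

# Step 1: portal with split tunneling enabled and no routing address set,
# so the routes pushed to the client are derived from the destinations of
# the firewall policies the user matches (GUI: "Based on Policy Destination").
config vpn ssl web portal
    edit "split-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Step 2: SSL VPN settings that map the user group to the portal.
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 10443
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "split-tunnel-portal"
        next
    end
end

# Step 4: policy from the SSL VPN interface to WAN, restricted to the one
# public IP. Its destination is what the client receives as a tunnel route;
# everything else stays on the client's local default route.
config firewall policy
    edit 0
        set name "SSLVPN-to-PublicIP"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "Public-IP-Host"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        # Policy-based NAT; omit this line when central NAT is enabled.
        set nat enable
    next
end

# Note section: with central NAT enabled (config system settings,
# set central-nat enable) the policy has no "set nat" option, and the
# translation from the SSL VPN interface to WAN is defined here instead.
config firewall central-snat-map
    edit 0
        set srcintf "ssl.root"
        set dstintf "wan1"
        set orig-addr "SSLVPN_TUNNEL_ADDR1"
        set dst-addr "Public-IP-Host"
        set nat enable
    next
end
```

Keeping the policy destination to the exact host object is what limits the split tunnel: a broader destination (for example "all") would push a default route into the tunnel and turn the setup back into full tunneling.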

  5. Connect to the SSL VPN and confirm that the route to the public IP is installed, using the 'route print' command on the user's machine.
  6. SSL VPN users will be able to access only the specific public IP and the internal network through the VPN tunnel.
  7. It is also possible to add an address object (or group) that consists of the addresses of a particular domain, for example Facebook:

     [Screenshot: facebook address group.PNG]
  8. Configure the routing address override to route Facebook traffic through the SSL VPN:

     [Screenshot: ssl portal.PNG]
  9. Configure the policy from SSL VPN to WAN to allow traffic for the Facebook domain:

     [Screenshot: SSL VPN lab.PNG]
  10. Logs:

     [Screenshot: forward logs.PNG]
  11. Debug flow to validate the traffic flow:

     [Screenshot: debugs.PNG]
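The domain-based variant from steps 7 to 9 and the debug flow check from step 11, as FortiOS CLI. This is an added example, not code from the article; the CLI mapping of the GUI "routing address override" is my own, and the object names (facebook-fqdn, www-facebook-fqdn, Facebook-Group, split-tunnel-portal), interfaces (wan1, ssl.root) and the client address 10.212.134.200 (from the default SSLVPN_TUNNEL_ADDR1 pool) are assumptions.

```fortios
# Added example, not from the article. Assumed names: facebook-fqdn,
# www-facebook-fqdn, Facebook-Group, split-tunnel-portal, wan1, ssl.root.

# Step 7: FQDN address objects collected in one group. The FortiGate
# resolves the names, and the resolved IPs are what gets pushed as routes,
# so the client only receives routes for addresses the DNS answer contained.
config firewall address
    edit "facebook-fqdn"
        set type fqdn
        set fqdn "facebook.com"
    next
    edit "www-facebook-fqdn"
        set type fqdn
        set fqdn "www.facebook.com"
    next
end
config firewall addrgrp
    edit "Facebook-Group"
        set member "facebook-fqdn" "www-facebook-fqdn"
    next
end

# Step 8: routing address override on the portal. Once this is set, the
# routes sent to the client come from this group instead of the policy
# destinations, so the group must list every destination the tunnel carries.
config vpn ssl web portal
    edit "split-tunnel-portal"
        set split-tunneling-routing-address "Facebook-Group"
    next
end

# Step 9: a policy from ssl.root to wan1 is still required for the traffic
# to be allowed; the override only changes routing. It is the same shape as
# the step 4 policy, with dstaddr "Facebook-Group".

# Step 11: debug flow on the FortiGate CLI, filtered on the client's
# tunnel address so only the VPN user's sessions are traced.
diagnose debug reset
diagnose debug flow filter clear
diagnose debug flow filter saddr 10.212.134.200
diagnose debug flow show function-name enable
diagnose debug flow trace start 20
diagnose debug enable
# Generate traffic from the connected client, then stop the trace.
diagnose debug disable
diagnose debug flow trace stop
```

In the trace, the lines to check are the policy id the session matched (it should be the SSL VPN to WAN policy, not a wider one) and the SNAT line showing the wan1 address, which confirms both the policy restriction and the NAT from the note above are in effect.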
Note:
Starting with v7.6.3, SSL VPN tunnel mode will no longer be supported on all FortiGate models, and SSL VPN web mode will be called 'Agentless VPN'.