FortiGate
anoushiravan
Staff
Article Id 402495
Description This article describes how to verify, from the SSL VPN debug output, that the firewall address used as the destination address on the SSL VPN firewall policy is injected into FortiClient as a split-tunnel route after a successful SSL VPN connection.
Scope FortiGate.
Solution

In some FortiOS versions, the following SSL VPN debug shows the firewall address that is used as the destination on the SSL VPN firewall policy being injected into FortiClient once the user has successfully connected to the SSL VPN.


diagnose debug disable
diagnose debug reset

diagnose vpn ssl debug-filter src-addr4 x.x.x.x <----- Public IP of the endpoint.
diagnose debug application sslvpn -1
diagnose debug console timestamp enable
diagnose debug enable


In this example, the firewall address 4.2.2.2/32 enabled as the destination address on firewall policy ID 321 is supposed to be injected into the FortiClient:


The firewall address is created:


config firewall address
    edit "4.2.2.2/32"
        set subnet 4.2.2.2 255.255.255.255
    next
end


The split tunneling option 'Enabled Based on Policy Destination' is enabled on the SSL VPN portal (in the CLI this corresponds to 'set split-tunneling enable'):


config vpn ssl web portal
    edit Navan_POC
        set split-tunneling enable
    next
end


The SSL VPN setting is properly configured:


config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "port2"
    set source-address "all"
    set default-portal "full-access"
        config authentication-rule
            edit 1
                set groups "VPN_Users"
                set portal "Navan_POC"
            next
        end
end


The created firewall address is enabled as the destination address on the policy:


config firewall policy
    edit 321
        set name "VPN_POC"
        set srcintf "ssl.root"
        set dstintf "port8"
        set action accept
        set srcaddr "all"
        set dstaddr "4.2.2.2/32" <--- The firewall address created above.
        set schedule "always"
        set service "ALL"
        set groups "VPN_Users"
    next
end

After the user connects to the SSL VPN, the debug output shows that the destination address of the SSL VPN policy is injected into FortiClient:


2025-07-18 12:19:38 [3948:root:19a1]deconstruct_session_id:492 decode session id ok, user=[tester],group=[VPN_Users],authserver=[],portal=[Navan_POC],host[95.3.2.38],realm=[],csrf_token=[459DD256F8E1E455B1B60E04EF7C781],idx=0,auth=256,sid=7bf68c33,login=1752833978,access=1752833978,saml_logout_url=yes,pip=95.3.2.38,grp_info=[LPrCLl],rmt_grp_info=[kEH3Pl]
2025-07-18 12:19:38 [3948:root:19a1]sslvpn_reserve_dynip:1544 tunnel vd[root] ip[10.212.134.200] app session idx[0] <--- An IP from the SSL VPN IP pool was assigned to the connected user.
2025-07-18 12:19:38 [3948:root:19a1]form_ipv4_pol_split_tunnel_addr:113 Matched policy (id = 321) to add ipv4 split tunnel routing address <--- Address enabled on firewall policy ID 321 is injected to FortiClient.
2025-07-18 12:19:40 [3943:root:19a1]SSL state:fatal decode error (95.3.2.38)
2025-07-18 12:19:40 [3943:root:19a1]sslvpn_read_request_common,863, ret=-1 error=-1, sconn=0x7f86dbae2000.
2025-07-18 12:19:40 [3943:root:19a1]Destroy sconn 0x7f86dbae2000, connSize=0. (root)
2025-07-18 12:19:41 [3949:root:19a1]allocSSLConn:310 sconn 0x7f86dbb3e800 (0:root)
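When this check has to be repeated for many users, or across a long 'diagnose debug application sslvpn -1' capture, it helps to extract the session details and the matched split-tunnel policy automatically. The following parser is an added example, not part of the original article or of FortiOS; it assumes the line formats shown above, and the embedded sample debug is constructed for illustration (it repeats the article's user, portal, tunnel IP and policy ID).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format of the debug excerpt above (not a real capture).
SAMPLE_DEBUG = """\
2025-07-18 12:19:38 [3948:root:19a1]deconstruct_session_id:492 decode session id ok, user=[tester],group=[VPN_Users],authserver=[],portal=[Navan_POC],host[95.3.2.38],realm=[],idx=0,auth=256,sid=7bf68c33
2025-07-18 12:19:38 [3948:root:19a1]sslvpn_reserve_dynip:1544 tunnel vd[root] ip[10.212.134.200] app session idx[0]
2025-07-18 12:19:38 [3948:root:19a1]form_ipv4_pol_split_tunnel_addr:113 Matched policy (id = 321) to add ipv4 split tunnel routing address
2025-07-18 12:19:40 [3943:root:19a1]SSL state:fatal decode error (95.3.2.38)
"""

# One pattern per debug line type we care about; the numeric suffix after the
# function name is a source line number and varies between FortiOS builds.
SESSION_RE = re.compile(r"deconstruct_session_id:\d+ .*?user=\[([^\]]*)\].*?group=\[([^\]]*)\].*?portal=\[([^\]]*)\]")
DYNIP_RE = re.compile(r"sslvpn_reserve_dynip:\d+ tunnel vd\[([^\]]*)\] ip\[([^\]]*)\]")
SPLIT_RE = re.compile(r"form_ipv4_pol_split_tunnel_addr:\d+ Matched policy \(id = (\d+)\)")


@dataclass
class SslvpnSession:
    user: Optional[str] = None
    group: Optional[str] = None
    portal: Optional[str] = None
    vdom: Optional[str] = None
    tunnel_ip: Optional[str] = None          # IP assigned from the SSL VPN IP pool
    split_tunnel_policies: List[int] = field(default_factory=list)


def parse_sslvpn_debug(text: str) -> SslvpnSession:
    """Extract the user session, assigned tunnel IP and matched split-tunnel policy IDs."""
    s = SslvpnSession()
    for line in text.splitlines():
        if m := SESSION_RE.search(line):
            s.user, s.group, s.portal = m.group(1), m.group(2), m.group(3)
        elif m := DYNIP_RE.search(line):
            s.vdom, s.tunnel_ip = m.group(1), m.group(2)
        elif m := SPLIT_RE.search(line):
            s.split_tunnel_policies.append(int(m.group(1)))
    return s


def split_tunnel_injected(text: str, expected_policy_id: int) -> bool:
    """True when the debug shows the expected policy's destination being pushed as a split-tunnel route."""
    return expected_policy_id in parse_sslvpn_debug(text).split_tunnel_policies


if __name__ == "__main__":
    session = parse_sslvpn_debug(SAMPLE_DEBUG)
    print(session)
    print("policy 321 injected:", split_tunnel_injected(SAMPLE_DEBUG, 321))
```

If the expected policy ID is absent from the output, check that the user's group matches the policy's 'set groups' and that the portal has split tunneling enabled, since both are required for the policy to be matched.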


Here is a screenshot of the routing table on the user's PC after the VPN connection:


(Screenshot: Split-Tunnel.JPG)


On Linux, the equivalent command is usually 'ip route'. Here is an example of its output on Ubuntu:


(Screenshot: route linux.PNG)

Related articles:
Technical Tip: Enabling split tunnel feature for SSL VPN using policy destination

Technical Tip: Access to Specific FQDN using Split Tunnel SSL VPN