Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
hbac
Staff
Staff

Created on ‎09-24-2023 09:05 PM Edited on ‎07-24-2025 05:38 AM By Moderator

Article Id 275443

Technical Tip: How to configure split and non-split SSL VPN tunnel using realms

Description

This article describes how to configure split and non-split SSL VPN portals at the same time using realms.

This will allow users to choose to connect to a split or non-split tunnel.
Scope FortiGate.
Solution

In this example, the default realm is used for the split tunnel, and it is necessary to create a new realm named 'non-split' for the non-split tunnel.

 

  1. Configure two SSL-VPN portals. One with Split tunneling enabled and one with Split tunneling disabled:

 

                    vpn portal.PNG

 

  1.  Enable ‘SSL-VPN Realms’ on the GUI from System -> Feature Visibility -> SSL VPN Realms.

 

                                          vpn realms.PNG

 

  1. Create a new ‘SSL-VPN Realms’ on the GUI from VPN -> SSL-VPN Realms -> Create New -> URL Path = non-split.

 

                                           realmm.PNG

 

Under VPN -> SSL-VPN Settings -> Authentication/Portal Mapping, map Users/Groups to the corresponding Realms and Portals.

 

Note:

It is not possible to map the same group to different realms. If the same group needs to be used, it is possible to clone that group and give it a different name. In this example, ‘Guest-group’ is used for the split tunnel, and ‘Guest-group-non-split’ is used for non-split. ‘Guest-group-non-split’ was cloned from ‘Guest-group’.

It is also possible to map different groups to different realms and portals:

 

                                                    mapping.PNG

 

  1. Create a Firewall Policy to allow traffic from the SSL VPN interface (ssl.root) to the internal interface (port2) for ‘Guest-group’ and ‘Guest-group-non-split’ to access the internal network. In this example, port2 is the internal interface.

 

                                              policy2.PNG

 

  1. Create a Firewall Policy to allow traffic from the SSL VPN interface (ssl.root) to the external interface (port1) for ‘Guest-group-non-split’ to access the Internet. In this example, port1 is the Internet-facing interface (WAN).

 

                                            wan1.PNG

 

  1. On the FortiClient, create two VPN connections. One for split and one for non-split. To connect to the non-split realm, it is necessary to add the realm name to the URL. In this example, it is https://192.168.3.1:8443/non-split

 

                   split.PNGclient.PNG

 

After that, users will be able to choose which VPN connection to connect to (split or non-split). 

 

Note:

If the user mistyped the realm (for example, https://192.168.3.1:8443/non-split1), then the user will be returned to the login screen again as that realm is not present on the FortiGate. If a user tries the same URL from the web browser, it will return the error 'Access denied' page. 

 
 

Access Denied.png

 

Note: Starting v7.6.3, the SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN':

SSL VPN tunnel mode replaced with IPsec VPN

Agentless VPN

 

Migrate SSL VPN to IPsec VPN:

SSL VPN to IPsec VPN

SSL VPN full tunnel for remote user
4220
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.