Description
This article describes how to negate (exclude) addresses listed under 'Routing Address' when SSL-VPN split tunneling is enabled, so that traffic to those addresses is not sent through the tunnel.
Scope
FortiGate.
Solution
The option is only available in the CLI.
config vpn ssl web portal
    Description: Portal.
    edit <name>
        set tunnel-mode [enable|disable]
        set split-tunneling [enable|disable] <-- Once enabled, 'Routing Address' becomes visible.
        set split-tunneling-routing-negate [enable|disable] <-- Must be enabled so that the addresses in 'Routing Address' are excluded from the tunnel instead of being routed into it.
        set split-tunneling-routing-address <name1> <name2> ... <-- The address objects (or address groups) to exclude from routing; multiple names are space-separated.
    next
end
For example, to exclude Office365 traffic from the tunnel, perform the following steps:
1) Enable 'split-tunneling'.
2) Enable 'split-tunneling-routing-negate'.
3) Add the address object (or address group) for Office365 under 'split-tunneling-routing-address'.
Note: while split-tunneling is enabled, the FortiGate uses the destination addresses of the SSL-VPN firewall policy to determine which subnets to push to the client.
Because split tunneling is in use, 'all' cannot be used as the destination in that policy to push a default route.
To work around this, configure the firewall policy with the addresses to be negated as its destination address and enable 'dstaddr-negate' in the CLI.
The policy then matches every destination except those addresses, so all other outgoing traffic uses it.
config firewall policy
    edit <policyid>
        set dstaddr-negate enable
    next
end
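The three steps above and the 'dstaddr-negate' policy, put together as one complete configuration. This is an added example and is not part of the original article: the address prefixes (RFC 5737 documentation ranges standing in for the real Office365 endpoint list), the object names, the portal name, the interface names, the user group and the policy ID are all assumptions chosen for illustration.

```text
# Added example, not from the original article. Names, prefixes, interfaces
# and the policy ID are placeholders; replace them with your own values.

# 1. Address objects for the Office365 ranges, collected in one group.
#    (The two prefixes are documentation ranges, not real O365 endpoints.)
config firewall address
    edit "O365-net1"
        set subnet 203.0.113.0 255.255.255.0
    next
    edit "O365-net2"
        set subnet 198.51.100.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "O365-Exclude"
        set member "O365-net1" "O365-net2"
    next
end

# 2. Portal: split tunneling with negate, referencing the group to exclude.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "O365-Exclude"
    next
end

# 3. SSL-VPN firewall policy: destination is the excluded group with
#    dstaddr-negate enabled, so the policy matches every other destination
#    and the client receives routes for the remaining traffic.
config firewall policy
    edit 10
        set name "SSLVPN-negate-O365"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "O365-Exclude"
        set dstaddr-negate enable
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "SSLVPN-Users"
        set nat enable
    next
end
```

After connecting with a supported FortiClient version, the client's routing table should contain routes for the tunnel traffic but none for the prefixes in "O365-Exclude", which confirms that the negate setting took effect.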
The following FortiClient versions support the split-tunneling-routing-negate feature:
Windows FortiClient v6.4.0 and later.
Mac FortiClient v7.0.1 and later.
Note: Internet Service (ISDB) objects, such as the built-in Office365 services, are not supported as split tunneling routing addresses. It is therefore necessary to manually build an address group that includes all of the O365 addresses.
Related article:
Technical Tip: How to negate/exclude address from 'Routing Address' under split tunnel SSL VPN.
Copyright 2024 Fortinet, Inc. All Rights Reserved.