| Description | This article describes a behavior change in the SSL VPN regarding split tunnel. |
| Scope | FortiOS 7.2.8 through 7.2.10, SSL VPN, Split Tunnel. |
| Solution | See below. |

For versions before 7.2.8, FortiGate showed the following warning in the CLI and GUI when the destination was set to 'all' on a firewall policy matching a group with split tunneling enabled:

From v7.2.8 through v7.2.10 this behavior changed and the policy is accepted without the warning:

In simple terms, a firewall policy with 'all' as the destination address turns the SSL VPN into a full tunnel, because 'all' resolves to 0.0.0.0/0.

When checking the routing table on the host connected to the SSL VPN, notice that the SSL VPN client has injected a new default route:

Also take into account that when the destination is 'all', the SSL VPN installs a default route with a lower (that is, preferred) metric, so all of the host's traffic is sent through the tunnel. If no firewall policy allows traffic from the SSL VPN interface to the WAN, the user loses internet access. Applying the correct destination subnets to the SSL VPN policy is therefore recommended.

Note: No change is planned for v7.2.x to prevent an administrator from applying destination 'all' to a firewall policy that matches groups with split tunneling enabled; this has already been adjusted starting from v7.4.0.
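The following is an added example, not part of the Fortinet article or FortiOS itself: a small Python audit that parses a `show firewall policy` dump and flags accept policies sourced from an SSL VPN interface with destination 'all', the configuration this article warns about. The policy IDs, address objects and group names in the sample dump are constructed.

```python
"""Audit a FortiOS 'show firewall policy' dump for SSL VPN policies whose destination
is 'all': 7.2.8-7.2.10 accept them silently and they turn split tunnel into full tunnel."""
import re
# Constructed sample dump (hypothetical policy IDs, objects and groups, not from a real unit).
SAMPLE_CONFIG = """config firewall policy
    edit 10
        set srcintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_10.10.0.0/16"
        set groups "sslvpn-users"
        set action accept
    next
    edit 11
        set srcintf "ssl.root"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sslvpn-users"
        set action accept
    next
    edit 12
        set srcintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} from the dump."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"edit (\d+)$", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            # Quoted object names become a list; bare keywords such as 'accept' stay as one value.
            current[m.group(1)] = re.findall(r'"([^"]*)"', m.group(2)) or [m.group(2)]
    return policies

def find_full_tunnel_policies(text):
    """IDs of accept policies from an SSL VPN interface with dstaddr 'all' (0.0.0.0/0 pushed)."""
    flagged = []
    for pid, p in parse_policies(text).items():
        from_sslvpn = any(i.startswith("ssl.") for i in p.get("srcintf", []))
        if from_sslvpn and "all" in p.get("dstaddr", []) and p.get("action") == ["accept"]:
            flagged.append(pid)
    return flagged
```

Policy 12 also uses 'all' but is not sourced from the SSL VPN interface, so it is not flagged; only policy 11 would push a default route to the tunnel clients.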