Created on 01-20-2021 10:34 PM
Edited on 03-03-2025 12:13 AM
By Jean-Philippe_P
Description
This article describes the option to negate the split tunneling 'Routing Address', introduced in FortiOS 6.4.0. The option is available exclusively through the CLI and supports both IPv4 and IPv6.
It also requires a compatible FortiClient (at least v6.4.0).
Related document:
Changes in CLI - FortiOS 6.4 release notes
Scope
FortiGate v6.4 and above.
Solution
From CLI:
config vpn ssl web portal
    edit "tunnel-portal name"
        set split-tunneling-routing-negate [enable | disable]        <----- Added.
        set ipv6-split-tunneling-routing-negate [enable | disable]   <----- Added.
    next
end
After enabling split-tunneling-routing-negate, all traffic except the negated routes goes through the tunnel. Once the option is enabled, ALL routing-address objects are negated.
Mixing negated and non-negated addresses is not possible, and ISDB (Internet Service Database) objects cannot be used as routing addresses.
To add Routing Address objects from CLI:
config vpn ssl web portal
    edit "tunnel-portal name"
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "Addr"   ----> Traffic to the defined address object will not go through the FortiGate once the VPN is connected.
    next
end
Note:
When 'split-tunneling-routing-negate' is enabled, 'split-tunneling-routing-address' functions as an exclusion list, i.e. any address that must not be routed via the FortiGate can be added here.
When split-tunneling is enabled, the destination of the firewall policy for SSL VPN traffic cannot be 'All'.
It is possible to negate the same address group in the firewall policy. To see this option in the GUI, go to System -> Feature Visibility and enable 'Policy Advanced Options'.
CLI:
config firewall policy
    edit 29
        set srcintf "ssl.root"
        set dstintf "SERVER"
        set srcaddr "all"
        set dstaddr-negate enable
        set dstaddr "Addr"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set groups "VPN_Users"
    next
end
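As an added worked example that is not part of the Fortinet article, the Python below parses portal and policy snippets written in this CLI syntax, models which destinations enter the tunnel with negate on or off (IPv4 judged by the plain keys, IPv6 by the ipv6-* keys), and checks the firewall policy against the two rules in the Note above: the destination must not be 'all' when split tunneling is on, and a negated portal exclusion list should be mirrored by dstaddr-negate with the same object. The members of the "Addr"/"Addr6" objects, the portal name and the function names are assumptions made for this example.

```python
import ipaddress
import re

# Constructed data for this example: the article does not list the members of
# the "Addr" object, so these prefixes are assumptions (RFC 5737 / 3849 ranges).
ADDRESS_OBJECTS = {
    "Addr": ["192.0.2.0/24", "198.51.100.0/24"],   # assumed IPv4 members
    "Addr6": ["2001:db8:1::/64"],                   # assumed IPv6 members
    "all": ["0.0.0.0/0"],
}

# Constructed portal and policy snippets in FortiOS CLI syntax.
PORTAL_CONFIG = """
config vpn ssl web portal
    edit "tunnel-portal"
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "Addr"
        set ipv6-split-tunneling enable
        set ipv6-split-tunneling-routing-negate enable
        set ipv6-split-tunneling-routing-address "Addr6"
    next
end
"""

POLICY_CONFIG = """
config firewall policy
    edit 29
        set srcintf "ssl.root"
        set dstintf "SERVER"
        set srcaddr "all"
        set dstaddr-negate enable
        set dstaddr "Addr"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_settings(block: str) -> dict:
    """Collect every 'set <key> <value...>' line of one edit block into a dict.
    Quoted values are unquoted; a line carrying several values yields a list."""
    settings = {}
    for m in re.finditer(r"^\s*set\s+(\S+)\s+(.+?)\s*$", block, re.M):
        key, raw = m.groups()
        values = re.findall(r'"([^"]*)"', raw) or [raw]
        settings[key] = values if len(values) > 1 else values[0]
    return settings


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def routes_via_tunnel(portal: dict, dst: str) -> bool:
    """Model the client-side decision: does traffic to dst enter the SSL VPN
    tunnel? IPv6 destinations are judged by the ipv6-* keys, IPv4 by the
    unprefixed ones, mirroring the two key families in the portal CLI."""
    ip = ipaddress.ip_address(dst)
    prefix = "ipv6-" if ip.version == 6 else ""
    if portal.get(prefix + "split-tunneling") != "enable":
        return True  # no split tunneling: everything is tunnelled
    names = _as_list(portal.get(prefix + "split-tunneling-routing-address"))
    listed = any(ip in ipaddress.ip_network(p)
                 for n in names for p in ADDRESS_OBJECTS[n])
    negate = portal.get(prefix + "split-tunneling-routing-negate") == "enable"
    # Negate on: the routing addresses are an exclusion list and everything
    # else is tunnelled. Negate off: only the routing addresses are tunnelled.
    return not listed if negate else listed


def check_policy(portal: dict, policy: dict) -> list:
    """Return findings for an SSL VPN firewall policy that does not match the
    portal's split-tunneling settings (empty list means consistent)."""
    findings = []
    dstaddr = _as_list(policy.get("dstaddr"))
    if portal.get("split-tunneling") == "enable" and dstaddr == ["all"]:
        findings.append("dstaddr is 'all' although split tunneling is enabled")
    if portal.get("split-tunneling-routing-negate") == "enable":
        if policy.get("dstaddr-negate") != "enable":
            findings.append("portal negates routing addresses but dstaddr-negate is not enabled")
        if set(dstaddr) != set(_as_list(portal.get("split-tunneling-routing-address"))):
            findings.append("policy dstaddr does not match the portal exclusion list")
    return findings


PORTAL = parse_settings(PORTAL_CONFIG)
POLICY = parse_settings(POLICY_CONFIG)

if __name__ == "__main__":
    for dst in ("192.0.2.10", "203.0.113.5", "2001:db8:1::5", "2001:db8:2::5"):
        print(dst, "-> tunnel" if routes_via_tunnel(PORTAL, dst) else "-> local")
    print("policy findings:", check_policy(PORTAL, POLICY) or "none")
```

With negate enabled, 192.0.2.10 and 2001:db8:1::5 (members of the routing objects) stay local while 203.0.113.5 and 2001:db8:2::5 enter the tunnel; flipping split-tunneling-routing-negate to disable inverts the IPv4 outcome, which is the behaviour the text describes. The policy check is a convenience for catching a portal and policy that drifted apart; FortiOS itself does not enforce that pairing.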
GUI: (screenshot of the same policy with the negated destination address; image not reproduced here)