pciurea
Staff
Article Id 196273

Description


This article describes the option to negate the split tunneling 'Routing Address', introduced in FortiOS 6.4.0. The option is available only through the CLI, and it supports both IPv4 and IPv6.
This option also requires a compatible FortiClient (6.4.0 or later).


Related document:
Changes in CLI - FortiOS 6.4 release notes.


Scope


FortiOS v6.4 and above.

Solution


From CLI:


config vpn ssl web portal
    edit "tunnel-portal name"
        set split-tunneling-routing-negate [enable | disable]       <----- Added in 6.4.0.
        set ipv6-split-tunneling-routing-negate [enable | disable]  <----- Added in 6.4.0.
    next
end


After enabling the split-tunneling-routing-negate option, all traffic except the negated routes goes through the tunnel.
Note that when the option is enabled, ALL routing-address objects of the portal are negated.

Mixed addresses (negated and un-negated) in the same portal are not supported.
ISDB addresses cannot be used as routing addresses either.

To add Routing Address objects from CLI:


config vpn ssl web portal
    edit "tunnel-portal name"
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "Addr"   <----- Traffic to this address object is not sent to the FortiGate once the VPN is connected.
    next
end


Note:

When 'split-tunneling-routing-negate' is enabled, 'split-tunneling-routing-address' functions as an exclusion list: any address that must not be routed via the FortiGate is added here.


When split tunneling is enabled, the destination of the firewall policy for SSL VPN traffic cannot be 'all'. The same address group can be negated in the firewall policy as well. To see this option in the GUI, go to System -> Feature Visibility and enable 'Policy Advanced Options'.


config firewall policy
    edit 1
        set dstaddr-negate enable
        set dstaddr "Addr"
    next
end
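The following Python model is an added illustration, not FortiOS code or anything from the article's author. It shows the semantics described above: with the negate option disabled, 'split-tunneling-routing-address' lists what goes into the tunnel; with it enabled, the same list becomes an exclusion list and everything else is tunneled, with the IPv4 and IPv6 flags decided separately. It also models the 'dstaddr-negate' firewall policy and checks that the policy matches exactly the traffic the portal tunnels, which is the consistency a practitioner wants between the two settings. Class and function names, and the sample prefixes, are assumptions made for this example.

```python
# Added illustration (not FortiOS code): a model of how the SSL-VPN portal's
# split-tunneling-routing-negate option inverts the meaning of the
# split-tunneling-routing-address list, and how a firewall policy with
# dstaddr-negate mirrors that exclusion list. Names are assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_prefixes(prefixes: List[str]) -> List[IPNetwork]:
    """Turn address-object members such as '10.10.0.0/16' into network objects."""
    return [ipaddress.ip_network(p, strict=False) for p in prefixes]


def _listed(dst: str, prefixes: List[IPNetwork]) -> bool:
    """True if dst falls inside any prefix of the same IP version."""
    ip = ipaddress.ip_address(dst)
    return any(ip in net for net in prefixes if net.version == ip.version)


@dataclass
class SslVpnPortal:
    """Relevant fields of 'config vpn ssl web portal' (names follow the CLI keywords)."""
    split_tunneling_routing_address: List[IPNetwork] = field(default_factory=list)
    split_tunneling_routing_negate: bool = False       # applies to IPv4 routes
    ipv6_split_tunneling_routing_negate: bool = False  # applies to IPv6 routes

    def routes_through_tunnel(self, dst: str) -> bool:
        """Decide whether traffic to dst is sent into the SSL-VPN tunnel."""
        ip = ipaddress.ip_address(dst)
        negate = (self.ipv6_split_tunneling_routing_negate if ip.version == 6
                  else self.split_tunneling_routing_negate)
        listed = _listed(dst, self.split_tunneling_routing_address)
        # negate enabled: the list is an exclusion list, everything else tunnels;
        # negate disabled: only the listed destinations tunnel.
        return (not listed) if negate else listed


@dataclass
class FirewallPolicy:
    """The dstaddr / dstaddr-negate part of a 'config firewall policy' entry."""
    dstaddr: List[IPNetwork]
    dstaddr_negate: bool = False

    def matches_destination(self, dst: str) -> bool:
        listed = _listed(dst, self.dstaddr)
        return (not listed) if self.dstaddr_negate else listed


def policy_mirrors_portal(portal: SslVpnPortal, policy: FirewallPolicy,
                          samples: List[str]) -> bool:
    """True when, for every sample destination, the policy matches exactly the
    traffic the portal tunnels. False means the portal's exclusion list and
    the negated policy destination have drifted apart."""
    return all(portal.routes_through_tunnel(d) == policy.matches_destination(d)
               for d in samples)


def render_portal_cli(name: str, portal: SslVpnPortal, addr_object: str) -> str:
    """Produce the portal CLI lines shown in the article for this configuration."""
    def onoff(flag: bool) -> str:
        return "enable" if flag else "disable"
    return "\n".join([
        "config vpn ssl web portal",
        f'    edit "{name}"',
        f"        set split-tunneling-routing-negate {onoff(portal.split_tunneling_routing_negate)}",
        f"        set ipv6-split-tunneling-routing-negate {onoff(portal.ipv6_split_tunneling_routing_negate)}",
        f'        set split-tunneling-routing-address "{addr_object}"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    # Constructed sample: keep 10.10.0.0/16 and 2001:db8::/32 out of the tunnel,
    # everything else is routed via the FortiGate.
    excluded = parse_prefixes(["10.10.0.0/16", "2001:db8::/32"])
    portal = SslVpnPortal(excluded, split_tunneling_routing_negate=True,
                          ipv6_split_tunneling_routing_negate=True)
    policy = FirewallPolicy(parse_prefixes(["10.10.0.0/16"]), dstaddr_negate=True)
    for dst in ["10.10.1.5", "192.0.2.10", "2001:db8::1", "2001:db9::1"]:
        print(dst, "-> tunnel" if portal.routes_through_tunnel(dst) else "-> local")
    print("policy mirrors portal:",
          policy_mirrors_portal(portal, policy, ["10.10.1.5", "192.0.2.10"]))
    print(render_portal_cli("tunnel-portal", portal, "Excluded-Nets"))
```

Running the block prints the per-destination decision for the constructed sample and the generated CLI; `policy_mirrors_portal` returns False as soon as the portal tunnels a destination the negated policy does not match (or the reverse), which is the case to look for after changing either the address object or the negate flags.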