FortiGate
saleha
Staff & Editor
Article Id 317584
Description

This article describes how split tunneling works when the split tunneling option of an SSL VPN portal is set to 'Enabled Based on Policy Destination', and how the portal a user lands on determines the routes pushed to the client.

Scope
FortiGate.
Solution
  • When 'Enabled Based on Policy Destination' is selected in a portal, every user who lands on that portal has the 'Destination' field of the matching firewall policies (those whose incoming interface is the SSL VPN interface) injected into the routing table of their PC. Only traffic to those destinations is routed through the tunnel to the FortiGate; everything else uses the client's normal routes.



  • In FortiOS 7.2.8 through 7.2.10, 'all' is accepted as the destination of such a policy. This has the same effect as disabling split tunneling: all of the client's traffic is sent through the VPN.
  • In other versions, the FortiGate rejects 'all' as the destination and returns an error. More details can be found here: Technical Tip: SSL VPN firewall policy allows destination 'all' for groups with split tunnel enabled....
  • With specific destinations, the user's internet traffic leaves through the home or remote office ISP directly rather than through the ISP connected to the FortiGate. Only traffic to the destinations allowed by firewall policies with ssl.root as the 'incoming interface' goes through the tunnel.
  • If a user account belongs to several user groups and each group is mapped to a different portal, the first group the authentication daemon matches for that user is the one used for the policy lookup. This can be verified with the commands at the end of this article.
  • This matters for split-tunneling SSL VPN portals: the user authenticates according to the order of the firewall policies that have that user group as the source, and the subnets pushed to the client are taken from the policies matching the group or portal the user connected with. A user who lands on an unexpected portal therefore receives the wrong split-tunnel routes (too few, too many, or all traffic through the tunnel).
    This article covers the behavior in more detail: Technical Tip: A quick guide to FortiGate SSL VPN authentication and common issues and misunderstand....
  • Common commands to troubleshoot users landing on the wrong SSL VPN portal. Start the debug before the user connects, reproduce the login, then stop the debug:

exec vpn sslvpn list                 <----- Lists connected SSL VPN users with the group they were matched to.
diag debug application sslvpn -1     <----- SSL VPN daemon: group and portal selection, tunnel setup.
diag debug application fnbamd -1     <----- In case of local user accounts (fnbamd also handles LDAP lookups).
diag debug application radiusd -1    <----- RADIUS user accounts.
diag debug application samld -1      <----- In case of SAML authentication.
diag debug console time en           <----- Timestamps on each debug line.
diag debug en                        <----- Starts the debug output.

When finished, run 'diag debug disable' and 'diag debug reset' so the debug output does not keep consuming CPU on the unit.
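As an added example (not part of the original article), the following FortiOS CLI configuration shows the three pieces that together produce the behavior described above: a tunnel-mode portal with split tunneling enabled and no explicit routing address (which the GUI labels 'Enabled Based on Policy Destination'), an authentication rule mapping a group to that portal, and a firewall policy from ssl.root whose 'Destination' becomes the route pushed to the client. All object names (split-portal, vpn-users, LAN_NET, port2, SSLVPN_TUNNEL_ADDR1), the rule and policy IDs, and the mapping of the GUI option to 'split-tunneling enable' without a 'split-tunneling-routing-address' are assumptions made for this example.

```text
# Added example, not from the original article. Object names and IDs are
# placeholders; adapt them to the local configuration.

# 1. Portal: tunnel mode, split tunneling enabled, no routing address.
#    Assumption: this is what the GUI shows as 'Enabled Based on Policy
#    Destination'. The routes pushed to the client come from the firewall
#    policies below, not from the portal itself.
config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set split-tunneling enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 2. Map the user group to the portal. Authentication rules are matched
#    top-down, so a user who is in several groups gets the portal of the
#    first rule that matches, which is the ordering issue the article
#    describes. Put the more specific group first.
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "split-portal"
        next
    end
end

# 3. Firewall policy from the SSL VPN interface. Only LAN_NET (the
#    'Destination' field) is injected into the client's routing table;
#    all other client traffic leaves via the user's local ISP.
#    Setting dstaddr to "all" here is rejected with an error except on
#    FortiOS 7.2.8-7.2.10, where it behaves like split tunneling disabled.
config firewall policy
    edit 10
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN_NET"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

To verify the result, connect a user from vpn-users and inspect the routing table on the client: only the LAN_NET prefix should appear behind the tunnel adapter, and the client's default route should be unchanged. If a second policy from ssl.root with another destination is added for the same group, that destination is pushed as well; if the user matches a different authentication rule than expected, the routes will come from that rule's portal and policies, which is what the debug commands above reveal.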