Support Forum
bvanhaastrecht
New Contributor II

How does [set split-tunneling-routing-negate] work?

Hi,

 

I'm trying to figure out how set split-tunneling-routing-negate works. The KB article is also not very helpful.

My goal is to route all traffic into the tunnel, but exclude some IP addresses. Current config without excludes:

split-tunneling : enable
split-tunneling-routing-negate : disable
split-tunneling-routing-address : "AllRanges"

(this is a range from 0.0.0.1-255.255.255.255, which is almost all, as you can't add 0.0.0.0/0 to a split tunnel config)

Now I want to exclude some ranges/IPs, so I need to enable split-tunneling-routing-negate, but then the split-tunneling-routing-address starts to work as the excludes list. So how can I combine split tunnel with destination ranges together with excluding some? I'm confused.

Kind regards, Bastiaan

sw2090
Honored Contributor

well if you want all traffic to go through the tunnel you don't need split tunneling at all.

You could filter the rest by policy.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

guillaume66

Hi, I have one question on SSL VPN, tunnel mode, split tunneling enabled.

I would like to use split tunneling for a /16 network but exclude some /24 networks (in the same range as the /16).

Example:
Any destination (web) should not go in the VPN tunnel (so I enabled split tunneling).
40.40.0.0/16 should go in the tunnel (added this network to split tunnel address).
40.40.10.0/24 should not go in the tunnel (split tunnelling exclusion ... how to do that?).

Should I use the negate? It looks like it is globally negating all the addresses configured and not only some addresses.

Customer has some public ranges inside his network that should be accessed via VPN and some other subnets that should be accessed directly from the endpoint internet connection.

Thanks for your help,
Guillaume
sw2090
Honored Contributor

I don't think this will work with split tunneling at all. Split tunneling means the client will get routes to the subnet(s) set in split tunneling pushed from the fortigate.

So if you set 40.40.0.0/16 (which is ipv4 class B) in there the client will get a route to 40.40.0.0/16 pushed.

That route also covers all smaller subnets beyond that class B which includes 40.40.10.0/24 (which is ipv4 class C).

So you cannot strike 40.40.10.0/24 by routing with that.

You would have to forbid that traffic by policy. Make one that covers traffic from VPN to 40.40.10.0/24 and forbids or drops it, and make sure it comes before any other policy that matches 40.40.0.0/16.

Then you cannot reach 40.40.10.0/24 from out of vpn but you can still reach the rest of 40.40.0.0/16 of course.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ChristianK
New Contributor

Hello,

You have to define an IP group you want to exclude, e.g. 'MS-Teams'.

Then you need the following 3 commands:

set split-tunneling enable
set split-tunneling-routing-negate enable
set split-tunneling-routing-address "MS-Teams"

That's it.

Default routing goes to the tunnel

The network from the group goes to the local breakout.

 

Thanks and best regards,

Christian

sw2090
Honored Contributor

Yes, with the consequence that then all non-local client traffic will go through the tunnel.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ChristianK

You can define in the group public ranges. These ranges will be routed to the local gateway and not through the tunnel.
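The replies above describe three behaviours: with split tunneling off everything enters the tunnel; with negate disabled the listed addresses are the routes pushed into the tunnel and a more specific prefix inside one of them cannot be carved out; with negate enabled the listed addresses bypass the tunnel and everything else goes in. The following script is an added example, not code from the thread or from Fortinet, that models that decision logic with Python's ipaddress module so each scenario from the thread can be replayed. It assumes FortiGate evaluates the address list exactly as the replies state (a plain membership test, no precedence between entries), and the 203.0.113.0/24 prefix is a constructed stand-in for the contents of the 'MS-Teams' group, which the thread does not list.

```python
import ipaddress

# Added example (not from the thread or Fortinet): a small model of the
# split-tunnel routing decision as the replies describe it. Entries use
# FortiGate-style notation: "a.b.c.d/n" or an iprange "start-end".


def parse_entry(entry):
    """Expand one address-object entry into a list of IPv4 networks."""
    if "-" in entry:
        start, end = (ipaddress.ip_address(s.strip()) for s in entry.split("-", 1))
        # An iprange such as 0.0.0.1-255.255.255.255 becomes a set of CIDR blocks.
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(entry, strict=False)]


def expand(routing_addresses):
    """Flatten every configured entry into networks."""
    return [net for entry in routing_addresses for net in parse_entry(entry)]


def next_hop(dst, split_tunneling, negate, routing_addresses):
    """Return 'tunnel' or 'local' for destination dst.

    - split-tunneling disable: everything goes into the tunnel (sw2090).
    - negate disable: listed addresses are routed INTO the tunnel, the rest
      leaves via the local gateway.
    - negate enable: listed addresses leave LOCALLY, everything else goes
      into the tunnel (ChristianK).
    """
    addr = ipaddress.ip_address(dst)
    if not split_tunneling:
        return "tunnel"
    listed = any(addr in net for net in expand(routing_addresses))
    if negate:
        return "local" if listed else "tunnel"
    return "tunnel" if listed else "local"


def is_covered(smaller, larger):
    """True when the pushed route 'larger' already contains 'smaller', i.e.
    the more specific prefix cannot be excluded by the address list alone."""
    return ipaddress.ip_network(smaller).subnet_of(ipaddress.ip_network(larger))


def scenarios():
    """Replay the configurations discussed in the thread."""
    all_ranges = ["0.0.0.1-255.255.255.255"]  # Bastiaan's "AllRanges" object
    ms_teams = ["203.0.113.0/24"]  # constructed stand-in for the 'MS-Teams' group
    return {
        # Bastiaan: negate disable + AllRanges -> everything (except 0.0.0.0)
        # tunnels, and there is no second list in which to express exclusions.
        "bastiaan_google_dns": next_hop("8.8.8.8", True, False, all_ranges),
        # Guillaume: 40.40.0.0/16 is pushed; the /24 inside it rides along.
        "guillaume_in_24": next_hop("40.40.10.5", True, False, ["40.40.0.0/16"]),
        "guillaume_in_16": next_hop("40.40.200.1", True, False, ["40.40.0.0/16"]),
        "guillaume_internet": next_hop("1.1.1.1", True, False, ["40.40.0.0/16"]),
        "covered": is_covered("40.40.10.0/24", "40.40.0.0/16"),
        # ChristianK: negate enable -> the group goes local, default into tunnel.
        "christian_group": next_hop("203.0.113.10", True, True, ms_teams),
        "christian_default": next_hop("8.8.8.8", True, True, ms_teams),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The model only answers the routing question. As sw2090 notes, carving 40.40.10.0/24 out of a pushed 40.40.0.0/16 is a job for a deny policy evaluated before the permit for the /16, so that traffic is dropped at the FortiGate even though the client still has the route.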
