Fortinet Forum
Arendtsen-BTCS
New Contributor

Inverted split tunnel VPN (FortiOS 6.4.6)

Hi,

 

I have gotten a very special request, and I can't figure out whether it is possible by some kind of magic.

What is wanted is that all traffic except MS Teams traffic is routed through the Fortigate and Teams traffic is directly accessed.


It's a Fortigate 200E with firmware 6.4.6 and the free vpn client going over ssl-vpn.

 

Is there any way to achieve this?




1 Solution
vdralio
Staff

Hi @Arendtsen-BTCS 

 

Please follow the article below:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-tunnel-mode-negating-split-tunneli...

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-negate-exclude-address-from-Routing...

 

After enabling the split-tunneling-routing-negate option, it is possible to add the routing-address 'Addr' to be negated either using the GUI or the CLI.
Note that when the option is enabled, ALL routing-address objects will be negated.

There is no option of using mixed addresses (negated and un-negated).
Using ISDB addresses is also not an option.

 

Best Regards,

Vasil
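
The negated split tunnel described in the reply above, sketched as FortiOS CLI; this is an added example, not part of the original post or the linked articles. The address and group names, the documentation-range subnets standing in for the Teams destinations, and the portal name "full-access" are assumptions.

```fortios
# Constructed placeholder objects: replace the subnets with the Teams
# ranges that should bypass the tunnel (ISDB entries cannot be used here).
config firewall address
    edit "teams-direct-1"
        set subnet 198.51.100.0 255.255.255.0
    next
    edit "teams-direct-2"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall addrgrp
    edit "teams-direct"
        set member "teams-direct-1" "teams-direct-2"
    next
end
# Portal name is an assumption; use the SSL-VPN portal your users land on.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling enable
        # Inverts the meaning of the list below: everything EXCEPT these
        # destinations is routed through the tunnel.
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "teams-direct"
    next
end
```

With negate enabled, every object in split-tunneling-routing-address is excluded from the tunnel, so traffic to those destinations leaves the client directly and is not inspected by the FortiGate.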

Arendtsen-BTCS

That is what I suspected. Thank you.

vdralio

Dear @Arendtsen-BTCS ,

 

Yes, this has some limitations for the moment.

 

If you want this feature in the FortiGate, you can request it as a new feature.
To submit a request, you will need to contact your Sales Engineer. They can take in your request and submit it to development, but this does not guarantee that the new feature will be implemented; it will depend on the demand or need for the feature.
Please update me further.

If you require this feature, this has to be addressed through an NFR.
Please be informed that New Feature Requests need to be worked on with the Systems Engineer (SE) that covers your territory.
http://www.fortinet.com/aboutus/locations.html

Alternatively, it can be done through Regional Sales Partner Channel
http://www.fortinet.com/partners/reseller_locator/locator.html

 

Best Regards,

Vasil