Fortinet Forum
GersonLestrange
New Contributor II

SSL VPN FQDN

Keeping the Split Tunneling routing address blank in the SSL-VPN portal, to be able to use FQDN addresses.

So does my collaborator's internet traffic go out through the FortiGate, or through the internet from his own home?

With Split Tunneling left blank, when I check the IP the client is going out to the internet with, it is the company's IP. Is internet traffic going all the way through the FortiGate?

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-to-Specific-FQDN-using-Split-Tunnel...


8 Replies
Toshi_Esumi
Esteemed Contributor II

Not sure if that's a statement or a question. Checking your IP with something like "What is my IP" at Google doesn't prove the FQDN is working, because the test's destination is Google, not the FQDN. You need to traceroute to the FQDN using the same DNS server your FGT is using.

Or just check the routing table on your client machine, as described in the KB.

Toshi

GersonLestrange

Let me clarify.

When I'm using Split Tunneling left blank, if I query my internet IP, it shows me the IP of the company's WAN.


When I'm using Split Tunneling with addresses in the Routing Address, if I query my internet IP, it shows me the IP of my carrier's WAN at home.


GersonLestrange

Using Split Tunneling blank, is all my traffic going through the VPN?

Debbie_FTNT

Hey Gerson,

It seems likely that when you enable split-tunneling but DON'T specify a routing address, all traffic goes through the VPN.

You could check the routing table on your PC.

For Windows for example, open the command prompt and type 'route print'

-> it should include a route with destination 0.0.0.0 and interface your SSLVPN tunnel IP, if all traffic is routed via the VPN

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
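A way to run the check Debbie describes, as an added example that is not code from the thread or from Fortinet: it parses the active IPv4 routes out of Windows `route print` output and reports whether the best default route leaves through the SSL VPN adapter (full tunnel) or only a list of pushed prefixes does (split tunnel). It goes a little beyond her check by also comparing metrics and recognising a 0.0.0.0/1 + 128.0.0.0/1 covering pair. The tunnel address 10.212.134.200 and both route tables are constructed samples; on a real client, feed the output of `route print -4` to `analyse()` together with the adapter's address from `ipconfig`. Python 3.9 or newer.

```python
# Added example (not from the thread or Fortinet): classify a Windows SSL-VPN client's
# tunnel mode from `route print` output. Tunnel address and route tables are constructed.
import re
from dataclasses import dataclass
from ipaddress import IPv4Network

@dataclass(frozen=True)
class Route:
    network: IPv4Network
    gateway: str    # next hop, or "On-link" for directly connected routes
    interface: str  # `route print` identifies the interface by its IPv4 address
    metric: int

# One "Active Routes" row: destination, netmask, gateway, interface, metric.
ROUTE_RE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)"
                      r"\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$")

def parse_route_print(text: str) -> list[Route]:
    """Return the active IPv4 routes; persistent and IPv6 sections are skipped."""
    routes, in_ipv4 = [], False
    for line in text.splitlines():
        if line.startswith("IPv4 Route Table"):
            in_ipv4 = True
        elif line.startswith(("Persistent Routes", "IPv6 Route Table")):
            in_ipv4 = False
        elif in_ipv4 and (m := ROUTE_RE.match(line)):
            dest, mask, gateway, iface, metric = m.groups()
            routes.append(Route(IPv4Network(f"{dest}/{mask}", strict=False),
                                gateway, iface, int(metric)))
    return routes

def pushed_prefixes(routes: list[Route], tunnel_ip: str) -> list[str]:
    """Destinations routed into the tunnel, minus the adapter's own plumbing.
    Caveat: an adapter with a real subnet mask also gets connected-subnet and
    broadcast routes; filter those with its mask (the samples use a /32)."""
    skip = {IPv4Network(f"{tunnel_ip}/32"), IPv4Network("255.255.255.255/32")}
    pushed = {r.network for r in routes
              if r.interface == tunnel_ip
              and r.network.prefixlen > 1  # /0 and /1 mean "everything", see analyse()
              and not r.network.is_multicast
              and r.network not in skip}
    return [str(n) for n in sorted(pushed)]

def analyse(text: str, tunnel_ip: str) -> dict:
    """Windows picks longest prefix first, lowest metric second: a 0.0.0.0/0 on the
    tunnel wins only if its metric beats the LAN default, and a 0.0.0.0/1 +
    128.0.0.0/1 pair (a trick some VPN clients use) beats any /0 outright."""
    routes = parse_route_print(text)
    defaults = [r for r in routes if r.network.prefixlen == 0]
    best = min(defaults, key=lambda r: r.metric, default=None)
    halves = {r.network for r in routes if r.interface == tunnel_ip and r.network.prefixlen == 1}
    pushed = pushed_prefixes(routes, tunnel_ip)
    if (best is not None and best.interface == tunnel_ip) or \
            halves == {IPv4Network("0.0.0.0/1"), IPv4Network("128.0.0.0/1")}:
        mode = "full"
    else:
        mode = "split" if pushed else "none"
    return {"mode": mode, "default_route_via": best.interface if best else None, "pushed": pushed}

TUNNEL_IP = "10.212.134.200"  # assumed tunnel adapter address; on a real client read it from ipconfig

# Constructed: routing address left blank, a tunnel default route with the lowest metric.
FULL_TUNNEL_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     35
          0.0.0.0          0.0.0.0         On-link    10.212.134.200      1
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    291
        224.0.0.0        240.0.0.0         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link    10.212.134.200    257
===========================================================================
Persistent Routes:
  None
"""

# Constructed: a subnet and a single host (e.g. a resolved FQDN) pushed, default stays on the LAN.
SPLIT_TUNNEL_SAMPLE = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     35
        10.10.0.0      255.255.0.0         On-link    10.212.134.200      1
   10.212.134.200  255.255.255.255         On-link    10.212.134.200    257
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    291
     203.0.113.25  255.255.255.255         On-link    10.212.134.200      1
        224.0.0.0        240.0.0.0         On-link    10.212.134.200    257
  255.255.255.255  255.255.255.255         On-link    10.212.134.200    257
===========================================================================
Persistent Routes:
  None
"""

if __name__ == "__main__":
    for label, table in (("blank", FULL_TUNNEL_SAMPLE), ("set", SPLIT_TUNNEL_SAMPLE)):
        print(f"routing address {label}: {analyse(table, TUNNEL_IP)}")
```

The metric comparison is what makes the answer reliable: a 0.0.0.0 entry on the tunnel adapter only carries traffic if it also has the lowest metric among the default routes, so the mere presence of that entry in `route print` is not proof of a full tunnel.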
sw2090
Honored Contributor

I am wondering why FortiOS even allows that setting, as it is completely useless to enable split tunneling without setting anything.

However, it seems to treat that as if it were disabled.

That means with split tunneling on with no setting (or disabled), all traffic will go through the VPN because it will modify your default route.

If you enable split tunneling and set some subnet in there, it will not touch your default route but push routes to the subnets you specified there.

For that it does not matter whether you use an FQDN or an IP as the remote gateway.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

pminarik

When the split-route list is left empty, the FortiGate is supposed to automatically generate a list of routes based on the destination address objects in relevant SSL-VPN firewall policies. (I am not sure if it accepts all types of address objects, e.g. IP ranges)

[ corrections always welcome ]
Toshi_Esumi
Esteemed Contributor II

I agree with pminarik, because we use it for one of our customers. You probably didn't set the SSL-VPN policy correctly. Read the KB again or show us what the policy looks like.

Toshi

GersonLestrange
New Contributor II

Staff is just that.

When Split Tunneling is enabled and blank, VPN traffic will only be directed to the addresses in the FortiGate VPN rule.

Any other access that is not in the rule will go through the user's internet.

It adds a 0.0.0.0 route to my interface, and other routes to the addresses set in the VPN rule in the FortiGate.

The article is perfect. I did all the simulations and it served the purpose of keeping Split Tunneling blank.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-to-Specific-FQDN-using-Split-Tunnel...