krzysztof
New Contributor

SSL VPN split tunneling issue - how to enable split tunneling only for a few subnets?

Hello,

I would like to create a simple configuration for remote SSL VPN:

I want the remote user to use split tunneling only for a few subnets (let's say YouTube, Office 365, Teams, etc.), and the rest of the traffic should go into the corporate network (through the tunnel).

Actually, I am not able to achieve this goal.

The opposite configuration is straightforward (i.e. the whole remote user's traffic breaks out locally and only a few networks go into the tunnel).

Unfortunately, this is not what I need...

I tried to use a "DENY" rule to exclude particular subnets from being tunneled and allow all the rest. But it didn't seem to work properly.

At the moment we don't use split tunneling in our network at all.

My idea is to enable it only for specific subnets on the Internet (to take some load off the corporate backbone) and have the rest of the traffic (Internet traffic included) inspected by the corporate FortiGate.

Please let me know if you have any ideas on how to address it.

Firmware I use:

FortiClient 6.2.7, FortiGate 6.0.11

Regards,

Krzysztof
5 REPLIES
waltvs
New Contributor

Hi,

Did a quick search now, and it seems this functionality was introduced in v6.4:

https://docs.fortinet.com/document/forticlient/6.4.0/new-features/234887/application-based-split-tun...

Hope you have a model that supports the 6.4 branch. :)

HaTiMuX
New Contributor III

Hi,

You can use the following commands:

    config vpn ssl web portal
        edit "Split"
            set tunnel-mode enable
            set split-tunneling-routing-negate enable
            set split-tunneling-routing-address "Split-Group-Not-to-Use"
        next
    end

The command is only available in FortiOS 6.4.

Ref: https://kb.fortinet.com/k....do?externalID=FD49267
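The negate approach written out as a complete FortiOS 6.4 configuration, added here as an illustration rather than taken from the reply or the KB article. The address names, the two TEST-NET subnets and the "Corporate-Nets" group are constructed placeholders; the second portal shows the default, non-negated behaviour for comparison.

```fortios
# Added example (not from the post). Needs FortiOS 6.4: the
# split-tunneling-routing-negate option does not exist in 6.0/6.2.
# Subnets are placeholder TEST-NET ranges, not real service IPs.

# 1. Address objects for the destinations that should bypass the tunnel
config firewall address
    edit "Bypass-Service-A"
        set subnet 198.51.100.0 255.255.255.0
    next
    edit "Bypass-Service-B"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# 2. Group them so the portal references a single object
config firewall addrgrp
    edit "Split-Group-Not-to-Use"
        set member "Bypass-Service-A" "Bypass-Service-B"
    next
end

# 3. Portal with NEGATED routing address: everything except the group
#    is routed into the tunnel and inspected by the corporate FortiGate
#    (the behaviour the original poster asked for).
config vpn ssl web portal
    edit "Split"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "Split-Group-Not-to-Use"
    next
end

# 4. For comparison, the default (non-negated) form, i.e. the "opposite"
#    configuration the poster describes as easy: only the listed
#    destinations are pushed as tunnel routes, all other traffic leaves
#    the client locally. Assumes an address group "Corporate-Nets" exists.
config vpn ssl web portal
    edit "Split-ListOnly"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-negate disable
        set split-tunneling-routing-address "Corporate-Nets"
    next
end
```

After connecting with the "Split" portal, check the client's routing table: the default route should point at the tunnel adapter while only the two placeholder subnets are routed via the local gateway.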

krzysztof

Guys, thanks for your suggestion! It looks like a valid solution.

The only problem is that we probably will not be upgrading to 6.4.4 any time soon.

Unfortunately, Fortinet has a pretty bad reputation regarding the quality/stability of their newest firmware versions ;-(

At this point I am trying to find a workaround in 6.0.11 (or 6.2.7).

Regards,

Krzysztof

ForMar
New Contributor

This sounds like a valid option, but I'm a FortiGate noob.

How to negate/exclude address from 'Routing Address' under split tunnel SSL VPN (fortinet.com)

I'm such a noob that I have difficulty telling if a question is already answered :-}

krzysztof

ForMar wrote:

    This sounds like a valid option, but I'm a FortiGate noob.

    How to negate/exclude address from 'Routing Address' under split tunnel SSL VPN (fortinet.com)

    I'm such a noob that I have difficulty telling if a question is already answered :-}

Hello,

It is a good solution by all means. The only issue is that this feature is available only in the newest firmware version, 6.4, which is not a good option for me

(I need something in 6.0 or 6.2, since they have proven to be quite stable in production).

Regards,

Krzysztof
