
Changing the current VPN to allow better Web Filtering

Currently I have a FortiGate VPN set up, and all connected users are getting the same web filtering. What I am trying to do is set it up so I can give VPN users different web filtering based on their AD group.


I currently do this for users not using the VPN but cannot find a way of doing this for VPN-connected users; when I try to create a new firewall policy, I get the error below.


I am new to FortiGates, so I am not sure of the correct way of doing this. I have done some googling but have yet to find how I should be setting it up.


I need to do this without disrupting current VPN access if possible, as it is used 24/7.


• FortiGate FGT200F Cluster version 7.2
• VPN setup to allow remote connections with 2-factor, LDAP AD authorisation.
• VPN is setup as Split Tunnel.


Firewall Policy to allow VPN traffic into LAN.
• Name: SSLVPN to LAN
• Interfaces: SSL.Root -> LAN.
• Source: SSLVPN_TUNNEL_ADDRESS & Radius Server
• Dest: LAN-Data
• Service: All


Firewall Policy to allow VPN traffic out to Internet.
• Name: SSLVPN to Internet
• Interfaces: SSL.Root -> Virtual-Wan-Link.
• Source: SSLVPN_TUNNEL_ADDRESS & Radius Server
• Dest: All
• Service: All
• Security Profile: Web Filter


Error when trying to create another VPN-traffic-out policy:
• Destination address of split tunnelling policy is invalid.
• SSL-VPN portal "tunnel-access-split" has split tunnel enabled.
• Which does not allow policy IPv4 destination address to be all.
• Object check operator error, -2008, discard the setting.


By default, a split-tunnel VPN profile gathers the list of "split routes" by scraping the destination addresses from relevant firewall policies. This is why by default the GUI will sometimes block creation of an SSL-VPN policy with destination=all.


I don't recall the exact conditions; it may or may not also be checking user/group => portal mappings when considering whether to apply this restriction.


You should be able to get rid of this by either:
- switching relevant tunnels to full-tunnel (not split-routing)
- replacing "all" with specific destinations in the affected firewall policies
- switching the relevant (or all?) split-route VPN profiles from automatically learned split routes to a manually defined list.



[ corrections always welcome ]



Thanks for the detailed information. In my portal there are two routing overrides for LAN & Voice Data, which I assume are to route any local VPN traffic locally. I have linked images to my portal and firewall setups for reference.


So in order to have different website filtering for users, I would need to either stop using split tunnel and create more SSL-to-WAN firewall policies based on the user's group, or replace the current SSL-to-WAN firewall policy destination "all" with the overrides set up in the portal ("LAN-Data" & "LAN-Voice") and then add more firewall policies with the user group so they get the relevant web filtering applied.

The configuration as-is is illogical.

Both policies use the same group, therefore we can expect that they will be assigned to the same SSL-VPN portal.
Let's assume that it will be "tunnel-access-split". This portal has split-routing enabled, and the only VPN routes it will push to the clients are LAN-Data and LAN-Voice. VPN clients will thus _not_ route generic internet traffic through the tunnel, so the SSL-VPN policy for SD-WAN with destination=all will never be used.


If your goal is to route ALL traffic through the tunnel, you must disable split routing. Then the VPN client will route everything into the tunnel.

[ corrections always welcome ]


Not sure what your end objective is here.

If you want users to be able to access the internet via the VPN tunnel, then a full tunnel would be required (under Split Tunnel, select the Disabled option). Split tunnel is used when you want users to access certain specific resources behind the FortiGate in your internal network.

If you want a split tunnel to only LAN resources, then they would be going to the Internet via their ISP and you won't be able to do any web filtering on it.

If you have the scenario where certain users only need to access LAN resources on the tunnel and other users will use LAN resources and the internet via the tunnel, then you can create separate tunnel portals for this: one full tunnel and one split tunnel.


Hope that helps clarify things a bit. If you have further questions, please let me know.
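As an added example (not from this thread and not Fortinet's own documentation), the FortiOS CLI sketch below puts the two answers together: a full-tunnel portal for the users whose internet traffic should be filtered on the FortiGate, the existing split portal with a manually defined route list so the "destination=all" check no longer applies, and separate ssl.root to SD-WAN policies whose user group selects the web filter profile. The AD group, portal and profile names are placeholders; the address objects are the ones named in the thread, and the SSL-VPN user groups are assumed to already exist as LDAP-backed firewall groups.

```text
# --- SSL-VPN portals (names are placeholders) ---
config vpn ssl web portal
    edit "tunnel-full"
        set tunnel-mode enable
        set split-tunneling disable              # everything goes through the tunnel
        set ip-pools "SSLVPN_TUNNEL_ADDRESS"
    next
    edit "tunnel-access-split"
        set tunnel-mode enable
        set split-tunneling enable
        # manual list instead of routes learned from policy destinations
        set split-tunneling-routing-address "LAN-Data" "LAN-Voice"
        set ip-pools "SSLVPN_TUNNEL_ADDRESS"
    next
end

# --- map AD groups to portals (assumed group names) ---
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "AD-VPN-Internet-Marketing" "AD-VPN-Internet-Eng"
            set portal "tunnel-full"
        next
        edit 2
            set groups "AD-VPN-LAN-only"
            set portal "tunnel-access-split"
        next
    end
end

# --- one ssl.root -> SD-WAN policy per group, each with its own web filter ---
config firewall policy
    edit 0
        set name "SSLVPN to Internet - Marketing"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link"
        set srcaddr "SSLVPN_TUNNEL_ADDRESS"
        set dstaddr "all"
        set groups "AD-VPN-Internet-Marketing"   # group decides which policy matches
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-marketing"     # assumed profile name
        set logtraffic all
    next
end
```

Policies are matched top-down, so put the group-specific policies above any broader ssl.root to SD-WAN policy and verify with "diagnose firewall iprope lookup" or the policy-ID column in the forward-traffic log. Users on "tunnel-access-split" never send internet traffic through the tunnel, so no FortiGate web filter applies to them regardless of policy.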



