Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
yanivg11
New Contributor II

Created on ‎02-20-2024 12:37 AM Edited on ‎02-20-2024 12:46 AM

FQDN through Split tunnel overrides the default route and block internet for MAC users

Hi All,

We have followed this article to set FQDN access using Split tunnel:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-to-Specific-FQDN-using-Split-Tunnel...

 

The users are able to access the FQDN thought the split-tunnel as expected.

However we noticed that MAC users are unable to browse internet while connected with FortiClient.

 

While looking into this we noticed that both Windows users and MAC users get a new default route when connecting with FortiClient.

But while Windows users are still able to browse the internet, MAC users are not.

First screenshot is from Windows user with FortiClient connected, this user is still able to browse the internet although the new default route:

Windows user.png

Second screenshot is from MAC user, before and after FortiClient connected,

Once the FortiClient is connected this user is unable to browse the internet:

MAC user.jpg

 

Any advice? tnx

Labels:
1912
0 Kudos
12 REPLIES 12
AEK
SuperUser
SuperUser

Created on ‎02-20-2024 02:28 AM

Hello @yanivg11 

In split tunnel mode a defaut route through tunnel should not be injected, but only routes to specific resources. However in your screenshots we can see that default gateways were injected.

Check it any ssl vpn related policy contains "any" as destination. If so, remove it and put the specific internal destinations instead, then try reconnect to VPN to check if specific routes are injected instead of default GW.

AEK
AEK
1482
yanivg11
New Contributor II
In response to AEK

Created on ‎02-20-2024 09:45 AM

hi AEK, thank you for your reply, I have checked the policy but we have no "ANY" as destination for our SSLVPN groups.

1448
0 Kudos
AEK
SuperUser
SuperUser
In response to yanivg11

Created on ‎02-20-2024 01:47 PM

Hi @yanivg11 

As stated in the document, unresolved FQDN can cause connection failure (they didn't tell what they mean by failure but it might be a similar case as yours).

So I suspect the issue is caused by some problematic FQDN.

If possible, just as a test, replace the FQDN in the policy by their actual IP addresses, then redo a VPN connection test.

After that if you still have a default address pushed to your client then you can exclude this from being the root cause.

AEK
AEK
1431
yanivg11
New Contributor II
In response to AEK

Created on ‎02-21-2024 12:07 AM

hi AEK,

I have removed all FQDN from the rule and kept only 8.8.8.8 as IP, not name:

* the test group "Dynamic_Test_Group" isnt in any other rule, only this one

policy.png

however the extra route still showing after the ForitClient gets connected:
route.png

1408
AEK
SuperUser
SuperUser
In response to yanivg11

Created on ‎02-21-2024 12:38 AM

Hi @yanivg11 

This shouldn't be.

Then I suggest first update FortiClient to 7.0.14 since there are several split tunnel related issues on 7.0.9.

https://docs.fortinet.com/document/forticlient/7.0.9/windows-release-notes/991883/known-issues

AEK
AEK
1402
yanivg11
New Contributor II
In response to AEK

Created on ‎02-21-2024 01:15 AM Edited on ‎02-21-2024 01:16 AM

Hi AEK,

First thank you for all your help.

Just fyi, I went even further and removed the "Dynamic_Test_Group" from all policy rules,

yet I'm still getting the extra route once the FortiClient connected, meaning that it is coming from the Portal mapping:

mapping.png

 

1393
0 Kudos
hbac
Staff
Staff
In response to yanivg11

Created on ‎02-21-2024 06:31 AM

@yanivg11,

 

If you removed the "Dynamic_Test_Group" from all policies, you should not be able to connect to the VPN. Please make sure you are connecting to the correct SSLVPN portal. You can check the log to verify that. Also make sure there's no SSLVPN policies with destination=0.0.0.0/0. 

 

Regards, 

1371
yanivg11
New Contributor II
In response to hbac

Created on ‎02-22-2024 01:19 AM Edited on ‎02-22-2024 01:20 AM

Hi I thought so also, however even though that the group does not exist in any policy, the VPN connection keep working.

I believe this is a difference in the behavior between static to dynamic portals.

 

I have upgraded the FortiClient on both Windows and MAC.
For Windows it is now  - 7.2.3.0929

For MAC it is now - 7.2.3.0822

 

After the FortiClient upgrade:

For Windows - the extra default route issue disappeared completely.

For MAC - same issue, the extra route is still added and the internet keep getting blocked.

1344
0 Kudos
AEK
SuperUser
SuperUser
In response to yanivg11

Created on ‎02-22-2024 01:47 AM

I think, since the latest FortiClient patch has fixed Windows split tunnel related issue, I think Fortinet will/should do the same for Mac soon.

Try open a ticket to speed up this fix, or they can even send you a quick patch.

AEK
AEK
1338
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.