Hi All,
We have followed this article to set FQDN access using Split tunnel:
The users are able to access the FQDN thought the split-tunnel as expected.
However we noticed that MAC users are unable to browse internet while connected with FortiClient.
While looking into this we noticed that both Windows users and MAC users get a new default route when connecting with FortiClient.
But while Windows users are still able to browse the internet, MAC users are not.
First screenshot is from Windows user with FortiClient connected, this user is still able to browse the internet although the new default route:
Second screenshot is from MAC user, before and after FortiClient connected,
Once the FortiClient is connected this user is unable to browse the internet:
Any advice? tnx
Hello @yanivg11
In split tunnel mode a defaut route through tunnel should not be injected, but only routes to specific resources. However in your screenshots we can see that default gateways were injected.
Check it any ssl vpn related policy contains "any" as destination. If so, remove it and put the specific internal destinations instead, then try reconnect to VPN to check if specific routes are injected instead of default GW.
hi AEK, thank you for your reply, I have checked the policy but we have no "ANY" as destination for our SSLVPN groups.
Hi @yanivg11
As stated in the document, unresolved FQDN can cause connection failure (they didn't tell what they mean by failure but it might be a similar case as yours).
So I suspect the issue is caused by some problematic FQDN.
If possible, just as a test, replace the FQDN in the policy by their actual IP addresses, then redo a VPN connection test.
After that if you still have a default address pushed to your client then you can exclude this from being the root cause.
hi AEK,
I have removed all FQDN from the rule and kept only 8.8.8.8 as IP, not name:
* the test group "Dynamic_Test_Group" isnt in any other rule, only this one
however the extra route still showing after the ForitClient gets connected:
Hi @yanivg11
This shouldn't be.
Then I suggest first update FortiClient to 7.0.14 since there are several split tunnel related issues on 7.0.9.
https://docs.fortinet.com/document/forticlient/7.0.9/windows-release-notes/991883/known-issues
Created on 02-21-2024 01:15 AM Edited on 02-21-2024 01:16 AM
Hi AEK,
First thank you for all your help.
Just fyi, I went even further and removed the "Dynamic_Test_Group" from all policy rules,
yet I'm still getting the extra route once the FortiClient connected, meaning that it is coming from the Portal mapping:
If you removed the "Dynamic_Test_Group" from all policies, you should not be able to connect to the VPN. Please make sure you are connecting to the correct SSLVPN portal. You can check the log to verify that. Also make sure there's no SSLVPN policies with destination=0.0.0.0/0.
Regards,
Created on 02-22-2024 01:19 AM Edited on 02-22-2024 01:20 AM
Hi I thought so also, however even though that the group does not exist in any policy, the VPN connection keep working.
I believe this is a difference in the behavior between static to dynamic portals.
I have upgraded the FortiClient on both Windows and MAC.
For Windows it is now - 7.2.3.0929
For MAC it is now - 7.2.3.0822
After the FortiClient upgrade:
For Windows - the extra default route issue disappeared completely.
For MAC - same issue, the extra route is still added and the internet keep getting blocked.
I think, since the latest FortiClient patch has fixed Windows split tunnel related issue, I think Fortinet will/should do the same for Mac soon.
Try open a ticket to speed up this fix, or they can even send you a quick patch.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.