Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
julianhaines
New Contributor III

Created on ‎11-24-2023 05:06 AM Edited on ‎11-24-2023 05:10 AM

Filtering outbound VPN traffic with Split Tunnel FortiGate 7.2

Below is my current setup to allow remote users to access my network via VPN, at the moment they all get the same Web Filter Policy but want to change so that users get a Web Filter Policy depending on the Group they are a member of, I am doing this with local traffic but cant see how this is done with VPN and Split tunnel.

 

Is this possible with Split Tunnel?

 

SSLVPN_TUNNEL_ADD1 is the DHCP range issued to VPN users, and VPN - Group DUO Radius Servers is the VPN Auth server.

 

Layout Version 2.png

 

 

Labels:
1393
0 Kudos
8 REPLIES 8
hbac
Staff
Staff

Created on ‎11-24-2023 08:26 AM

Hi @julianhaines,

 

If split tunneling is enabled, the destination of the firewall policy can't be all. 

 

Regards, 

1362
0 Kudos
julianhaines
New Contributor III
In response to hbac

Created on ‎11-29-2023 04:30 AM Edited on ‎11-29-2023 04:44 AM

Hi @hbac , thanks for the information, I have taken over the FortiGate from previous IT Admin and in the current outgoing ssl.root to Virtual-Wan-Link the destination is already set to "All" so don't know how this was done. 

 

If I disable Spit-Tunnel what would I change the "All" destination to? would it be 0.0.0.0 or the VPN DHCP range allocated to the VPN users or something else?

1286
0 Kudos
hbac
Staff
Staff
In response to julianhaines

Created on ‎11-29-2023 06:06 AM

@julianhaines,

 

If split-tunneling is disabled, you don't need a firewall policy from ssl.root to Virtual-Wan-Link. You only need policy from ssl.root to lan. 

 

Regards, 

1266
0 Kudos
julianhaines
New Contributor III
In response to hbac

Created on ‎11-29-2023 06:17 AM

Thanks, I want to apply Web Filtering to the VPN users to block certain sites so this is why I thought I need the outgoing rule

1261
0 Kudos
hbac
Staff
Staff
In response to julianhaines

Created on ‎11-29-2023 06:25 AM

@julianhaines,

 

If you want to control VPN users Internet traffic, you need to disable split tunneling and enable webfilter on ssl.root to Virtual-Wan-Link policy. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-Split-Tunnel-configuration/ta-p/...

 

Regards, 

1259
0 Kudos
julianhaines
New Contributor III
In response to hbac

Created on ‎11-29-2023 07:12 AM

@hbac 

Thanks, what would the destination be? would it be 0.0.0.0/0

1253
0 Kudos
hbac
Staff
Staff
In response to julianhaines

Created on ‎11-29-2023 07:16 AM

@julianhaines,

 

The destination should be all for ssl.root to Virtual-Wan-Link policy. 

 

Regards, 

1251
0 Kudos
angus2
New Contributor

Created on ‎11-29-2023 05:09 AM

We wound up scrapping the idea of using EMS to split tunnel. We now have specified LAN networks at the head end on the VPN network, forcing all non-LAN traffic to route elsewhere.

https://19216801.onl/ https://routerlogin.uno/
https://19216801.onl/ https://routerlogin.uno/
1278
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.