Below is my current setup to allow remote users to access my network via VPN. At the moment they all get the same Web Filter Policy, but I want to change this so that users get a Web Filter Policy depending on the Group they are a member of. I am doing this with local traffic but can't see how this is done with VPN and Split Tunnel.
Is this possible with Split Tunnel?
SSLVPN_TUNNEL_ADD1 is the DHCP range issued to VPN users, and VPN - Group DUO Radius Servers is the VPN Auth server.
Hi @julianhaines,
If split tunneling is enabled, the destination of the firewall policy can't be all.
Regards,
Created on 11-29-2023 04:30 AM Edited on 11-29-2023 04:44 AM
Hi @hbac, thanks for the information. I have taken over the FortiGate from the previous IT Admin, and in the current outgoing ssl.root to Virtual-Wan-Link policy the destination is already set to "All", so I don't know how this was done.
If I disable Split-Tunnel, what would I change the "All" destination to? Would it be 0.0.0.0, the VPN DHCP range allocated to the VPN users, or something else?
If split-tunneling is disabled, you don't need a firewall policy from ssl.root to Virtual-Wan-Link. You only need a policy from ssl.root to lan.
Regards,
Thanks. I want to apply Web Filtering to the VPN users to block certain sites, so this is why I thought I needed the outgoing rule.
If you want to control VPN users' Internet traffic, you need to disable split tunneling and enable web filter on the ssl.root to Virtual-Wan-Link policy. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-Split-Tunnel-configuration/ta-p/...
Regards,
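What the per-group version of that ssl.root to Virtual-Wan-Link policy looks like in the FortiOS CLI, as an added example that is not from the thread, from Fortinet's documentation or from the poster's FortiGate. It assumes two user groups named VPN-Group-A and VPN-Group-B and two web filter profiles named webfilter-groupA and webfilter-groupB (all hypothetical names), a portal named full-tunnel, and reuses the poster's tunnel address object SSLVPN_TUNNEL_ADD1. The security-relevant point it encodes: the FortiGate can only web-filter traffic that actually enters the tunnel, so with split tunneling enabled the split-tunnel routing list decides which destinations the firewall ever sees, and general Internet browsing leaves the client by its local gateway unfiltered. Disabling split tunneling in the portal forces everything through ssl.root, and the group is then matched on the firewall policy rather than on the destination, which stays "all".

```text
# Portal: full tunnel, so Internet-bound traffic reaches the FortiGate at all
config vpn ssl web portal
    edit "full-tunnel"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADD1"
    next
end

# Map each group to the portal (authentication rules are evaluated top-down)
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "VPN-Group-A"
            set portal "full-tunnel"
        next
        edit 2
            set groups "VPN-Group-B"
            set portal "full-tunnel"
        next
    end
end

# One Internet policy per group. Firewall policies also match top-down, so
# keep these above any generic ssl.root -> virtual-wan-link policy, or a
# member of both groups will hit whichever comes first.
config firewall policy
    edit 101
        set name "VPN-GroupA-Internet"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link"
        set srcaddr "SSLVPN_TUNNEL_ADD1"
        set dstaddr "all"
        set groups "VPN-Group-A"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "webfilter-groupA"
        set nat enable
    next
    edit 102
        set name "VPN-GroupB-Internet"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link"
        set srcaddr "SSLVPN_TUNNEL_ADD1"
        set dstaddr "all"
        set groups "VPN-Group-B"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "webfilter-groupB"
        set nat enable
    next
end
```

The existing ssl.root to lan policies are unchanged; only the single shared Internet policy is split into one policy per group. Two checks after applying it: confirm in the SSL VPN monitor that the group shown for a connected user is the one the policy expects (a RADIUS server that does not return group membership will match no group-scoped policy at all), and verify with a test account in each group that a site blocked by one profile is reachable under the other.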
Thanks, what would the destination be? Would it be 0.0.0.0/0?
We wound up scrapping the idea of using EMS to split tunnel. We now have specified LAN networks at the head end on the VPN network, forcing all non-LAN traffic to route elsewhere.
Copyright 2024 Fortinet, Inc. All Rights Reserved.