julianhaines
New Contributor

Filtering outbound VPN traffic with Split Tunnel FortiGate 7.2

Below is my current setup to allow remote users to access my network via VPN. At the moment they all get the same Web Filter Policy, but I want to change this so that users get a Web Filter Policy depending on the Group they are a member of. I am doing this with local traffic but can't see how this is done with VPN and Split Tunnel.


Is this possible with Split Tunnel?


SSLVPN_TUNNEL_ADD1 is the DHCP range issued to VPN users, and VPN - Group DUO Radius Servers is the VPN Auth server.


[Attached image: Layout Version 2.png]

hbac
Staff

Hi @julianhaines,


If split tunneling is enabled, the destination of the firewall policy can't be all. 


Regards, 

julianhaines

Hi @hbac, thanks for the information. I have taken over the FortiGate from the previous IT Admin, and in the current outgoing ssl.root to Virtual-Wan-Link the destination is already set to "All", so I don't know how this was done.


If I disable Split-Tunnel, what would I change the "All" destination to? Would it be 0.0.0.0, or the VPN DHCP range allocated to the VPN users, or something else?

hbac

@julianhaines,


If split-tunneling is disabled, you don't need a firewall policy from ssl.root to Virtual-Wan-Link. You only need policy from ssl.root to lan. 


Regards, 

julianhaines

Thanks. I want to apply Web Filtering to the VPN users to block certain sites, so this is why I thought I needed the outgoing rule.

hbac

@julianhaines,


If you want to control VPN users' Internet traffic, you need to disable split tunneling and enable webfilter on the ssl.root to Virtual-Wan-Link policy. https://community.fortinet.com/t5/FortiGate/Technical-Tip-Disabling-Split-Tunnel-configuration/ta-p/...


Regards, 

julianhaines

@hbac 

Thanks, what would the destination be? Would it be 0.0.0.0/0?

hbac

@julianhaines,


The destination should be all for ssl.root to Virtual-Wan-Link policy. 


Regards, 
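As an added example (not configuration posted by anyone in this thread), here is the FortiOS CLI shape of what hbac describes: split tunneling disabled on the SSL VPN portal, and one ssl.root to virtual-wan-link policy per user group, each keeping destination "all" but carrying its own web filter profile. The portal name, the second user group and the web filter profile names are assumptions; the address object and the DUO RADIUS group names are taken from the original post.

```text
# Added example, not the poster's config. Names marked ASSUMED are placeholders.
config vpn ssl web portal
    # ASSUMED portal name
    edit "full-access"
        set tunnel-mode enable
        # With split tunneling off, all VPN client traffic traverses the FortiGate,
        # so an outbound policy can inspect it
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADD1"
    next
end

config firewall policy
    # Policy for members of the DUO RADIUS group: destination stays "all"
    edit 0
        set name "VPN-DUO-Internet"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link"
        set srcaddr "SSLVPN_TUNNEL_ADD1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "VPN - Group DUO Radius Servers"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        # ASSUMED web filter profile name
        set webfilter-profile "wf-duo-users"
        set nat enable
        set logtraffic all
    next
    # Second policy, same source and destination, different group and profile
    edit 0
        set name "VPN-Staff-Internet"
        set srcintf "ssl.root"
        set dstintf "virtual-wan-link"
        set srcaddr "SSLVPN_TUNNEL_ADD1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # ASSUMED second user group and web filter profile
        set groups "VPN-Staff"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "wf-staff"
        set nat enable
        set logtraffic all
    next
end
```

Policies are matched top down, so a user who belongs to both groups gets the profile of whichever policy is listed first.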

angus2
New Contributor

We wound up scrapping the idea of using EMS to split tunnel. We now have specified LAN networks at the head end on the VPN network, forcing all non-LAN traffic to route elsewhere.
