I am trying to change my current VPN setup but having issues with the new setup, I currently have VPN setup on my FortiGate FGT200F v7.2 cluster with authorisation via Duo two-factor and Active Directory user/groups setup as split tunnel.
I have a single firewall policy and Web filter Policy for inward traffic and a single Firewall policy for outward traffic, so all users get the same filtering.
What I am trying to do is give users a different Web Filter policy based on the Active Directory group they are a member of but my attempts so far are not working.
When I try and create another outward Firewall policy, I get an error that the destination can’t be “All”, my current outward policies destination is set to “All”.
I have done some investigation and I think it’s because I am using a split tunnel VPN? Is it possible to have multiple outward firewall policies with a split tunnel?
Thanks for any advice, I am quite new to FortiGate’s and just learning.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
well splitt tunneling just means that the client that dials in gets routes pushed for all subnets specified in split tunneling plus those are added to the p2 selectors. So traffic from client to those subnets can flow over the tunnel and hit the FGT without changing the default route on client.
What the FortiGate on the opposite Tunnel end then does with the traffic is set by routing and policies. Split tunneling has no effect on these. It only affects p2 selectors plus routing on the client.
Unfortunately you provided too few details for turther diagnosis...
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Hey julianhaines,
the issue would be the destination address 'All'.
With split-tunneling enabled, only specific traffic should go through the VPN tunnel to the FortiGate, and all other traffic should go via the client's default route (not FortiGate). Due to this, FortiGate does not allow the use of 'All' as destination in related policies; if you use the addresses that you configured in split-tunneling settings as destination instead you should have no issues.
You could create an address group, add all addresses from split-tunneling in it, and then use that address group in the appropriate VPN policies.
I'm not certain how you configured the initial policy with destination all - that should not have been possible.
You also should not need policies with destination 'All', as not all traffic will go through the FortiGate anyway.
Hi @julianhaines,
In order to set "ALL" as destination, you will need to disable split-tunneling. Moreover, with we filter issue with specific user/group, you can try with FSSO and use those group as source for your policy:
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FSSO-polling-connector-agent-configuration...
Regards,
Minh
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.