jlb_
New Contributor II

FortiSASE - Remote and internal connectivity setup

Hi, I want to know if it is possible to bypass the VPN when you are on the internal network without using public IP addresses as a reference, because we have multiple branches using different public IP addresses.

1 Solution
smaruvala

Hi,

I think you can try 2 options which we have in FortiSASE. These options are in Configuration --> Endpoints --> Profile

1. Split tunneling - Traffic configured as a split tunneling destination is considered to be a trusted destination that is excluded from the FortiSASE VPN tunnel and redirected to the endpoint physical interface.

2. "Endpoints will not auto connect to VPN from these public IPs" - Endpoints with public IPs matching the configured public IPs are considered trusted or on-net, meaning they are in a corporate network which should have some level of on-premise security and do not need to automatically connect to FortiSASE VPN for security inspection.

From your description, the second one seems to be the option for you.

Please refer:

https://docs.fortinet.com/document/fortisase/latest/administration-guide/209451

Regards,

Shiva

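The two profile options in the answer above, modelled as an added illustration that is not FortiSASE's or FortiClient's own code. It shows how an "on-net" decision keyed on the endpoint's egress public IP covers several branches at once (one entry per branch, single address or CIDR, so the original poster's multi-branch case is handled by listing each branch), how a split-tunnel destination list bypasses the tunnel per destination, and what the combined decision looks like for a packet. The trusted entries, the split-tunnel subnets, and the functions `is_on_net`, `should_auto_connect`, `is_split_tunnel_destination` and `route_for` are all constructed for this example; the only behaviour taken from the thread is that matching is done on the public IP as seen from outside, not on the LAN address of the endpoint.

```python
"""Model of the two FortiSASE endpoint-profile options discussed in the thread.

Added illustration, not FortiSASE or FortiClient code. All addresses are
constructed sample values from the RFC 5737 documentation ranges.
"""
import ipaddress

# Constructed example: one entry per branch egress (single IP or CIDR).
TRUSTED_PUBLIC_IPS = [
    "198.51.100.10",    # Branch A: single static NAT address
    "203.0.113.0/28",   # Branch B: small block used by a dual-ISP egress
    "192.0.2.64/27",    # Branch C
]

# Constructed example of split-tunnel destinations (internal subnets that
# should be reached directly over the physical interface).
SPLIT_TUNNEL_DESTINATIONS = [
    "10.0.0.0/8",
    "172.16.0.0/12",
]


def _parse_networks(entries):
    """Turn a mixed list of IPs and CIDRs into network objects.

    A bare address becomes a /32 (or /128 for IPv6) so one membership test
    works for both forms. A malformed entry raises ValueError rather than
    silently behaving as "no match", so a typo in the list is caught.
    """
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_on_net(egress_ip, trusted_entries=TRUSTED_PUBLIC_IPS):
    """True if the endpoint's public (egress) IP matches a trusted entry.

    Mirrors "Endpoints will not auto connect to VPN from these public IPs":
    a match means the endpoint is treated as on-net and is not auto-connected.
    The test is on the public address seen from outside, not the RFC 1918
    address on the laptop, so a branch on a dynamic ISP address drops off
    the list when that address changes.
    """
    ip = ipaddress.ip_address(egress_ip)
    return any(ip in net for net in _parse_networks(trusted_entries))


def should_auto_connect(egress_ip, trusted_entries=TRUSTED_PUBLIC_IPS):
    """Auto-connect the VPN unless the endpoint is on-net."""
    return not is_on_net(egress_ip, trusted_entries)


def is_split_tunnel_destination(dest_ip, destinations=SPLIT_TUNNEL_DESTINATIONS):
    """True if traffic to dest_ip is excluded from the tunnel.

    Mirrors the split-tunneling option: matching destinations leave via the
    physical interface even while the VPN tunnel is up.
    """
    ip = ipaddress.ip_address(dest_ip)
    return any(ip in net for net in _parse_networks(destinations))


def route_for(egress_ip, dest_ip):
    """Combine both options into the path a packet would take.

    Returns "direct" or "tunnel". Off-net endpoints still send split-tunnel
    destinations directly; on-net endpoints have no tunnel to send through.
    """
    if not should_auto_connect(egress_ip):
        return "direct"
    if is_split_tunnel_destination(dest_ip):
        return "direct"
    return "tunnel"


if __name__ == "__main__":
    # Endpoint behind Branch B's NAT reaching the internet: on-net, no tunnel.
    print(route_for("203.0.113.5", "8.8.8.8"))       # direct
    # Endpoint at home reaching an internal subnet: split-tunnel, direct.
    print(route_for("198.51.100.99", "10.1.2.3"))    # direct
    # Endpoint at home reaching the internet: inspected through FortiSASE.
    print(route_for("198.51.100.99", "8.8.8.8"))     # tunnel
```

When adding a branch to the trusted list, record the egress address FortiSASE actually sees (the NAT address, or the whole block for a site with more than one ISP), not the internal LAN subnet; an entry that does not match the observed public IP simply results in the endpoint auto-connecting as if it were off-net.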

3 Replies
smaruvala
Staff

Hi,

Can you please provide more information regarding the requirement? Are you talking about split tunneling for the end users who are connected to SIA, or are you talking about bypassing SPA access?

Regards,

Shiva

jlb_
New Contributor II

Hi smaruvala,

I think it's for SPA access, but I can apply it to SIA access if applicable. The user will not be able to disconnect the SASE connection, and if the user is connected to my internal network I can bypass the SASE connection by auto-disconnecting it using the trusted public IP address. But if I have multiple branches with different IP addresses, is there a workaround?

Thanks.

