I have two SSL-VPN portals on my FortiGate running FortiOS 6.4.11: a split one, which should only push routes to destinations in the firewall policies, and a non-split tunnel over which all traffic should be routed. The intention is that on the split tunnel, internet access should be routed over a user's own internet connection rather than the VPN.
The second one is a non-split tunnel which should route all traffic over the VPN. However, people wanted to have internet access on the split-VPN tunnel as well, and therefore a firewall policy was created that allows all traffic coming from the SSL-VPN interfaces to the internet.
Both portals are using the same IP address pool and user group.
However, it appears that on the split tunnel, internet access is routed over the SSL-VPN as well. Is this caused by the above-described firewall policy? And what is the best way to circumvent this, as it is obviously not desirable?
If you have split-tunnel enabled, FortiGate will push subnets to the client based on the firewall policy, i.e. which subnets are in the destination. However, with split-tunnel, FortiGate will not allow you to add "all" as a destination address, so I don't think all the internet traffic is routed via FortiGate. I would verify what the routing table on the clients looks like with split-tunnel enabled.
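As an added configuration example (not from either poster), one way to keep the two portals from sharing routes: give each portal its own pool, pin the split portal's pushed routes with `split-tunneling-routing-address` (a FortiOS option that replaces the policy-derived route list), and key the internet-egress policy to the full-tunnel pool and group only. The address object `SPLIT_NETS`, the pools, the groups, `port1` and `internal` are assumed names; each group is mapped to its portal under the authentication rules in `config vpn ssl settings`.

```fortios
config vpn ssl web portal
    edit "split-portal"
        set tunnel-mode enable
        set split-tunneling enable
        # Push only SPLIT_NETS to the client; without this line the routes
        # are derived from the destinations of policies on ssl.root.
        set split-tunneling-routing-address "SPLIT_NETS"
        set ip-pools "SSLVPN_POOL_SPLIT"
    next
    edit "full-portal"
        set tunnel-mode enable
        set split-tunneling disable      # every client flow enters the tunnel
        set ip-pools "SSLVPN_POOL_FULL"
    next
end

config firewall policy
    edit 10
        # Split-tunnel clients: internal networks only, no internet egress.
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_POOL_SPLIT"
        set dstaddr "SPLIT_NETS"
        set groups "vpn-split-users"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 11
        # Full-tunnel clients only may reach the internet through the firewall;
        # a shared pool or group here would also match split-tunnel users.
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_POOL_FULL"
        set dstaddr "all"
        set groups "vpn-full-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

To confirm the result on a split-tunnel client, check its routing table after connecting (`route print` on Windows, `ip route` on Linux): only the `SPLIT_NETS` prefix should point at the VPN adapter, and the default route should still be the local gateway.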