Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Arendtsen-BTCS
New Contributor

Created on ‎06-07-2022 01:01 AM

Inverted split tunnel VPN (FortiOS 6.4.6)

Hi,

 

I have gotten a very special request that I can't figure out if is possible by some kind of magic.

What is wanted is that all traffic except MS Teams traffic is routed through the Fortigate and Teams traffic is directly accessed.


It's a Fortigate 200E with firmware 6.4.6 and the free vpn client going over ssl-vpn.

 

Is there any way to achieve this?



FortiGate #Client

Labels:
1360
0 Kudos
1 Solution
vdralio
Staff
Staff

Created on ‎06-07-2022 01:13 AM Edited on ‎06-07-2022 01:14 AM

Hi @Arendtsen-BTCS 

 

Please follow the article below:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-tunnel-mode-negating-split-tunneli...

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-negate-exclude-address-from-Routing...

 

After enabling the split-tunneling-routing-negate option, it is possible to add the routing-address 'Addr' to be negated either using the GUI or the CLI.
To be noted that when enabling the option, ALL routing-address objects will be negated.

There is no option of using mixed address (negated and un-negated).
 Using ISDB addresses is also not an option.

 

Best Regards,

Vasil

View solution in original post

1355
0 Kudos
3 REPLIES 3
vdralio
Staff
Staff

Created on ‎06-07-2022 01:13 AM Edited on ‎06-07-2022 01:14 AM

Hi @Arendtsen-BTCS 

 

Please follow the article below:

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-SSL-VPN-tunnel-mode-negating-split-tunneli...

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-negate-exclude-address-from-Routing...

 

After enabling the split-tunneling-routing-negate option, it is possible to add the routing-address 'Addr' to be negated either using the GUI or the CLI.
To be noted that when enabling the option, ALL routing-address objects will be negated.

There is no option of using mixed address (negated and un-negated).
 Using ISDB addresses is also not an option.

 

Best Regards,

Vasil

1356
0 Kudos
Arendtsen-BTCS
New Contributor
In response to vdralio

Created on ‎06-07-2022 01:16 AM

That is what I suspected. Thank you.

1324
0 Kudos
vdralio
Staff
Staff
In response to Arendtsen-BTCS

Created on ‎06-07-2022 01:19 AM

Dear @Arendtsen-BTCS ,

 

Yes, this has some limitation for the moment.

 

If you want this feature in the FortiGate, you can request it as a new feature.
To submit a request you will need to contact your Sales Engineer. They can take in your request and submit it to development, but this does not guarantee that the new feature will be implemented, it will depend on the demand or need for the feature.
Please update me further.

If you require this feature, this has to be addressed through an NFR.
Please be informed that a New Feature Requests need to be working with the Systems Engineer (SE) that covers your territory.
http://www.fortinet.com/aboutus/locations.html

Alternatively, it can be done through Regional Sales Partner Channel
http://www.fortinet.com/partners/reseller_locator/locator.html

 

Best Regards,

Vasil

1321
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.