If you enable split-tunnelling in the settings for the SSLVPN web portal, once you try to define a firewall policy for the connection afterwards, I think you will be prohibited from leaving the destination address zeroed. It is not a valid split-tunnelling address. So you could do one or the other: leave the web portal and policy destination wide open and split-tunnelling disabled (but then create an ssl.<vdom> to WAN policy to allow Internet access), or else enable split-tunnelling in the Tunnel Mode widget in the SSLVPN web portal, choose a local address range, and make the destination in the policy the same address range.
The tricky part comes in if tunnel-mode users also want to use the web portal for proxied browsing to Internet sites. In that case, the only way I can find to make the scenario work is to create two portals: one Tunnel Mode (split tunnelling) and one Web Only. For the web-only browsing connection, you would need a second user account (and/or user group) to authenticate to it, since portal selection is based on authenticated identity. Once in that portal, you could not bring up a split-tunnelling Tunnel Mode connection, but you could browse via the portal proxy. And vice versa, for a tunnel connection, authenticate as the user for the Tunnel Mode portal.
Messy, but it works!
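The two-portal layout described above, written out as FortiOS CLI. This is an added example, not configuration from the original post; it assumes the newer `config vpn ssl web portal` / `config vpn ssl settings` syntax (FortiOS 5.4 and later), a VDOM named `root` (so the SSL VPN interface is `ssl.root`), and the interface, address, pool and group names `wan1`, `internal`, `LAN-net`, `SSLVPN_TUNNEL_ADDR1`, `grp-tunnel` and `grp-web`, all of which are placeholders to be replaced with your own objects.

```fortios
# --- Added example; object names below are assumptions, not from the post ---

# Local range that the split tunnel will route through the VPN.
# The firewall policy destination for the tunnel must use this same object.
config firewall address
    edit "LAN-net"
        set subnet 192.168.10.0 255.255.255.0
    next
end

# Portal 1: tunnel mode only, split tunnelling enabled, web mode off.
# Portal 2: web mode only (proxied browsing), tunnel mode off.
config vpn ssl web portal
    edit "tunnel-split"
        set tunnel-mode enable
        set web-mode disable
        set split-tunneling enable
        set split-tunneling-routing-address "LAN-net"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    edit "web-only"
        set tunnel-mode disable
        set web-mode enable
    next
end

# Portal selection is by authenticated identity: each group maps to one
# portal, so a user needs a separate account/group for each portal.
config vpn ssl settings
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set default-portal "web-only"
    config authentication-rule
        edit 1
            set groups "grp-tunnel"
            set portal "tunnel-split"
        next
        edit 2
            set groups "grp-web"
            set portal "web-only"
        next
    end
end

config firewall policy
    # Tunnel-mode traffic: destination is the split-tunnel range, not "all".
    edit 10
        set name "sslvpn-tunnel-to-lan"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "LAN-net"
        set groups "grp-tunnel"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    # Web-mode (portal proxy) browsing to the Internet for the web-only group.
    # This is also the ssl.root -> WAN policy you would need if you instead
    # ran tunnel mode without split tunnelling and sent all traffic via the VPN.
    edit 11
        set name "sslvpn-web-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set groups "grp-web"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

A quick check after applying this: log in once as a `grp-tunnel` user and confirm that only `LAN-net` appears in the client's VPN route table, then log in as a `grp-web` user and confirm the portal offers bookmarks/quick connection but no tunnel download. If the tunnel user can also browse the Internet through the FortiGate, split tunnelling is not actually in effect and policy 10's destination should be re-checked.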