We are preparing to implement Split Tunneling for our SSL -VPN users, specifically to include split-tunneling-routing-negate to hopefully exclude Microsoft 365 services from traversing the SSLVPN tunnel and instead go out the local internet connection.
We have two (2) Fortigate 101Fs in a HA configuration. Current firmware is 6.2.4
FortiClient versions 6.4.0.1464
We will be upgrading our firmware from 6.2.4 to 6.4.3, then from 6.4.3 to 6.4.4 as 6.2.4 does not have the split-tunneling-routing-negate option in the next 7-10 days. Following the firmware upgrade, we want to implement the split tunnel with routing negate and have found only this Fortinet article documenting basic use. and unfortunately does not include a very detailed example.
We plan to implement the following commands:
config vpn ssl web portal edit SSLVPN-AllUsers set tunnel-mode enable set split-tunneling enable set split-tunneling-routing-negate enable
set split-tunneling-routing-address <name1>, <name2>, ... I am not sure what to put here. I have a run the powershell script from Microsoft to get the current list of all domains / ip addresses. Should the set split-tunneling-routing-address command look like this:
set split-tunneling-routing-address 104.146.128.0/17,104.42.230.91/32,104.47.0.0/17,13.107.128.0/22
Any help or comments or previous experience trying to implement this would be greatly appreciated.
I originally planed on contacting support for verification, but I thought I would reach out in the Forums first.
Thanks for any assistance in advance.
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
You can specify many networks with the command set split-tunneling-routing-address. For example:
config vpn ssl web portal edit "Split" set split-tunneling-routing-negate enable set split-tunneling-routing-address "Net_1" "Net_2"
So in your case create Firewall addresses for Microsoft 365 and then add them using the command.
You can even add all Microsoft 365 addresses to an address group, then use the group with the command split-tunneling-routing-address.
Hi,
You can specify many networks with the command set split-tunneling-routing-address. For example:
config vpn ssl web portal edit "Split" set split-tunneling-routing-negate enable set split-tunneling-routing-address "Net_1" "Net_2"
So in your case create Firewall addresses for Microsoft 365 and then add them using the command.
You can even add all Microsoft 365 addresses to an address group, then use the group with the command split-tunneling-routing-address.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.