Route specific public domain for SSL VPN split tunnel

Is it possible to route a public domain, for example, via the firewall's outgoing interface? For example, when an SSL VPN user tries to access it, the FortiGate would redirect the traffic via the outgoing interface, while all other traffic exits via the SSL VPN user's default gateway.

Of course, you just have to include that in the split tunnel routing the same way you would for other LAN traffic.  In our particular case, I leave the split tunnel config blank and let the firewall build the split tunnel list by what policies are allowed.  If you do this the same, you simply need a policy to that destination with the appropriate users going from the ssl.root to the wan.  You can add more destinations as needed.


What if some domains use dynamic public IP addresses behind a load balancer? For example, nslookup will resolve 2 IP addresses, and then after a few hours change it to and I can't keep monitoring the IP addresses and adding them into the FortiGate firewall, right?


Why not use an FQDN address object so that it keeps up with those changes dynamically?  I assumed that's what you intended to do in the first place.
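As an added example (not configuration posted in this thread or supplied by Fortinet), here is the FortiOS CLI form of the approach described above: an FQDN address object, a portal with split tunneling enabled and no explicit routing addresses, and a policy from ssl.root to the WAN interface whose destination then populates the split-tunnel route list. The interface name wan1, the FQDN, and the object, portal and group names are assumed.

```fortios
config firewall address
    edit "app-public-fqdn"
        set type fqdn
        set fqdn "app.example.com"
        set comment "Resolved by the FortiGate; follows DNS changes without manual edits"
    next
end

config vpn ssl web portal
    edit "split-tunnel-portal"
        set tunnel-mode enable
        set split-tunneling enable
    next
end

config firewall policy
    edit 0
        set name "sslvpn-to-app-public"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "app-public-fqdn"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat enable
        set comments "Destination of this policy becomes a client split-tunnel route"
    next
end
```

Because the portal has no explicit routing addresses, the destinations of the allowed ssl.root policies form the split-tunnel route list pushed to FortiClient; as the later reply in this thread notes, check with route print on the client how many of the resolved addresses actually arrive as routes.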

Did you solve the issue?


I am looking for a solution.

I've been trying to solve the same issue; however, what I've encountered (even with an FQDN object) is that only the first IP that FortiOS resolves is passed to the FortiClients, i.e. to the PC's local routing table. Viewing the routing table of a PC with the CMD command Route PRINT will also only list one. At this point I think it's a limitation of the "tunnel-VPN".
Kind regards
