Hi
We are using the SSL VPN in split tunnel mode
So when we are connected all web traffic goes out locally and also company traffic goes through the tunnel.
But we want to allow a handful of websites (URLs) to go through the VPN as they are whitelisted.
If we could do it based on groups even better but not essential. we do use LDAP integration
what is the easiest way to do this?
any help is greatly appreciated
Jay
We had the same request from one of our customers. But we found out FQDN addresses are not configuratble for the split tunnel. If you know the IP of the FQDN(host name part of URL) doesn't change, you can add them to the routing-address at the portal, which we did.
I think the reason FQDN is not allowed is because once split tunnel is set up when the client got connected, it can't be changed during the tunnel is up even when the address is changed dynamically.
________________________________________________________
--- NSE 4 ---
________________________________________________________
________________________________________________________
--- NSE 4 ---
________________________________________________________
I highly doubt you could do that without slectively push routes in the split-tunnel, but you could enable explicit proxy and set the machines to use the fortigate as a proxy, why do you want split-tunnel and then route whitelisted URL thru the firewall? I don't see the logic in that request.
If your concern on web-filter for the end-users , deploy a full forticlient and control the end-point would be better regardless if he/she is on the vpn or not, IMHO. Here you can use the FC off-net and with all of the filteroptions with EMS endpoints.
Ken Felix
PCNSE
NSE
StrongSwan
For our customer's case, they had to use one NAT source IP for all users to access some specific Internet services/applications wherever each user might be located.
I was wrong. I just saw in another thread how to do this in GUI. I haven't tested it myself yet but since it's in KB, it should work.
https://kb.fortinet.com/kb/documentLink.do?externalID=FD46248
Basically, don't configure anything at portal, but configure all addresses including FQDN ones in the policy.
thats brilliant - ill give it a go and feedback here
The requirement is because we have a white listed URL that only accepts requests from our Company Public IP
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1737 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.