Keeping the Split Tunneling routing address blank in the SSL-VPN portal, to be able to use FQDN addresses
So does my collaborator's internet go out through the FortiGate, or through the internet from his own home?
Leaving Split Tunneling blank, when checking the IP the client is going out to the internet with, it is the company's IP. Is internet traffic going all the way through the FortiGate?
Hey Gerston,
it seems likely that when you enable split-tunneling but DON'T specify a routing address, all traffic goes through the VPN.
You could check the routing table on your PC.
For Windows for example, open the command prompt and type 'route print'
-> it should include a route with destination 0.0.0.0 and interface your SSLVPN tunnel IP, if all traffic is routed via the VPN
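The routing-table check suggested above, as an added example that is not part of the thread and not Fortinet code: it parses the "Active Routes" section of Windows `route print` output and reports whether the client is in full-tunnel mode (lowest-metric 0.0.0.0/0 route on the tunnel interface) or split-tunnel mode (only specific prefixes on the tunnel). The two route tables are constructed samples; the tunnel IP 10.212.134.200, the home LAN 192.168.1.0/24 and the VPN gateway 203.0.113.10 are assumed values. It also recognises the 0.0.0.0/1 plus 128.0.0.0/1 pair that some VPN clients push instead of a plain default route, which goes beyond the single 0.0.0.0 check described in the reply.

```python
"""Classify a Windows `route print` IPv4 table as full-tunnel or split-tunnel.

Added example (not from the thread, not Fortinet code). The route tables
below are constructed samples laid out like the "Active Routes" section of
`route print`; tunnel IP 10.212.134.200, LAN 192.168.1.0/24 and VPN gateway
203.0.113.10 are assumed values.
"""
import ipaddress
import platform
import re
import subprocess

# Columns: Destination, Netmask, Gateway, Interface, Metric.
# Gateway is a dotted quad or the literal "On-link".
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)

# Constructed sample: tunnel default route with metric 1 beats the LAN
# default route; the host route to the VPN gateway stays on the physical
# interface so the tunnel's own packets do not loop into the tunnel.
SAMPLE_FULL_TUNNEL = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0         On-link   10.212.134.200      1
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50     26
===========================================================================
"""

# Constructed sample: only two corporate prefixes ride the tunnel; the
# default route still points at the home router.
SAMPLE_SPLIT_TUNNEL = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
         10.0.0.0        255.0.0.0         On-link   10.212.134.200      1
        127.0.0.0        255.0.0.0         On-link        127.0.0.1    331
      172.16.10.0    255.255.255.0         On-link   10.212.134.200      1
      192.168.1.0    255.255.255.0         On-link     192.168.1.50    281
     203.0.113.10  255.255.255.255      192.168.1.1    192.168.1.50     26
===========================================================================
"""


def parse_routes(text):
    """Return the IPv4 routes found in `route print` output as dicts."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                           "interface": iface, "metric": int(metric)})
    return routes


def to_cidr(dest, mask):
    """Normalise destination + dotted netmask to CIDR, e.g. 10.0.0.0/8."""
    return str(ipaddress.IPv4Network(f"{dest}/{mask}", strict=False))


def classify_routes(text, tunnel_ip):
    """Decide full-tunnel vs split-tunnel for the adapter that owns tunnel_ip.

    Full tunnel: the lowest-metric 0.0.0.0/0 route sits on the tunnel
    interface, or the tunnel carries the 0.0.0.0/1 + 128.0.0.0/1 pair that
    some clients push to out-prefix the physical default route.
    """
    routes = parse_routes(text)
    via_tunnel = [r for r in routes if r["interface"] == tunnel_ip]
    defaults = [r for r in routes if to_cidr(r["dest"], r["mask"]) == "0.0.0.0/0"]
    # Windows uses the lowest displayed metric among equal-prefix routes.
    best_default = min(defaults, key=lambda r: r["metric"]) if defaults else None
    tunnel_cidrs = sorted({to_cidr(r["dest"], r["mask"]) for r in via_tunnel})
    full = (best_default is not None and best_default["interface"] == tunnel_ip) \
        or {"0.0.0.0/1", "128.0.0.0/1"} <= set(tunnel_cidrs)
    return {
        "mode": "full-tunnel" if full else "split-tunnel",
        "default_via": best_default["interface"] if best_default else None,
        "tunnel_routes": [c for c in tunnel_cidrs if c != "0.0.0.0/0"],
    }


def classify_live(tunnel_ip):
    """On a Windows client, read the real table with `route print -4`."""
    if platform.system() != "Windows":
        raise RuntimeError("route print is Windows-only; pass saved output instead")
    out = subprocess.run(["route", "print", "-4"], capture_output=True,
                         text=True, check=True).stdout
    return classify_routes(out, tunnel_ip)


if __name__ == "__main__":
    for name, table in (("full", SAMPLE_FULL_TUNNEL), ("split", SAMPLE_SPLIT_TUNNEL)):
        print(name, classify_routes(table, "10.212.134.200"))
```

To use it on a real client, copy the tunnel adapter's IPv4 address from `ipconfig`, call `classify_live(tunnel_ip)` on the Windows box, or save `route print -4` output to a file and pass its contents to `classify_routes`. A "what is my IP" lookup only tells you where web traffic exits; the route table tells you which prefixes were pushed, which is what the split-tunnel setting actually controls.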
When the split-route list is left empty, the FortiGate is supposed to automatically generate a list of routes based on the destination address objects in relevant SSL-VPN firewall policies. (I am not sure if it accepts all types of address objects, e.g. IP ranges)
Not sure if that's a statement or a question. Checking your IP with "What is my IP" at Google doesn't prove the FQDN is working, because the test's destination is Google, not the FQDN. You need to traceroute to the FQDN using the same DNS server your FGT is using.
Or just check the routing table at your client machine described in the KB.
Toshi
Let me clarify better.
When I'm using Split Tunneling left blank, if I look up my internet IP, it shows me the IP of the company's WAN.
When I'm using Split Tunneling with addresses in the Routing Address, if I look up my internet IP, it shows me the IP of my carrier's WAN at home.
Using Split Tunneling blank, is my traffic all going through the VPN?
I am wondering why FortiOS even allows that setting, as it is completely useless to enable split tunneling without setting anything then.
However, it seems to treat that as if it were disabled.
That means with split tunneling on with no setting (or disabled), all traffic will go through the VPN because it will modify your default route.
If you enable split tunneling and set some subnets in there, it will not touch your default route but push a route for the subnets you specified there.
For that it does not matter whether you use an FQDN or an IP as the remote gateway.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
I agree with pminarik, because we use it for one of our customers. You probably didn't set the SSL-VPN policy correctly. Read the KB again or show us what the policy looks like.
Toshi
Folks, that's just it.
When Split Tunneling is enabled and left blank, VPN traffic will only be directed to the addresses in the FortiGate VPN rule.
Any other access that is not in the rule will go through the user's internet.
It adds a 0.0.0.0 route to my interface.
And other routes to the addresses set in the VPN rule on the FortiGate.
The article is perfect. I did all the simulations and it served the purpose of keeping Split Tunneling blank.
Copyright 2025 Fortinet, Inc. All Rights Reserved.