Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
GersonLestrange
New Contributor II

Created on ‎06-08-2022 10:23 PM

SSL VPN FQDN

Keeping Split Tunneling routing address blank in SSL-VPN portal. be able to use FQDN addresses

so my collaborator's internet goes out through fortigate, or through the internet from his own home?

 

Leaving Split Tunning blank, when checking the IP that the Client is going out to the internet, it is the Company's IP. Is internet traffic going all the way through Fortigate?

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-to-Specific-FQDN-using-Split-Tunnel...

Labels:
5567
0 Kudos
2 Solutions
Debbie_FTNT
Staff
Staff
In response to GersonLestrange

Created on ‎06-09-2022 12:51 AM

Hey Gerston,

it seems likely that when you enable split-tunneling but DON'T specify a routing address, all traffic goes through the VPN.

You could check the routing table on your PC.

For Windows for example, open the command prompt and type 'route print'

-> it should include a route with destination 0.0.0.0 and interface your SSLVPN tunnel IP, if all traffic is routed via the VPN

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++

View solution in original post

5552
pminarik
Staff
Staff
In response to sw2090

Created on ‎06-09-2022 03:50 AM

When the split-route list is left empty, the FortiGate is supposed to automatically generate a list of routes based on the destination address objects in relevant SSL-VPN firewall policies. (I am not sure if it accepts all types of address objects, e.g. IP ranges)

[ corrections always welcome ]

View solution in original post

5542
8 REPLIES 8
Toshi_Esumi
SuperUser
SuperUser

Created on ‎06-08-2022 10:38 PM Edited on ‎06-08-2022 10:40 PM

Not sure it's your statement or question. Checking IP like "What is my IP" at Google doesn't prove the FQDN is working because the test's destination is Google, not the FQDN. You need to traceroute to the FQDN using the same DNS server your FGT is using.

Or just check the routing table at your client machine described in the KB.

 

Toshi

5535
GersonLestrange
New Contributor II
In response to Toshi_Esumi

Created on ‎06-08-2022 10:56 PM

Let me clarify better.

When I'm using Split Tunning in White, if I make a query of my Internet IP, it shows me the IP of the company's wan.

GersonLestrange_0-1654753932043.png

 

When I'm using Split Tunning with addresses in the Routing Address, if I make a query of my Internet IP it shows me the IP of my carrier's wan at home.

GersonLestrange_1-1654754009030.png

 

5532
0 Kudos
GersonLestrange
New Contributor II
In response to Toshi_Esumi

Created on ‎06-08-2022 10:59 PM

Using Split Tunning Blank, is my traffic all going through the VPN?

5532
0 Kudos
Debbie_FTNT
Staff
Staff
In response to GersonLestrange

Created on ‎06-09-2022 12:51 AM

Hey Gerston,

it seems likely that when you enable split-tunneling but DON'T specify a routing address, all traffic goes through the VPN.

You could check the routing table on your PC.

For Windows for example, open the command prompt and type 'route print'

-> it should include a route with destination 0.0.0.0 and interface your SSLVPN tunnel IP, if all traffic is routed via the VPN

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
5553
sw2090
SuperUser
SuperUser

Created on ‎06-09-2022 01:29 AM

I am wondering why FortiOS even allows that setting as it is completely useless to enable split tunneling without setting anything then.

However it seems to thread that as if it were disabled. 

That means with split tunneling on with no setting (or disabled) all traffic will go through the vpn because it will modify your default route.

If you enable split tunneling and set some subnet in there it will not touch your default route but push a route the subnets you specified there.

For that it does not matter wether you use a fqdn or an ip as remote gateway.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
5522
pminarik
Staff
Staff
In response to sw2090

Created on ‎06-09-2022 03:50 AM

When the split-route list is left empty, the FortiGate is supposed to automatically generate a list of routes based on the destination address objects in relevant SSL-VPN firewall policies. (I am not sure if it accepts all types of address objects, e.g. IP ranges)

[ corrections always welcome ]
5543
Toshi_Esumi
SuperUser
SuperUser
In response to pminarik

Created on ‎06-09-2022 08:15 AM

I agree to pminarik. Because we use it for one of our customers. You probably didn't set the SSL-VPN policy correctly. Read the KB again or show us how the policy looks like.

 

Toshi

5506
GersonLestrange
New Contributor II

Created on ‎06-09-2022 07:34 PM

Staff is just that.

When Split Tunning is enabled and is blank. VPN traffic will only be directed to the addresses in the Fortigate VPN Rule.

Any other access that is not in the rule will go through the user's internet.

It adds a 0.0.0.0 route to my interface.
And other routes to the addresses set in the VPN Rule in Fortigate.

The article is perfect.. I did all the simulations and it served the purpose to keep Split Tunning blank.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Access-to-Specific-FQDN-using-Split-Tunnel... 

5487
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.