Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MDIT
New Contributor II

SSL VPN Split Tunnel - Send Some Internet Traffic to FortiGate

FortiOS 6.0.9 on a cluster of 300Es.

 

SSL VPN configured and being used by staff working remotely.  Everything works great.  Users have FortiClient installed and we have EMS server managing that side of things as well.

 

We have some internet-based applications which we use, which are IP-restricted, so the users have to access them via our internal internet breakout.  With the VPN, all internet traffic is egressing locally to the user, so the IPs are not whitelisted (nor do we want them to be), so users are having to log into Citrix to access the web applications from inside the business.

 

Is there a way to force traffic to certain internet IPs to traverse the tunnel and therefore breakout in the office rather than the users internet?

3 REPLIES 3
Markus
Valued Contributor

Yes, this is easy to achieve... Check https://docs.fortinet.com...tunnel-for-remote-user

it's for 6.2, but also good for 6.0.9

if you need for different user or profiles (split/no split), also see https://forum.fortinet.com/tm.aspx?tree=true&m=186161&mpage=1


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
sw2090

hm that would require your client to get a route for this service pushed. Otherwise that traffic will use the default route.

The problem is that if the service uses an FQDN it may have more than one ip (and not all in the same subnet mostly) so you would need to find all of them and push a route for them.

The only other way I see is to disable split tunneling at all to have all traffic go over the vpn.

That is if it is limited to your WAN IP(s). We have one servie that is but that's only used from within the shops.

 

If there is services limited to your company subnet you could do SNAT with e.g. an ip pool.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Markus
Valued Contributor

Good point, I had the same problem with some Azure (also FQDN) services (whitelist from Pat IP). I then create a FQDN address object and put this in the split tunnel address group. This is working for me (FG501E with FOS 6.0.9).


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors