Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Domsi
New Contributor

SSL VPN - Split Tunneling

Hi. I have a FortiGate 100F which I have configured for SSL-VPN in "Tunnel-Mode" (also configured a policy) > which is working. Now I would like to set up "Split Tunneling" > I have enabled it and set up the routing addresses. Now the issue is that I can only connect to the "MGMT-IP-Address" if I set the outgoing interface to "any". I have attached a screenshot of the VPN policy. If it is configured like in the screenshot, then I'm able to connect to the "MGMT-IP-Address" for remote management over VPN. "Security Fabric" marks this as "failed".

But I can't select "MGMT" as interface in the policy rules, it is not appearing in the list of interfaces. If I add all available interfaces (except "any") to the "outgoing interface" then I'm not able to connect to the "MGMT-IP-Address" with VPN.

 

For the MGMT-IP-Address I have created a "firewall address", which I have added to the "routing addresses":

    config firewall address
        edit "VPN-MGMT"
            set uuid e79017f6-4b1f-51ea-b3bb-a7dd0f696a51
            set subnet 192.168.99.0 255.255.255.0
        next
    end

As explained, it is working with "outgoing interface = any" of the policy - but the "Security Fabric" marks "failed" and I can't set up this Interface/IP on the outgoing interface. Can I ignore the Security Fabric for this case? I suppose not, but now I'm wondering how I can connect to the "MGMT-IP-Address".

sw2090
SuperUser

hm is that mgmt interface part of a zone or trunk or switch? In this case it is not shown anymore in the selection drop down. You would have to use the zone/trunk/switch interface then instead.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Domsi
New Contributor

No, none of these three. Only "DHCP" was enabled, I have disabled it now. Verifying the GUI > Ref = 0.

sw2090

hm afair it could also be due to the role the interface is set to have. The role also affects some interface features.

is your MGMT dedicated to role management or similar?

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

ShawnZA

Can one still use the dedicated mgmt interfaces for normal traffic? I think that was removed, or not?

You should have created a Management VDOM and assigned the dedicated management interface to that VDOM only.

sw2090

hm never tried to since I don't need no dedicated management interface. We're using vlans for that...

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

Domsi
New Contributor

It looks like it is not appearing because of the "dedicated-to management" setting. It is described there: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37035

"It prevents creating a firewall policy using an interface configured with this setting."

 

The site also shows that it should appear as connected route in the routing table - but this entry is missing (enabling, disabling the "dedicated-to management" does not help).


The interface is in the "role = LAN":

        edit "mgmt"
            set vdom "root"
            set ip 192.168.99.99 255.255.255.0
            set allowaccess ping https fgfm
            set type physical
            set dedicated-to management
            set role lan
            set snmp-index 2
        next

 

BUT now I have found out that this is not related to "Split Tunneling". If I disable the "Split Tunneling" the same issue appears > I can only connect to the MGMT-Interface if the policy is set to "any". So I have to decide if I ignore the warning of the "Security Fabric" or I disable the "dedicated-to management"?? But what is the drawback if I disable the "dedicated-to management"?

sw2090 (accepted solution)

well hm the dedicated-to-mgmt is a FortiOS factory default setting. If you don't need a dedicated mgmt interface (like we don't need one because we have a mgmt VLAN for this purpose) you could unset this and use the port for other purposes. It then behaves like any other port does.

For your policy you would have to set src to the subnet that is on your tunnel. You should have configured a client IP range on that tunnel. So traffic from the client will come in with an IP out of this range.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
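Putting the accepted answer together with the split-tunnel setup from the question, here is a worked FortiOS CLI example. It is an added illustration, not configuration posted by anyone in the thread. It reuses the thread's own objects ("mgmt" interface in VDOM root, address object "VPN-MGMT" for 192.168.99.0/24) and the FortiOS defaults "ssl.root", "full-access" and "SSLVPN_TUNNEL_ADDR1"; the user group "sslvpn-admins" is an assumed name. The point is that the management subnet is reachable from SSL VPN clients only, through a policy whose source is the tunnel client pool and whose outgoing interface is "mgmt" rather than "any":

```fortios
# Added example (not from the thread). Names marked "assumed" are not on the page.

# 1. Make "mgmt" a regular interface so it can be selected as a policy interface.
config system interface
    edit "mgmt"
        set dedicated-to none        # was: set dedicated-to management
    next
end

# 2. Split-tunnel portal: only traffic for the routing addresses enters the tunnel.
#    "full-access" is the default portal, SSLVPN_TUNNEL_ADDR1 the default client pool,
#    "VPN-MGMT" the thread's own address object for 192.168.99.0/24.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "VPN-MGMT"
    next
end

# 3. Policy from the SSL VPN interface to the management subnet.
#    Source = client pool (clients arrive with an IP from it), as the answer says;
#    destination interface = "mgmt" instead of "any"; only management services.
#    "sslvpn-admins" is an assumed user group.
config firewall policy
    edit 0
        set name "SSLVPN-to-MGMT"
        set srcintf "ssl.root"
        set dstintf "mgmt"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "VPN-MGMT"
        set action accept
        set schedule "always"
        set service "HTTPS" "PING"
        set groups "sslvpn-admins"
        set nat disable
        set logtraffic all
    next
end
```

After step 1 the connected route for 192.168.99.0/24 via "mgmt" should show up in `get router info routing-table connected`, which the thread notes was missing while the interface was dedicated to management. Keeping the source restricted to the client pool and the services to HTTPS/PING means that unsetting "dedicated-to management" does not open the management address to anything beyond authenticated VPN users.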

Domsi
New Contributor

Thank you for your answer. Before I had only a FortiGate 60D without a dedicated management port, and now I thought this MGMT-Interface is fixed and I can only manage the FortiGate with this port/IP address.

Because you have written that you are using a mgmt-VLAN and I can use the MGMT interface like the other internal interfaces, I realized that I'm not tied to the MGMT-Interface... Then I have seen that this was done on the 60D with the "FMG-Access"...

 

So in this case I can create also a MGMT-VLAN, and then I can adjust the policy as needed.
