Hello,
I would like to create simple configuration for remote SSL VPN:
I want remote user to use split tunneling only for a few subnets (let's say youtube, office365, teams etc.) and the rest of the traffic should go into the corporate network (through the tunnel).
Actually, I am not able to achieve this goal.
The opposite configuration is straightforward (i.e. the whole remote user' traffic breaks locally and only a few networks go into the tunnel).
Unfortunately, this is not what I need ...
I tried to uses "DENY" rule to exclude particular subnets from being tunneled and allow all the rest. But it didn't seem to work properly.
At the moment in our network we don't use split tunneling at all.
My idea is to only enable it for specific subnets in the Internet (to take some load off the the corporate backbone) and have the rest of the traffic (Internet traffic included) to be inspected by corporate Fortigate.
Please let me know if you have any ideas how to address it.
Firmware I use:
FortiClient 6.2.7 FortiGate - 6.0.11
Regards,
Krzysztof
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi,
Did a quick search now and it seems this functionality was introduced in V6.4:
Hope you have a model that supports the 6.4 branch. :)
Hi,
You can use the following command:
config vpn ssl web portal edit "Split" set tunnel-mode enable set split-tunneling-routing-negate enable set split-tunneling-routing-address "Split-Group-Not-to-Use" The command is only available in FortiOS 6.4
Guys - thanks for your suggestion! It looks like a valid solution.
The only problem is that we probably will not be upgrading to 6.4.4 any time soon.
Unfortunately Fortinet has pretty bad reputation regarding the quality/stability of their newest firmware versions ;-(
At this point I am trying to find a workaround in 6.0.11 (or 6.2.7).
Regards,
Krzysztof
This sounds like a valid option, but im a fortigate noob.
How to negate/exclude address from 'Routing Address' under split tunnel SSL VPN (fortinet.com)
Im such a noob, that i have difficulty to tell if a question is already answered :-}
ForMar wrote:This sounds like a valid option, but im a fortigate noob.
How to negate/exclude address from 'Routing Address' under split tunnel SSL VPN (fortinet.com)
Im such a noob, that i have difficulty to tell if a question is already answered :-}
Hello,
It is good solution by all means. The only issue is that this feature is availably only in the newest firmware version - 6.4 which is not a good option for me
(I need something in 6.0 or 6.2 - hence they are proven to be quite stable in the production).
Regards,
Krzysztof
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.