Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
shocko
Contributor

Split Tunnel with SSL VPN and Local Resource Access Prevention

We are using Forticlient EMS 7.2.3 and 7.2.3 and split-tunnel for certain traffic (MS Teams for example). To prevent accessing local services (NAS box for example) we enabled exclusive routing on our Fortigate 7.0.0 as per Enabling SSL VPN Full Tunnel - Fortinet Community. However, we can still access local resources/services. 

1 Solution
pminarik
Staff
Staff

 

Given that "exclusive-routing" is available as an option only when full-tunnel is enabled ("set split-tunneling disable", I would question whether these two options are compatible at all.

 

AFAIK app-based split-tunnel is a local routing decision made by FCT (and configured by EMS), so there's a chance that this completely overrides any routing directives received from FGT.

 

edit: Yes, this is as designed. App-based split-routing disables exclusive-routing. Confirmed internally.

 

edit 2: The community article you referenced is now updated with a note about the incompatibility.

 

edit 3: There is a FortiClient/EMS-specific option to disable local LAN access - <enable_local_lan>, which should work with app-based split routingXML docs reference: https://docs.fortinet.com/document/forticlient/7.2.4/xml-reference-guide/858086/ssl-vpn

[ corrections always welcome ]

View solution in original post

11 REPLIES 11
shocko

2 weeks with support and they say 'this should work' but it doesn't in our case. 

shocko

So we have established with support that this is only possible on IPSEC and not SSL at leats on Forticlient 7.2.4. We are engaged with our account manager and support on why the documentation states otherwise.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the ā€œNominate to Knowledge Baseā€ button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors