Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

VPN Profile Selection

Is it possible for users to select different VPN profiles upon connection? ie present a split tunnel and full route option...ideally I would like to tunnel everything for logging and protection purposes but there is some mgmt concern, yet they want to offer full routing for starbucks, public hotspots, etc...the concern is large items like microsoft updates, etc...

Contributor III

Yes, in a Fortinet FortiGate environment, it's possible to configure multiple VPN profiles that users can select from, depending on their needs. You can set up different profiles to handle various scenarios, such as split tunneling (where only specific traffic is routed through the VPN) and full tunneling (where all traffic is routed through the VPN).

Here's a general outline of how you might accomplish this:

### 1. Define Different VPN Profiles
Create multiple VPN profiles within the FortiGate to cater to different scenarios. For instance:
- **Full Tunnel Profile**: This profile would route all traffic through the VPN, providing maximum security and logging.
- **Split Tunnel Profile**: This profile would only route specific traffic (e.g., corporate resources) through the VPN, allowing other traffic to bypass the VPN. This could be useful for large downloads like Microsoft updates.

### 2. Configure SSL VPN Portals
Set up different SSL VPN portals for each profile. Users will be able to choose the appropriate portal based on their needs.

### 3. Configure Group Policies
You might also want to define different group policies for different user roles, determining who has access to which VPN profiles.

### 4. Educate Users
Make sure users are aware of the different profiles and when to use them. You might need to create some documentation or training to ensure that they make the right choice for their situation.

### 5. Monitor and Log Traffic
Since one of your goals is logging and protection, make sure to configure appropriate logging for both profiles to keep track of what's happening on the network.

### Considerations
- **Security**: Full tunneling offers more control and security, but it might not always be practical. Split tunneling could expose risks if not configured correctly.
- **Performance**: Full tunneling can put more load on your VPN servers, especially if users are downloading large files like OS updates.
- **User Experience**: Offering multiple profiles provides flexibility but can also add complexity for the users. Clear guidelines and support can mitigate this.

Remember, configuring VPNs is a complex task that requires careful consideration of your specific needs and the security implications of different configurations. It may be beneficial to consult with a network security expert or refer to the FortiGate documentation to ensure that you're configuring these options in a way that meets your organization's requirements.

New Contributor

many thanks, I was able to build separate profiles and attach to the user groups...however upon connection with the Fortinet client, I am not prompted for any selection


Yes, this does not work. You already define this on the Fortigate.

New Contributor

so just to confirm, users can not select the profile via the client upon connection...sounds like a nice compromise would tunnel everything except known locations like windows update

Esteemed Contributor III

If you don't want for one user to have two different usernames, you need to set up "realm" then let the user to chose which realm to connect to, like to or, like below:




interesting concept...will have to look into that and play around this weekend (yeah I get bored easily)

Esteemed Contributor III

It would be a fun small project you won't get bored for sure :)