Hello,
I work as a system/server admin at a company that has many branches around the world, which means that most employees are using VPN connections for work purposes.
My problem is that some employees are using proxy/VPN mobile apps to access social media sites (like YouTube and Facebook), and I'm unable to block these connections, since I would be blocking all the VPN connections (tunneling) for all employees. I also cannot block their IPs, since I don't know which IP belongs to which user.
I hope you can help me get around this issue, because it's causing a lot of problems considering the limited bandwidth that we have.
P.S. I am new at this job and still learning about firewalls and such, so if you are going to answer, please be specific :)
Thanks
Hi @mac5,
A good start is the document 'library' here: http://docs.fortinet.com/
I would suggest getting hold of a spare FortiGate device (or downloading the trial VM from the support portal) and testing whatever you would like to implement on your corporate devices later on.
Just take a look at your FortiGate device options; there are multiple options, e.g. geographic addresses, application filters and website category filters, which can be used separately or together in your firewall policies.
...and be aware that when you enable split tunneling on a VPN connection (because this is what may allow traffic to bypass the VPN tunnel), your policies might not apply to some of the traffic...
Hi @zhunissov4, thanks for replying.
To answer your questions:
1,2) I think most of the branches, if not all, use the FortiGate c300. I'm only responsible for the firewall in my branch, which is the HQ branch.
3) SSL
Can you please give me a link on how to do the split tunneling?
@zhunissov4 thanks for bearing with me this long :).
You answered half my question :), but misunderstood me on the other half.
I want people to be able to access the internet while connected through the VPN. What I want to do is to only block the VPN/proxy avoidance apps, which allow the user to get around his policy on the firewall and access whatever he wants.
You've got the answer already: if the default route (0.0.0.0/0) points to the tunnel, ALL and EVERY traffic is routed to the HQ, where you can inspect/filter/block it as you like. The means to do this is called 'split tunneling': if you disable s-t, all traffic goes to the SSLVPN server / HQ.
You can check this behavior by looking at the routing table on the client running FortiClient SSL ('route print').
I would recommend not using the SSLVPN portal but SSLVPN tunnel mode, just to support any traffic. The portal uses several proxies for HTTP, HTTPS etc. but will not support custom services (like VNC, ping, ...).
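To make the advice above concrete, here is an added FortiOS CLI example (not from this thread or from Fortinet's documentation): it disables split tunneling on the SSL VPN portal so the client's default route goes through the tunnel, then applies an application control profile that blocks the Proxy category on the policy carrying SSL VPN traffic out to the internet. The portal, profile, address-pool and interface names are assumptions, and the Proxy category ID should be verified on your firmware.

```fortios
# Added example, not from the thread. "full-access", "block-proxy-apps",
# "SSLVPN_TUNNEL_ADDR1", "ssl.root" and "wan1" are assumed names.

# 1. Disable split tunneling: the client's default route (0.0.0.0/0) then
#    points at the tunnel, so all traffic reaches HQ and hits HQ policies.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 2. Application control profile that blocks proxy / VPN-avoidance apps.
#    Category 6 is "Proxy" in FortiOS application control; confirm the ID
#    on your firmware before relying on it.
config application list
    edit "block-proxy-apps"
        set comment "Block proxy and VPN-avoidance apps for SSL VPN users"
        config entries
            edit 1
                set category 6
                set action block
            next
        end
    next
end

# 3. Apply the profile on the policy that carries SSL VPN traffic to the
#    internet. SSL inspection is needed so encrypted app traffic can be
#    classified; logging ties each block to the VPN user, not just an IP.
config firewall policy
    edit 0
        set name "sslvpn-to-internet"
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set application-list "block-proxy-apps"
        set logtraffic all
        set nat enable
    next
end
```

Confirm from a client with 'route print' that 0.0.0.0/0 now goes via the tunnel adapter, and check Log & Report for application control events: because SSL VPN logs record the username with the assigned tunnel IP, they also solve the "which IP belongs to which user" problem from the original question.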
@mac5 ("I want people to be able to access the internet while they are connected via VPN; what I want to do is not that VPN / proxy evolution applications, which make it easier to use the policy on the app. -fire.") Post how your answer to this question went; I have the same problem as you. Thank you for answering me.
Copyright 2025 Fortinet, Inc. All Rights Reserved.