This article shows the steps to enable split tunneling feature and route only internal traffic via tunnel.
In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate.
Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit.
Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.
Create internal subnet address object range as shown below:
Go to Policy & Objects > Addresses
Select 'Create New' and add the head office server address:
#config firewall addressVia GUI:
set subnet 10.129.0.0 255.255.254.0
#config vpn ssl web portal
set ip-pools "SSLVPN_TUNNEL_ADDR1"
set split-tunneling-routing-address "Internal_subnet"
With this configuration, the prefix defined as 'Internal subnet' will be pushed to the client and a static route will be added via the tunnel interface.
If the routing Address field is left blank, then the destination subnet configured in the firewall policy that allows the traffic from the ssl tunnel interface and the user/user group, will be pushed to the client. Configuring an Internet Service as destination in the firewall policy will not push the whole list of IP addresses containing in that particular Internet Service. It will pus a default route.
If both are configured, the "Routing Address" defined in the SSL-VPN portal takes precedence over the one configured in the firewall policy as destination.
# config firewall policyedit 0set srcintf "ssl.root"set dstintf "port1"set srcaddr "SSLVPN_TUNNEL_ADDR1"set dstaddr "all" <-- 0.0.0.0/0set action acceptset schedule "always"set service "ALL"set logtraffic allnextEnd
SSL VPN policies without user/group allocation are used for all SSL-VPN tunnel connections.