ppatel
Staff

Description
This article describes how to negate (exclude) addresses listed under 'Routing Address' in a split-tunnel SSL VPN portal, so that traffic to those destinations bypasses the tunnel.

Solution
The option is available only via the CLI.

# config vpn ssl web portal
      edit <name>
          set tunnel-mode [enable|disable]
          set split-tunneling [enable|disable]                        <----- Once enabled, 'Routing Address' becomes visible in the portal settings.
          set split-tunneling-routing-negate [enable|disable]         <----- Must be enabled so that the addresses in 'Routing Address' are excluded from the tunnel instead of routed through it.
          set split-tunneling-routing-address <name1> <name2> ...     <----- The firewall address/group objects to exclude from tunnel routing (space-separated).
      next
end


********************************************************************

Example.
Exclude Office 365 traffic from the tunnel so that it reaches the Internet directly instead of through the SSL VPN.

Solution.

1) Enable 'split-tunneling' on the portal.
2) Enable 'split-tunneling-routing-negate'.
3) Add the address object(s) covering Office 365 to 'split-tunneling-routing-address'.

Note: when split tunneling is enabled (without negate), the FortiGate derives the subnets pushed to the client from the destination addresses of the SSL VPN firewall policy.
Because it is a split tunnel, 'all' cannot be used as the policy destination to push a default route to the client.
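The following is a complete worked configuration for the Office 365 example above, added here as an illustration and not taken from the original article or from Fortinet documentation. The address object names ("o365-exo-1", "o365-exo-2", "office365"), the portal name "split-negate", the interface names (port1, ssl.root), the user group "vpn-users" and the policy ID are assumptions; the subnets are illustrative placeholders and must be replaced with the ranges from Microsoft's published Microsoft 365 endpoint list. The policy destination of 'all' in negate mode is also an assumption: with negate enabled the excluded routes come from 'split-tunneling-routing-address', and the policy must still permit whatever traffic the client sends through the tunnel.

```fortios
# 1) Address objects for the destinations to EXCLUDE from the tunnel.
#    Subnets below are illustrative placeholders (assumption), not an authoritative Office 365 list.
config firewall address
    edit "o365-exo-1"
        set type ipmask
        set subnet 40.96.0.0 255.248.0.0
        set comment "Illustrative Office 365 range - replace with published endpoints"
    next
    edit "o365-exo-2"
        set type ipmask
        set subnet 13.107.6.152 255.255.255.254
        set comment "Illustrative Office 365 range - replace with published endpoints"
    next
end

# 2) Group them so the portal references a single object.
config firewall addrgrp
    edit "office365"
        set member "o365-exo-1" "o365-exo-2"
    next
end

# 3) Portal: split tunnel + negate. Everything goes through the tunnel EXCEPT "office365".
#    Without 'split-tunneling-routing-negate enable', the same list would instead be the
#    ONLY destinations routed through the tunnel.
config vpn ssl web portal
    edit "split-negate"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "office365"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# 4) Map a user group to the portal (group name is assumed).
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "split-negate"
        next
    end
end

# 5) SSL VPN firewall policy. Destination 'all' is used here (assumption) because, in negate
#    mode, the excluded routes are taken from the portal, not from this policy's destination.
config firewall policy
    edit 10
        set name "sslvpn-split-negate"
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "vpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end

# 6) Verify the portal on the FortiGate.
show vpn ssl web portal split-negate
```

After a FortiClient 6.4 or later Windows client connects, the expected result is a default route (or the full set of routes) via the tunnel adapter plus more-specific routes for the "office365" subnets via the local default gateway; if those more-specific routes are absent, check the client version first, since older clients ignore the negate option and route the listed subnets through the tunnel instead.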

For Windows clients, the split-tunneling-routing-negate feature requires FortiClient 6.4.0 or later.

Internal Notes
FortiClient 6.4 or newer is required


Related Articles

Technical Tip: How to negate/exclude address from 'Routing Address' under split tunnel SSL VPN
