FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 193073


This article describes how to negate or exclude addresses from 'Routing Address' with SSL-VPN split tunnel SSL-VPN.






The option is only available in the CLI.


config vpn ssl web portal

Description: Portal.
edit <name>

set tunnel-mode [enable|disable]
set split-tunneling [enable|disable]
<-- Once enabled, 'Routing Address' will be visible.
set split-tunneling-routing-negate [enable|disable]
<-- It is necessary to enable this option to exclude the address from 'Routing Address'.
set split-tunneling-routing-address <name1>, <name2>, ...
<-- It is possible to specify the address to exclude from routing.




For example, to exclude office365 access through the tunnel, perform the following steps.

1) Enable 'split tunneling'
2) Enable 'split-tunneling-routing-negate'.
3) Add the address for office365.


Note: while split-tunneling is enabled, the FortiGate will use the policy to determine the subnets to push into the client.
Since it's split-tunnel, it is not possible to use 'all' as a destination in the policy to push the default route.


To fix the 'all' issue, configure a firewall policy with the addresses the user wants to negate as the destination address on the policy and enable 'dstaddr-negate' in the CLI.
Any outgoing traffic will use the policy.


config firewall policy

edit x

set dstaddr-negate enable 




The following FortiClient versions support the split-tunneling-routing-negate feature:
Windows FortiClient v6.4.0 and later.
Mac FortiClient v7.0.1 and later.


Note: The ISDP object will not support split tunneling (such as with Office365, which means it is necessary to manually build an address group and include all of the O365 addresses.)


Related article:

Technical Tip: How to negate/exclude address from 'Routing Address' under split tunnel SSL VPN.