Preparing to implement split-tunneling-routing-negate. Any thoughts?
We are preparing to implement Split Tunneling for our SSL-VPN users, specifically to include split-tunneling-routing-negate to hopefully exclude Microsoft 365 services from traversing the SSL-VPN tunnel and instead go out the local internet connection.
We have two (2) FortiGate 101Fs in an HA configuration. Current firmware is 6.2.4
FortiClient versions 126.96.36.1994
We will be upgrading our firmware in the next 7-10 days, from 6.2.4 to 6.4.3 and then from 6.4.3 to 6.4.4, as 6.2.4 does not have the split-tunneling-routing-negate option. Following the firmware upgrade, we want to implement the split tunnel with routing negate, and have found only this Fortinet article documenting basic use, which unfortunately does not include a very detailed example.
We plan to implement the following commands:
config vpn ssl web portal
set tunnel-mode enable
set split-tunneling enable
set split-tunneling-routing-negate enable
set split-tunneling-routing-address <name1>, <name2>, ...
I am not sure what to put here. I have run the PowerShell script from Microsoft to get the current list of all domains / IP addresses. Should the set split-tunneling-routing-address command look like this:
set split-tunneling-routing-address 188.8.131.52/17,184.108.40.206/32,220.127.116.11/17,18.104.22.168/22
Any help or comments or previous experience trying to implement this would be greatly appreciated.
I originally planned on contacting support for verification, but I thought I would reach out in the Forums first.
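For anyone working through the same question, here is an added example (not from the original post and not Fortinet's own code) showing the shape of the config that split-tunneling-routing-negate expects. In FortiOS the split-tunneling-routing-address setting references firewall address or address group names rather than raw CIDR values, so the IP ranges from the Microsoft endpoint list first have to become address objects. The script below takes records in the same field layout as the Microsoft 365 endpoint web service output (id, serviceArea, category, required, ips), keeps only the required IPv4 prefixes of the chosen category, and renders the address objects, an address group and the portal settings. The endpoint records, the portal name "full-access" and the group name "M365-EXCLUDE" are constructed placeholders using documentation ranges, not the real Microsoft 365 list. IPv6 entries are skipped because the firewall address object takes IPv4 subnets; they would need separate address6 objects.

```python
"""Build FortiOS CLI config that excludes Microsoft 365 IPv4 ranges from an
SSL-VPN split tunnel using split-tunneling-routing-negate.

Added example, not from the original post or from Fortinet. The input format
mirrors the Microsoft 365 endpoint web service / PowerShell output (fields
'id', 'serviceArea', 'category', 'required', 'ips'); the records below are
CONSTRUCTED samples using documentation ranges, not the real M365 list.
"""
import ipaddress

# Constructed sample records in the shape of the Microsoft 365 endpoint list.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["203.0.113.0/24", "2001:db8:1::/48"]},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "ips": ["198.51.100.0/25"]},
    {"id": 3, "serviceArea": "Skype", "category": "Allow", "required": True,
     "ips": ["192.0.2.0/26"]},
    {"id": 4, "serviceArea": "Common", "category": "Default", "required": False,
     "ips": ["192.0.2.128/25"]},
    # URL-only record with no 'ips' key: nothing to route by prefix.
    {"id": 5, "serviceArea": "Exchange", "category": "Optimize", "required": True},
]


def select_ipv4_prefixes(endpoints, categories=("Optimize",)):
    """Return sorted, de-duplicated IPv4 networks for the chosen categories.

    IPv6 entries are skipped: a FortiOS 'firewall address' object holds an
    IPv4 subnet; IPv6 ranges would go into 'firewall address6' instead.
    """
    nets = set()
    for ep in endpoints:
        if ep.get("category") not in categories or not ep.get("required", False):
            continue
        for cidr in ep.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:
                nets.add(net)
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def render_fortios(nets, portal="full-access", group="M365-EXCLUDE"):
    """Render address objects, one address group and the SSL-VPN portal config.

    'portal' and 'group' are placeholder names chosen for this example.
    """
    names = []
    lines = ["config firewall address"]
    for net in nets:
        name = f"M365-{net.network_address}_{net.prefixlen}"
        names.append(name)
        lines += [f'    edit "{name}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines.append("end")
    lines += ["config firewall addrgrp", f'    edit "{group}"',
              "        set member " + " ".join(f'"{n}"' for n in names),
              "    next", "end"]
    # With routing-negate enabled, the listed addresses are the ones that
    # bypass the tunnel; everything else is routed through the SSL-VPN.
    lines += ["config vpn ssl web portal", f'    edit "{portal}"',
              "        set tunnel-mode enable",
              "        set split-tunneling enable",
              "        set split-tunneling-routing-negate enable",
              f'        set split-tunneling-routing-address "{group}"',
              "    next", "end"]
    return "\n".join(lines) + "\n"


def build_config(endpoints=SAMPLE_ENDPOINTS, categories=("Optimize",)):
    """Full pipeline: filter the endpoint records, then render the CLI text."""
    return render_fortios(select_ipv4_prefixes(endpoints, categories))


if __name__ == "__main__":
    print(build_config())
```

The default filter keeps only the Optimize category, which is the set Microsoft recommends sending direct when split tunneling; pass categories=("Optimize", "Allow") to widen it. Two things to check before pasting the output: the Microsoft list changes over time, so regenerate it on a schedule rather than once, and the FortiClient build in use has to support negate routing, so confirm that in the FortiClient release notes for your version.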