gverharst
New Contributor

Preparing to implement split-tunneling-routing-negate. Any thoughts?

We are preparing to implement split tunneling for our SSL-VPN users, specifically to include split-tunneling-routing-negate, to hopefully exclude Microsoft 365 services from traversing the SSL-VPN tunnel and instead have them go out the local internet connection.

We have two (2) FortiGate 101Fs in an HA configuration. Current firmware is 6.2.4.

FortiClient version 6.4.0.1464.

In the next 7-10 days we will be upgrading our firmware from 6.2.4 to 6.4.3, then from 6.4.3 to 6.4.4, as 6.2.4 does not have the split-tunneling-routing-negate option. Following the firmware upgrade, we want to implement the split tunnel with routing negate, and have found only this Fortinet article documenting basic use, which unfortunately does not include a very detailed example.

 

We plan to implement the following commands:

config vpn ssl web portal
    edit SSLVPN-AllUsers
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address <name1>, <name2>, ...

I am not sure what to put here. I have run the PowerShell script from Microsoft to get the current list of all domains / IP addresses. Should the set split-tunneling-routing-address command look like this:

        set split-tunneling-routing-address 104.146.128.0/17,104.42.230.91/32,104.47.0.0/17,13.107.128.0/22

Any help, comments or previous experience trying to implement this would be greatly appreciated.

I originally planned on contacting support for verification, but I thought I would reach out in the Forums first.

Thanks for any assistance in advance.

1 Solution
HaTiMuX
New Contributor III

Hi,

You can specify many networks with the command set split-tunneling-routing-address. For example:

config vpn ssl web portal
    edit "Split"
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "Net_1" "Net_2"

So in your case, create firewall addresses for Microsoft 365 and then add them using the command.

You can even add all Microsoft 365 addresses to an address group, then use the group with the command split-tunneling-routing-address.

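Added example, not from the post or from Fortinet: a small Python helper that turns the Microsoft 365 endpoint list the question mentions into the firewall address objects, address group and portal settings the accepted answer describes. The JSON field names follow the Microsoft endpoint web service as I understand it and the prefixes in the sample are constructed; SSLVPN-AllUsers is the portal name from the question, and the group name M365-Optimize is my choice.

```python
import ipaddress
import json

# Constructed sample in the shape of the Microsoft 365 endpoint web service output
# (field names are my assumption; the prefixes are made up for this demo).
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["13.107.6.152/31", "2603:1006::/40", "40.96.0.0/13", "not-a-prefix"]},
    {"id": 2, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "ips": ["13.107.136.0/22", "40.96.0.0/13"]},  # overlaps entry 1 on purpose
    {"id": 3, "serviceArea": "Skype", "category": "Allow", "required": True,
     "ips": ["52.112.0.0/14"]},  # excluded unless "Allow" is requested
])


def select_prefixes(endpoints_json, categories=("Optimize",)):
    """Sorted, de-duplicated IPv4 prefixes for the chosen categories, plus rejects."""
    # IPv4 only: split-tunneling-routing-address takes IPv4 address objects.
    prefixes, rejected = set(), []
    for entry in json.loads(endpoints_json):
        if entry.get("category") not in categories or not entry.get("required"):
            continue
        for raw in entry.get("ips", []):
            try:
                net = ipaddress.ip_network(raw, strict=True)
            except ValueError:
                rejected.append(raw)  # never emit a prefix that did not parse cleanly
                continue
            if net.version == 4:
                prefixes.add(net)
    return sorted(prefixes), rejected


def fortios_cli(prefixes, portal="SSLVPN-AllUsers", group="M365-Optimize"):
    """Emit FortiOS CLI: one address object per prefix, one group, then the portal."""
    names = [f"M365_{n.network_address}_{n.prefixlen}" for n in prefixes]
    lines = ["config firewall address"]
    for name, net in zip(names, prefixes):
        lines += [f'    edit "{name}"',
                  f"        set subnet {net.network_address} {net.netmask}", "    next"]
    lines += ["end", "config firewall addrgrp", f'    edit "{group}"',
              "        set member " + " ".join(f'"{n}"' for n in names), "    next", "end",
              "config vpn ssl web portal", f'    edit "{portal}"',
              "        set tunnel-mode enable", "        set split-tunneling enable",
              "        set split-tunneling-routing-negate enable",
              f'        set split-tunneling-routing-address "{group}"', "    next", "end"]
    return "\n".join(lines)
```

Because routing-negate sends everything except the listed addresses through the tunnel, the bypass list should stay as small as you can justify; the default here keeps only the required Optimize-category prefixes, and anything that fails to parse is reported rather than pushed into the config.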