SSL VPN - Split Tunneling

Author
Domsi
New Member
  • Total Posts : 15
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/11 05:42:53
  • Status: offline
2020/02/25 10:51:30 (permalink)
0

SSL VPN - Split Tunneling

Hi.

I have a FortiGate 100F which I have configured for SSL-VPN in "Tunnel-Mode" (also configured a policy) > which is working. Now I would like to set up "Split Tunneling" > I have enabled it and set up the routing addresses.

Now the issue is that I can only connect to the "MGMT-IP-Address" if I set the outgoing interface to "any". I have attached a screenshot of the VPN policy. If it is configured like in the screenshot, then I'm able to connect to the "MGMT-IP-Address" for remote management over VPN. "Security Fabric" marks this as "failed".
 
But I can't select "MGMT" as interface in the policy rules; it is not appearing in the list of interfaces. If I add all available interfaces (except "any") to the "outgoing interface", then I'm not able to connect to the "MGMT-IP-Address" with VPN.
 
For the MGMT-IP-Address I have created a "firewall address", which I have added to the "routing addresses":
 
config firewall address
    edit "VPN-MGMT"
        set uuid e79017f6-4b1f-51ea-b3bb-a7dd0f696a51
        set subnet 192.168.99.0 255.255.255.0
    next
end

 
As explained, it is working with "outgoing interface = any" in the policy - but the "Security Fabric" marks it "failed" and I can't set this interface/IP as the outgoing interface.

Can I ignore the Security Fabric for this case? I suppose not, but now I'm wondering how I can connect to the "MGMT-IP-Address".


Attached image: screenshot of the VPN policy

#1
sw2090
Platinum Member
  • Total Posts : 551
  • Scores: 39
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: SSL VPN - Split Tunneling 2020/02/25 23:43:29 (permalink)
0
hm, is that mgmt interface part of a zone or trunk or switch? In this case it is not shown anymore in the selection drop-down. You would have to use the zone/trunk/switch interface then instead.
#2
Domsi
New Member
  • Total Posts : 15
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/11 05:42:53
  • Status: offline
Re: SSL VPN - Split Tunneling 2020/02/26 00:27:09 (permalink)
0
No, none of these three. Only "DHCP" was enabled; I have disabled it now. Verifying the GUI > Ref = 0.
#3
sw2090
Platinum Member
  • Total Posts : 551
  • Scores: 39
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: SSL VPN - Split Tunneling 2020/02/26 04:12:48 (permalink)
0
hm, afair it could also be due to the role the interface is set to have. The role also affects some interface features.
Is your MGMT dedicated to role management or similar?
#4
ShawnZA
Silver Member
  • Total Posts : 90
  • Scores: 11
  • Reward points: 0
  • Joined: 2018/04/02 23:31:22
  • Location: Cape Town
  • Status: offline
Re: SSL VPN - Split Tunneling 2020/02/26 04:42:51 (permalink)
0
Can one still use the dedicated Mng interfaces for normal traffic? I think that was removed, or not?
You should have created a Management VDOM and assigned the dedicated management interface to that VDOM only.
post edited by ShawnZA - 2020/02/26 04:50:06
#5
sw2090
Platinum Member
  • Total Posts : 551
  • Scores: 39
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: SSL VPN - Split Tunneling 2020/02/26 04:50:53 (permalink)
0
hm, never tried to, since I don't need a dedicated management interface. We're using VLANs for that...
#6
Domsi
New Member
  • Total Posts : 15
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/11 05:42:53
  • Status: offline
Re: SSL VPN - Split Tunneling 2020/02/26 05:45:51 (permalink)
0
It looks like it is not appearing because of the "dedicated-to management" setting. It is described here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD37035
 
It prevents creating a firewall policy using an interface configured with this setting.

 
The site also shows that it should appear as a connected route in the routing table - but this entry is missing (enabling or disabling "dedicated-to management" does not help).
 
The interface is in "role = LAN":
 
config system interface
    edit "mgmt"
        set vdom "root"
        set ip 192.168.99.99 255.255.255.0
        set allowaccess ping https fgfm
        set type physical
        set dedicated-to management
        set role lan
        set snmp-index 2
    next
end

 
BUT now I have found out that this is not related to "Split Tunneling". If I disable "Split Tunneling" the same issue appears > I can only connect to the MGMT interface if the policy is set to "any".

So I have to decide if I ignore the warning of the "Security Fabric" or I disable "dedicated-to management"?? But what is the drawback if I disable "dedicated-to management"?
#7
sw2090
Platinum Member
  • Total Posts : 551
  • Scores: 39
  • Reward points: 0
  • Joined: 2017/06/14 01:27:25
  • Location: Regensburg
  • Status: offline
Re: SSL VPN - Split Tunneling 2020/02/26 06:09:31 (permalink) - marked helpful by Domsi 2020/02/26 09:12:10
0
well, hm, the dedicated-to-mgmt is a FortiOS factory default setting. If you don't need a dedicated mgmt interface (like we don't need one, because we have a mgmt VLAN for this purpose) you could unset this and use the port for other purposes. It then behaves like any other port does.
 
For your policy you would have to set src to the subnet that is on your tunnel. You should have configured a client IP range on that tunnel, so traffic from the client will come in with an IP out of this range.
#8
Domsi
New Member
  • Total Posts : 15
  • Scores: 0
  • Reward points: 0
  • Joined: 2018/05/11 05:42:53
  • Status: offline
Re: SSL VPN - Split Tunneling 2020/02/26 09:22:39 (permalink)
0
Thank you for your answer. Before, I only had a FortiGate 60D without a dedicated management port, and now I thought this MGMT interface is fixed and I can only manage the FortiGate with this port/IP address.
 
Because you have written that you are using a mgmt VLAN and I can use the MGMT interface like the other internal interfaces, I realized that I'm not tied to the MGMT interface... Then I have seen that this was done on the 60D with "FMG-Access"...
 
So in this case I can also create a MGMT VLAN, and then I can adjust the policy as needed.
 
 
#9