Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
jayuk76
New Contributor

SSL-VPN - Can we do this?

Hi

 

We are using the SSL VPN in split tunnel mode

 

So when we are connected all web traffic goes out locally and also company traffic goes through the tunnel.

 

But we want to allow a handful of websites (URLs) to go through the VPN as they are whitelisted.

 

If we could do it based on groups even better but not essential. we do use LDAP integration

 

what is the easiest way to do this?

 

any help is greatly appreciated

 

Jay

 

 

 

 

8 REPLIES 8
Toshi_Esumi
Esteemed Contributor III

We had the same request from one of our customers. But we found out FQDN addresses are not configuratble for the split tunnel. If you know the IP of the FQDN(host name part of URL) doesn't change, you can add them to the routing-address at the portal, which we did.

I think the reason FQDN is not allowed is because once split tunnel is set up when the client got connected, it can't be changed during the tunnel is up even when the address is changed dynamically.

Markus
Valued Contributor

For selective tunnel check [link]https://forum.fortinet.com/m/tm.aspx?m=186161[/link] @toshi with 6.0.9 I was able to route fqdn to split tunnel. Best


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
Markus
Valued Contributor

For selective tunnel check [link]https://forum.fortinet.com/tm.aspx?tree=true&m=186157&mpage=1[/link] @Toshi with 6.0.9 I was able to route FQDN to split tunnel. Best


________________________________________________________
--- NSE 4 ---
________________________________________________________

________________________________________________________--- NSE 4 ---________________________________________________________
emnoc
Esteemed Contributor III

I highly doubt you could do that without  slectively push routes in the split-tunnel, but you could enable explicit proxy and set the machines to use the fortigate as a proxy, why do you want split-tunnel and then route whitelisted URL thru the firewall? I don't see the logic in that request.

 

If your concern on web-filter for the end-users , deploy a full forticlient and control the end-point would be better regardless if he/she is on the vpn or not, IMHO. Here you can use the FC off-net and with all of the filteroptions with EMS endpoints.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
Toshi_Esumi
Esteemed Contributor III

For our customer's case, they had to use one NAT source IP for all users to access some specific Internet services/applications wherever each user might be located.

Toshi_Esumi
Esteemed Contributor III

I was wrong. I just saw in another thread how to do this in GUI. I haven't tested it myself yet but since it's in KB, it should work.

https://kb.fortinet.com/kb/documentLink.do?externalID=FD46248

Basically, don't configure anything at portal, but configure all addresses including FQDN ones in the policy.

jayuk76

thats brilliant - ill give it a go and feedback here

jayuk76
New Contributor

The requirement is because we have a white listed URL that only accepts requests from our Company Public IP

Labels
Top Kudoed Authors