[Answered] Preparing to implement split-tunneling-routing-negate. Any thoughts?

Author
gverharst
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/12/03 09:24:15
2021/02/12 14:13:23 (permalink)
0

Preparing to implement split-tunneling-routing-negate. Any thoughts?

We are preparing to implement split tunneling for our SSL-VPN users, specifically to include split-tunneling-routing-negate, to hopefully exclude Microsoft 365 services from traversing the SSL-VPN tunnel and instead have them go out the local internet connection.
 
We have two (2) Fortigate 101Fs in a HA configuration.  Current firmware is 6.2.4
 
FortiClient versions 6.4.0.1464
 
In the next 7-10 days we will be upgrading our firmware from 6.2.4 to 6.4.3, then from 6.4.3 to 6.4.4, as 6.2.4 does not have the split-tunneling-routing-negate option. Following the firmware upgrade, we want to implement the split tunnel with routing negate. We have found only this Fortinet article documenting basic use, and unfortunately it does not include a very detailed example.
 
We plan to implement the following commands:
config vpn ssl web portal
    edit SSLVPN-AllUsers
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address <name1> <name2> ...
    next
end

I am not sure what to put in split-tunneling-routing-address. I have run the PowerShell script from Microsoft to get the current list of all domains / IP addresses. Should the set split-tunneling-routing-address command look like this:
        set split-tunneling-routing-address 104.146.128.0/17,104.42.230.91/32,104.47.0.0/17,13.107.128.0/22
 
Any help or comments or previous experience trying to implement this would be greatly appreciated.  
 
I originally planed on contacting support for verification, but I thought I would reach out in the Forums first.
 
Thanks for any assistance in advance.
#1
HaTiMuX
Bronze Member
  • Total Posts : 27
  • Scores: 4
  • Reward points: 0
  • Joined: 2017/04/26 07:57:16
Re: Preparing to implement split-tunneling-routing-negate. Any thoughts? 2021/02/15 03:49:03 (permalink)
Best Answer, marked by gverharst 2021/02/19 14:10:13
0
Hi,
 
You can specify many networks with the command set split-tunneling-routing-address. For example:
config vpn ssl web portal
    edit "Split"
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "Net_1" "Net_2"
    next
end
 
So in your case, create firewall addresses for the Microsoft 365 networks and then add them using that command.
You can even add all Microsoft 365 addresses to an address group, then use the group with the command split-tunneling-routing-address.
 
post edited by HaTiMuX - 2021/02/15 03:53:32
#2
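The two posts above between them describe the whole procedure: pull the Microsoft 365 IP list, turn it into firewall address objects and a group, and point split-tunneling-routing-address at the group with routing-negate enabled. The following is an added worked example for this thread (not code from either poster or from Fortinet) that does exactly that and also models what routing-negate means for a given destination. It assumes: a feed in the shape of the Office 365 IP Address and URL web service that Microsoft's PowerShell script reads (the sample entries below are constructed, not the real list); that only the Optimize category is excluded from the tunnel, which is Microsoft's published split-tunnelling guidance; IPv4 only; the portal name SSLVPN-AllUsers from the original post; and a hypothetical group size of 300, which you must check against the addrgrp member limit of your own model and firmware. The path_for function is a model of the documented negate semantics, not FortiClient code.

```python
"""Build the FortiOS CLI for an M365 split-tunnel exclusion from the Microsoft
endpoint feed, then model where a destination goes under routing-negate.

Added example for this thread; not from the original posts or from Fortinet.
Assumptions are marked inline.
"""
import ipaddress
import json

# Constructed sample shaped like the Office 365 IP Address and URL web service
# output that Microsoft's PowerShell script reads (only the fields used here).
# The real feed has many more entries; the values below are illustrative.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "ips": ["13.107.6.152/31", "13.107.18.10/31", "2603:1006::/40"]},
    {"id": 2, "serviceArea": "Exchange", "category": "Allow", "required": True,
     "ips": ["40.92.0.0/15"]},
    {"id": 31, "serviceArea": "SharePoint", "category": "Optimize", "required": True,
     "ips": ["13.107.136.0/22", "40.108.128.0/17", "2603:1061:1300::/40"]},
    {"id": 11, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["13.107.64.0/18", "52.112.0.0/14"]},
    {"id": 12, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["52.112.0.0/15", "52.122.0.0/15"]},  # the /15 sits inside the /14 above
    {"id": 56, "serviceArea": "Common", "category": "Default", "required": True,
     "ips": ["13.107.128.0/22"]},
])


def select_prefixes(endpoints_json, categories=("Optimize",)):
    """Return the IPv4 prefixes for the chosen categories, de-duplicated and
    collapsed (overlapping or adjacent subnets merged).

    The default follows Microsoft's split-tunnelling guidance: only the
    Optimize category (Exchange Online, SharePoint Online, Teams media).
    IPv6 is dropped; on FortiOS it would need address6 objects and the
    separate ipv6-split-tunneling-routing-address setting."""
    nets = set()
    for entry in json.loads(endpoints_json):
        if entry.get("category") not in categories:
            continue
        for cidr in entry.get("ips", []):
            net = ipaddress.ip_network(cidr, strict=False)
            if net.version == 4:
                nets.add(net)
    return list(ipaddress.collapse_addresses(nets))


def render_fortios(prefixes, portal="SSLVPN-AllUsers", tag="M365", group_size=300):
    """Emit FortiOS CLI: one firewall address per subnet, one or more address
    groups, and the portal with routing-negate pointing at the group names.

    split-tunneling-routing-address takes address/group object names, not CIDR
    literals. group_size=300 is an assumption: check the addrgrp member limit
    for your model and firmware and lower it if needed; the portal setting
    accepts several names, so the groups are chunked."""
    lines = ["config firewall address"]
    names = []
    for net in prefixes:
        name = f"{tag}-{net.network_address}_{net.prefixlen}"  # object names max 79 chars
        names.append(name)
        lines += [f'    edit "{name}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines.append("end")

    groups = []
    lines.append("config firewall addrgrp")
    for start in range(0, len(names), group_size):
        gname = f"{tag}-Negate-{start // group_size + 1}"
        groups.append(gname)
        members = " ".join(f'"{n}"' for n in names[start:start + group_size])
        lines += [f'    edit "{gname}"', f"        set member {members}", "    next"]
    lines.append("end")

    routing = " ".join(f'"{g}"' for g in groups)
    lines += ["config vpn ssl web portal",
              f'    edit "{portal}"',
              "        set tunnel-mode enable",
              "        set split-tunneling enable",
              "        set split-tunneling-routing-negate enable",
              f"        set split-tunneling-routing-address {routing}",
              "    next",
              "end"]
    return "\n".join(lines)


def path_for(dest, prefixes, negate):
    """Model of the client-side routing decision: returns 'tunnel' or 'local'.

    negate disabled: listed subnets go through the tunnel, all else goes local.
    negate enabled:  listed subnets go local, all else goes through the tunnel
                     (the mode this thread wants: M365 bypasses the VPN)."""
    ip = ipaddress.ip_address(dest)
    matched = any(ip in net for net in prefixes)
    if negate:
        return "local" if matched else "tunnel"
    return "tunnel" if matched else "local"


if __name__ == "__main__":
    optimize = select_prefixes(SAMPLE_ENDPOINTS)
    print(render_fortios(optimize))
    for ip in ("52.113.1.1", "10.20.30.40", "13.107.128.5"):
        print(ip, "->", path_for(ip, optimize, negate=True))
```

Run it against the real feed by replacing SAMPLE_ENDPOINTS with the JSON the Microsoft script returns, review the generated address and group names before pasting, and re-run whenever Microsoft publishes a new endpoint version, since stale exclusions silently send new M365 ranges back through the tunnel. Note that with negate enabled everything not in the group is tunnelled, so the firewall policies and any DNS handling on the tunnel side must cover all remaining traffic.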