Preparing to implement split-tunneling-routing-negate. Any thoughts?
We are preparing to implement Split Tunneling for our SSL-VPN users, specifically to include split-tunneling-routing-negate to hopefully exclude Microsoft 365 services from traversing the SSLVPN tunnel and instead go out the local internet connection.
We have two (2) FortiGate 101Fs in a HA configuration. Current firmware is 6.2.4.
FortiClient versions 220.127.116.114
In the next 7-10 days we will be upgrading our firmware from 6.2.4 to 6.4.3, then from 6.4.3 to 6.4.4, as 6.2.4 does not have the split-tunneling-routing-negate option. Following the firmware upgrade, we want to implement the split tunnel with routing negate and have found only this Fortinet article documenting basic use, which unfortunately does not include a very detailed example.
We plan to implement the following commands:

config vpn ssl web portal
    edit SSLVPN-AllUsers
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address <name1>, <name2>, ...

I am not sure what to put here. I have run the PowerShell script from Microsoft to get the current list of all domains / IP addresses. Should the set split-tunneling-routing-address command look like this:

set split-tunneling-routing-address 18.104.22.168/17,22.214.171.124/32,126.96.36.199/17,188.8.131.52/22

Any help or comments or previous experience trying to implement this would be greatly appreciated. I originally planned on contacting support for verification, but I thought I would reach out in the Forums first. Thanks for any assistance in advance.
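
Added example, not part of the original post and not Fortinet's or Microsoft's code: one way to turn an exported CIDR list into FortiOS CLI, assuming `split-tunneling-routing-address` takes the names of firewall address objects or groups (as the `<name1>` placeholders suggest). The sample ranges are constructed documentation prefixes, and the object and group names are hypothetical.

```python
import ipaddress

# Constructed sample input (RFC 5737 / RFC 3849 documentation ranges) standing in
# for the CIDR list exported by the Microsoft script; not real Microsoft 365 ranges.
SAMPLE_CIDRS = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.7/32",
                "203.0.113.77/24", "2001:db8::/32", "198.51.100.7/32"]

def normalize(cidrs):
    """Parse CIDR strings, drop IPv6 and duplicates, merge adjacent/overlapping nets."""
    nets = set()
    for text in cidrs:
        # strict=False tolerates entries with host bits set (203.0.113.77/24)
        net = ipaddress.ip_network(text.strip(), strict=False)
        if net.version == 4:  # 'set subnet' below is IPv4 only
            nets.add(net)
    return list(ipaddress.collapse_addresses(nets))

def object_name(net, prefix="M365"):
    """Hypothetical naming scheme for the generated address objects."""
    return f"{prefix}_{net.network_address}_{net.prefixlen}"

def fortios_config(cidrs, portal="SSLVPN-AllUsers", group="M365-Excluded"):
    """Emit address objects, one address group, and the portal settings from the post."""
    nets = normalize(cidrs)
    lines = ["config firewall address"]
    for net in nets:
        lines += [f'    edit "{object_name(net)}"',
                  f"        set subnet {net.network_address} {net.netmask}",
                  "    next"]
    lines += ["end", "config firewall addrgrp",
              f'    edit "{group}"',
              "        set member " + " ".join(f'"{object_name(n)}"' for n in nets),
              "    next", "end",
              "config vpn ssl web portal",
              f'    edit "{portal}"',
              "        set tunnel-mode enable",
              "        set split-tunneling enable",
              "        set split-tunneling-routing-negate enable",
              f'        set split-tunneling-routing-address "{group}"',
              "    next", "end"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(fortios_config(SAMPLE_CIDRS))
```

Referencing a single group keeps the portal setting stable when the published ranges change; only the group membership has to be regenerated.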