SSL VPN split tunneling issue - how to enable split tunneling only for a few subnets?

Author
krzysztof
New Member
2021/02/15 01:51:58 (permalink)
0

SSL VPN split tunneling issue - how to enable split tunneling only for a few subnets?

Hello,
 
I would like to create a simple configuration for remote SSL VPN:
I want the remote user to use split tunneling only for a few subnets (let's say YouTube, Office 365, Teams etc.) and the rest of the traffic should go into the corporate network (through the tunnel).
 
Actually, I am not able to achieve this goal.
The opposite configuration is straightforward (i.e. the whole remote user's traffic breaks out locally and only a few networks go into the tunnel).
Unfortunately, this is not what I need ...
 
I tried to use a "DENY" rule to exclude particular subnets from being tunneled and allow all the rest, but it didn't seem to work properly.
 
At the moment we don't use split tunneling at all in our network.
My idea is to enable it only for specific subnets on the Internet (to take some load off the corporate backbone) and have the rest of the traffic (Internet traffic included) inspected by the corporate FortiGate.
 
Please let me know if you have any ideas on how to address this.
 
Firmware I use:
FortiClient 6.2.7
FortiGate 6.0.11
 
Regards,
Krzysztof
 
#1


    waltvs
    New Member
    Re: SSL VPN split tunneling issue - how to enable split tunneling only for a few subnets? 2021/02/15 03:49:48 (permalink)
    0
    Hi,
     
    Did a quick search now and it seems this functionality was introduced in V6.4: 
     
    https://docs.fortinet.com/document/forticlient/6.4.0/new-features/234887/application-based-split-tunnel-6-4-1
     
    Hope you have a model that supports the 6.4 branch. :-)
    #2
    HaTiMuX
    Bronze Member
    Re: SSL VPN split tunneling issue - how to enable split tunneling only for a few subnets? 2021/02/15 04:04:57 (permalink)
    0
    Hi,
     
    You can use the following commands:
     
    config vpn ssl web portal
        edit "Split"
            set tunnel-mode enable
            set split-tunneling enable
            set split-tunneling-routing-negate enable
            set split-tunneling-routing-address "Split-Group-Not-to-Use"
        next
    end

    The command is only available in FortiOS 6.4
     
    Ref: https://kb.fortinet.com/k....do?externalID=FD49267
    #3
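A fuller version of that portal configuration, added here as an example (it is not code from the thread or from the Fortinet KB article): it defines the address objects and group the portal references, and shows the default split-tunnel form beside the negate form so the difference in what leaves the client uninspected is visible. The subnets are constructed placeholders from the RFC 5737 documentation ranges, and every object name other than "Split-Group-Not-to-Use" is assumed; the real YouTube / Office 365 ranges have to come from the providers' published lists.

```fortios
# Added example, not from the thread. Subnets are constructed placeholders
# (RFC 5737 documentation ranges); replace them with the providers' published ranges.
config firewall address
    edit "Split-Example-YouTube"
        set subnet 203.0.113.0 255.255.255.0
    next
    edit "Split-Example-O365"
        set subnet 198.51.100.0 255.255.255.0
    next
end

config firewall addrgrp
    edit "Split-Group-Not-to-Use"
        set member "Split-Example-YouTube" "Split-Example-O365"
    next
end

# Default split-tunnel behaviour (available on 6.0 / 6.2 / 6.4): ONLY the
# listed subnets go through the tunnel; everything else, Internet included,
# leaves the client directly and is never seen by the FortiGate's policies.
# This is the "opposite" configuration the original post describes.
config vpn ssl web portal
    edit "Split-Only-Listed"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "Split-Group-Not-to-Use"
    next
end

# Negate form (FortiOS 6.4 and later): the listed subnets are EXCLUDED from
# the tunnel and reach the Internet directly; all other traffic, Internet
# included, is tunnelled and inspected by the corporate FortiGate. Keep the
# excluded group tight, since those destinations bypass inspection entirely.
config vpn ssl web portal
    edit "Split-Exclude-Listed"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "Split-Group-Not-to-Use"
    next
end
```

Map the chosen portal to the SSL VPN user group under config vpn ssl settings as usual, then confirm on a test client that only the excluded subnets are routed outside the tunnel.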
    krzysztof
    New Member
    Re: SSL VPN split tunneling issue - how to enable split tunneling only for a few subnets? 2021/02/16 02:23:07 (permalink)
    0
    Guys - thanks for your suggestions! It looks like a valid solution.
     
    The only problem is that we probably will not be upgrading to 6.4.4 any time soon.
    Unfortunately Fortinet has a pretty bad reputation regarding the quality/stability of their newest firmware versions ;-(
     
    At this point I am trying to find a workaround in 6.0.11 (or 6.2.7).
     
    Regards,
    Krzysztof
    #4
    ForMar
    New Member
    Re: SSL VPN split tunneling issue - how to enable split tunneling only for a few subnets? 2021/02/17 08:31:14 (permalink)
    0
    This sounds like a valid option, but I'm a FortiGate noob.
    How to negate/exclude address from 'Routing Address' under split tunnel SSL VPN (fortinet.com)
     
    I'm such a noob that I have difficulty telling if a question has already been answered :-}
    #5
    krzysztof
    New Member
    Re: SSL VPN split tunneling issue - how to enable split tunneling only for a few subnets? 2021/02/17 08:57:06 (permalink)
    0
    ForMar wrote:
    This sounds like a valid option, but I'm a FortiGate noob.
    How to negate/exclude address from 'Routing Address' under split tunnel SSL VPN (fortinet.com)
    I'm such a noob that I have difficulty telling if a question has already been answered :-}

    Hello,
     
    It is a good solution by all means. The only issue is that this feature is available only in the newest firmware version, 6.4, which is not a good option for me
    (I need something in 6.0 or 6.2, since those have proven to be quite stable in production).
     
    Regards,
    Krzysztof
    #6