General Discussions

SSL-VPN with split tunneling mode

  • 1.  SSL-VPN with split tunneling mode

    Posted Jun 17, 2021 03:08 AM
    Hi,

    I just want to know what others think about this setup.

    I have a client with SSL-VPN enabled on their network, and they are using SSL-VPN tunnel mode with split tunneling enabled, but there is no routing address specified. Furthermore, they are using a policy route which sends all the traffic coming from the SSL-VPN tunnel interface (ssl.root) to a specific destination on the internet. Then they have different policies which regulate the traffic from the SSL-VPN users toward different subnets behind the FortiGate. A very weird setup to my eyes! Should they specify the routing address if they want to reach the subnets behind the FortiGate (specified in the policies also)? In that case, how is it possible for them to reach those subnets behind the FortiGate if there is no routing address specified? This is making my head spin now!!


  • 2.  RE: SSL-VPN with split tunneling mode

    Posted Jun 21, 2021 07:24 AM
    Hi 
     
    Can you please share the output of :

    config vpn ssl web portal
    show full-configuration | grep split


  • 3.  RE: SSL-VPN with split tunneling mode

    Posted Jun 23, 2021 01:52 AM
    Hi Niladri,

    # show full-configuration | grep split
    set split-tunneling enable
    set split-tunneling-routing-negate disable
    set ipv6-split-tunneling enable
    set ipv6-split-tunneling-routing-negate disable
    set split-tunneling enable
    set split-tunneling-routing-negate disable
    set ipv6-split-tunneling enable
    set ipv6-split-tunneling-routing-negate disable
    set split-tunneling enable
    set split-tunneling-routing-negate disable
    config split-dns


  • 4.  RE: SSL-VPN with split tunneling mode

    Posted Jun 23, 2021 02:13 AM
    Hello Fisnik,

    From what I understand from the information provided, you might be trying to add FQDNs to be a part of the split tunnel. Now, FQDNs are not supported by the SSL VPN split tunnel routing address. So to achieve this we use firewall policies. Please find the relevant KB here: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46248