Traffic control

The VPN <traffic_control> XML tag contains global information controlling application-based split tunnel:

<forticlient_configuration>
  <vpn>
    <traffic_control>
      <enabled>1</enabled>
      <mode>2</mode>
      <apps>
        <app>%LOCALAPPDATA%\Microsoft\Teams\Current\Teams.exe</app>
        <app>%appdata%\Zoom\bin\Zoom.exe</app>
        <app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>
        <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>
        <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mlauncher.exe</app>
        <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mstart.exe</app>
      </apps>
      <fqdns>
        <fqdn>webex.com</fqdn>
        <fqdn>gotomeeting.com</fqdn>
        <fqdn>youtube.com</fqdn>
      </fqdns>
    </traffic_control>
  </vpn>
</forticlient_configuration>

The following table provides the XML tags for VPN traffic control, as well as the descriptions and default values where applicable:

| XML tag | Description | Default value |
|---|---|---|
| <enabled> | To enable the feature, enter 1. To disable the feature, enter 0. Boolean value: [0 \| 1] | |
| <mode> | Enter 2 so that network traffic for all defined applications and FQDNs does not go through the VPN tunnel. You must configure this value as 2 for the feature to function. | |
| <app> | Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not add leading or trailing spaces, and do not enclose full paths that contain spaces in double quotes. To find a running application's full path, on the Details tab in Task Manager, add the Image path name column. Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface. In the example, for the GoToMeeting path, 18068 refers to the current installed version of the GoToMeeting application. | |
| <fqdn> | Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The IP address that the FQDN resolves to is dynamically added to the route table when in use, and is removed after disconnection. In the example, youtube.com matches both youtube.com and *.youtube.com. After defining an FQDN, such as youtube.com in the example, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel. | |
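The rules in the table above can be checked before a configuration is deployed, and the resulting exclusion scope listed for review, since everything in it leaves the endpoint outside the VPN tunnel. The following Python lint is an added example, not Fortinet's code; the function name lint_traffic_control, the sample XML, and the treatment of a numeric path component as a version directory are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from a real deployment): wrong mode, a
# version-specific path, a quoted path and a path with a leading space.
SAMPLE = r"""<forticlient_configuration><vpn><traffic_control>
  <enabled>1</enabled>
  <mode>1</mode>
  <apps>
    <app>%LOCALAPPDATA%\GoToMeeting\18068\g2mcomm.exe</app>
    <app>"C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe"</app>
    <app> %appdata%\Zoom\bin\Zoom.exe</app>
  </apps>
  <fqdns><fqdn>youtube.com</fqdn></fqdns>
</traffic_control></vpn></forticlient_configuration>"""

def lint_traffic_control(xml_text):
    """Return (findings, excluded_scope) for a <traffic_control> block."""
    tc = ET.fromstring(xml_text).find("./vpn/traffic_control")
    if tc is None:
        return ["no <traffic_control> element"], []
    findings, scope = [], []
    if (tc.findtext("enabled") or "").strip() not in ("0", "1"):
        findings.append("<enabled> must be 0 or 1")
    if (tc.findtext("mode") or "").strip() != "2":
        findings.append("<mode> must be 2 for the feature to function")
    for app in tc.findall("./apps/app"):
        raw = app.text or ""
        if raw != raw.strip():
            findings.append(f"leading/trailing space in <app>: {raw!r}")
        if '"' in raw:
            findings.append(f"double quotes in <app>: {raw!r}")
        # Assumption: a purely numeric path component is a version
        # directory (like 18068 in the page's example), so the entry
        # needs review whenever the installed version changes.
        if re.search(r"\\\d+\\", raw):
            findings.append(f"version-specific path in <app>: {raw!r}")
        scope.append(("app", raw.strip().strip('"')))
    for fqdn in tc.findall("./fqdns/fqdn"):
        name = (fqdn.text or "").strip().lower()
        # Per the table, an <fqdn> entry also covers its subdomains.
        scope += [("fqdn", name), ("fqdn", "*." + name)]
    return findings, scope
```

The second return value is the full set of applications and host names that bypass the tunnel, which is the list to compare against what the organization intends to leave uninspected.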
