Configuring a profile with application-based split tunnel
FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications. For example, you can exclude applications like the following from the VPN tunnel:
- Microsoft Office 365
- Microsoft Teams
- Skype
- GoToMeeting
- Zoom
- WebEx
- YouTube
You must configure these settings in the endpoint profile in EMS. The setting applies to all VPN tunnels in that profile. The following instructions assume that you have already configured a remote SSL or IPsec VPN server in FortiOS. See the FortiOS documentation.
This feature does not support explicitly including traffic in the VPN tunnel.
To configure application-based split tunnel using the GUI:
- In EMS, go to Endpoint Profiles, and select the desired profile.
- On the VPN tab, select an existing tunnel or create a new tunnel.
- Under Split Tunnel > Application Based, configure the following fields:
Configuration
Description
Application Based
Enable application-based split tunnel. FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications for improved performance. For example, you can exclude applications like the following from the VPN tunnel:
- Microsoft Office 365
- Microsoft Teams
- Skype
- GoToMeeting
- Zoom
- WebEx
- YouTube
Once the VPN tunnel is up, FortiClient binds the specified excluded applications to the physical interface.
Type
Select Exclude to exclude the specified application traffic from the VPN tunnel.
Local Applications
You can only exclude local applications from the VPN tunnel. Click Add. In the Add Application(s) field, specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. When entering the directory, you must end the value with \. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%, %programfiles%, and %appdata%. Do not add leading or trailing spaces, and do not enclose full paths that contain spaces in double quotes. You can add multiple entries by separating them with a semicolon.
For example, to exclude Microsoft Teams and Firefox from the VPN tunnel, you can enter any of the following combinations:
- Application Name: teams.exe;firefox.exe
- Full Path: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\Teams.exe;C:\Program Files\Mozilla Firefox\firefox.exe
- Directory: C:\Users\<username>\AppData\Local\Microsoft\Teams\current\;C:\Program Files\Mozilla Firefox\
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
Select the application checkbox, then click Remove to remove it from the list.
Cloud Applications
You can exclude cloud applications. Click Add. In the list, select the desired applications, then click Add.
Select the application checkbox, then click Remove to remove it from the list.
Domain
You can exclude domains. After you exclude a domain, any associated traffic will not go through the VPN tunnel when accessed through a popular browser such as Chrome, Edge, or Firefox. Click Add. In the Add Domain(s) field, enter the desired domains, using ; to configure multiple entries.
For example, if you configure the VPN tunnel to exclude youtube.com, youtube.com and *.youtube.com are excluded from the tunnel.
Select the application checkbox, then click Remove to remove it from the list.
This example shows excluding Microsoft Teams using the application name, full path, and directory. It also excludes Teams and other web conferencing cloud applications, such as Zoom and Cisco WebEx:
- Assign the profile to the desired endpoints. When VPN is up on those endpoints, the application traffic specified in the profile will be excluded from the VPN tunnel as configured.
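The Local Applications rules above (semicolon separators, a trailing \ on directories, no leading or trailing spaces, no double quotes) can be checked before a value is pasted into EMS. The following Python sketch is an added example, not Fortinet code; the function names, the sample value, and the .exe heuristic for telling a file path from a directory are assumptions of this example.

```python
import re

# Heuristic (assumption of this example): a full path names an .exe file.
EXE = re.compile(r"\.exe$", re.IGNORECASE)

def check_entry(entry):
    """Classify one entry and list violations of the field's stated rules."""
    problems = []
    if entry != entry.strip():
        problems.append("leading or trailing space")
    if '"' in entry:
        problems.append("double quote")
    # Classify on the cleaned value so one mistake does not hide the kind.
    value = entry.strip().replace('"', "")
    if not value:
        return "empty", ["empty entry"]
    if value.endswith("\\"):
        kind = "directory"
    elif "\\" in value:
        kind = "full path"
        if not EXE.search(value):
            problems.append("no .exe suffix: a directory must end with \\")
    else:
        kind = "process name"
    return kind, problems

def check_field(field):
    """Split the semicolon-separated field value and check every entry."""
    return [(e,) + check_entry(e) for e in field.split(";")]

# Constructed sample: the last three entries each break one rule.
SAMPLE = (r"teams.exe;%LOCALAPPDATA%\Microsoft\Teams\current\;"
          r"C:\Program Files\Mozilla Firefox\firefox.exe;"
          r' zoom.exe;"C:\Program Files\Mozilla Firefox\firefox.exe";'
          r"C:\Program Files\Mozilla Firefox")

if __name__ == "__main__":
    for entry, kind, problems in check_field(SAMPLE):
        print(f"{entry!r:60} {kind:13} {'; '.join(problems) or 'ok'}")
```

The output also gives a reviewer a per-entry view of whether an exclusion is scoped to a process name, a single binary, or a whole directory.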