Split tunnel
In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate. Split tunneling is enabled by default for SSL VPN on FortiGate units.
The solution below describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.
Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.
In short, enabling split tunneling protects the head office from potentially harmful access and external threats that may occur as a result of the end user's indiscretion while browsing the Internet. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.
Creating a firewall address for the head office server
- Go to Policy & Objects > Addresses and select Create New and add the head office server address:
  Category: Address
  Name: Head office server
  Type: Subnet
  Subnet / IP Range: 192.168.1.12
  Interface: Internal
- Select OK.
Creating an SSL VPN IP pool and SSL VPN web portal
- Go to VPN > SSL-VPN Portals and select tunnel-access.
- Enter the following:
  Name: Connect to head office server
  Enable Tunnel Mode: Enable
  Enable Split Tunneling: Enable
  Routing Address: Internal
  Source IP Pools: SSLVPN_TUNNEL_ADDR1
- Select OK.
Creating the SSL VPN user and user group
Create the SSL VPN user and add the user to a user group.
- Go to User & Device > User Definition, select Create New and add the user:
  User Name: twhite
  Password: password
- Select OK.
- Go to User & Device > User Groups and select Create New to add the new user to the SSL VPN user group:
  Name: Tunnel
  Type: Firewall
- Move twhite to the Members list.
- Select OK.
Creating a static route for the remote SSL VPN user
Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.
- Go to Network > Static Routes and select Create New:
  Destination IP/Mask: 10.212.134.0/255.255.255.0
  Device: ssl.root
- Select OK.
Creating security policies
Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.
- Go to Policy & Objects > IPv4 Policy and select Create New.
- Complete the following:
  Incoming Interface: ssl.root
  Source Address: all
  Source User(s): Tunnel
  Outgoing Interface: internal
  Destination Address: Head office server
- Select OK.
- Add a security policy that allows remote SSL VPN users to connect to the Internet.
- Select Create New.
- Complete the following and select OK:
  Incoming Interface: ssl.root
  Source Address: all
  Source User(s): Tunnel
  Outgoing Interface: wan1
  Destination Address: all
  Schedule: always
  Service: ALL
  Action: ACCEPT
Configuring authentication rules
- Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
- Add an authentication rule for the remote user:
  Users/Groups: Tunnel
  Portal: tunnel-access
- Select OK and Apply.
Results
Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet.
From the GUI, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.