
Administration Guide

Split tunneling settings

For an SSL VPN portal with tunnel mode enabled, the following split tunneling settings determine which client traffic is routed over the tunnel:

Option: Tunnel mode

Description:
  • Disabled: Split tunneling is off. All client traffic, including internet-bound traffic, is directed over the SSL-VPN tunnel.

  • Enabled Based on Policy Destination: Only client traffic whose destination matches the destination of the configured firewall policies (or the Routing Address Override, if one is defined) is directed over the SSL-VPN tunnel. All other traffic leaves the client's local interface directly.

  • Enabled for Trusted Destinations: The inverse of the previous option. Client traffic whose destination matches an explicitly trusted destination bypasses the tunnel; all other traffic is directed over the SSL-VPN tunnel.

To configure split tunneling in the GUI:
  1. Go to VPN > SSL-VPN Portals.

  2. Click Create New or Edit an existing portal.

  3. Enable Tunnel Mode and select one of the Split tunneling settings.

  4. Select Routing Address Override to define the address objects that the split tunneling decision is based on. For Enabled Based on Policy Destination this is the destination network (usually the corporate network) that will be routed through the tunnel; for Enabled for Trusted Destinations it is the list of trusted destinations that bypass the tunnel.

    Note

    Leave Routing Address Override undefined to use the destination in the respective firewall policies.

  5. Select Source IP Pools for users to acquire an IP address when connecting to the portal. There is always a default pool available if you do not create your own.

  6. Configure other necessary parameters as required.

  7. Click OK.

To configure split tunneling in the CLI:
config vpn ssl web portal
    edit "tunnel-access"
        set tunnel-mode enable
        set split-tunneling {enable | disable}
        set split-tunneling-routing-negate {enable | disable}
        set split-tunneling-routing-address <name1> <name2> …
        set ip-pools <name1> <name2> …
    next
end
Note

The command split-tunneling-routing-negate is only available on the CLI after split-tunneling is enabled.

split-tunneling-routing-negate disable (the default) corresponds to the Enabled Based on Policy Destination option on the GUI: the routing addresses, or the firewall policy destinations when none are set, are the destinations that are sent through the tunnel.

split-tunneling-routing-negate enable corresponds to the Enabled for Trusted Destinations option on the GUI: the routing addresses are the destinations that bypass the tunnel, and everything else is sent through it.
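The GUI steps and the CLI template above, carried through as a complete configuration for both enabled modes. This is an added example and not configuration from the Fortinet guide: the address object names, the subnets 10.10.0.0/16 and 203.0.113.0/24, the interface names port1 and port2, the user group sslvpn-users and the policy ID are assumptions, and the IP pool SSLVPN_TUNNEL_ADDR1 is the default pool that step 5 of the GUI procedure refers to.

```fortios
# Address objects. Names and subnets are assumptions for this example.
config firewall address
    edit "corp-net"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "saas-cdn-net"
        set subnet 203.0.113.0 255.255.255.0
    next
end

config vpn ssl web portal
    # Portal 1: Enabled Based on Policy Destination.
    # split-tunneling-routing-address is left empty, so the destination of
    # the firewall policy below (corp-net) decides what enters the tunnel.
    edit "tunnel-corp"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-negate disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    # Portal 2: Enabled for Trusted Destinations (negate mode).
    # Here the routing address list is what BYPASSES the tunnel; everything
    # else, corp-net included, is tunneled.
    edit "tunnel-negate"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-negate enable
        set split-tunneling-routing-address "saas-cdn-net"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

# Listening interface, tunnel pool, and the mapping of a user group
# (assumed to exist) to a portal.
config vpn ssl settings
    set source-interface "port1"
    set source-address "all"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    config authentication-rule
        edit 1
            set groups "sslvpn-users"
            set portal "tunnel-corp"
        next
    end
end

# Firewall policy from the SSL VPN interface to the corporate network.
# Its destination (corp-net) is what "Enabled Based on Policy Destination"
# pushes to the client when no routing address override is set.
config firewall policy
    edit 10
        set name "sslvpn-to-corp"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "corp-net"
        set groups "sslvpn-users"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

After a client connects, check its routing table: with tunnel-corp it should carry only the 10.10.0.0/16 route via the tunnel, with tunnel-negate everything except 203.0.113.0/24. The setting to double-check before enabling negate mode is the routing address list itself: because the list is inverted, putting corp-net into split-tunneling-routing-address on tunnel-negate would exclude the corporate network from the tunnel rather than include it.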