Configuring a split tunneling destination on FortiSASE
An endpoint can access private resources using zero trust network access (ZTNA) TCP forwarding when it has established a secure connection to FortiSASE. For FortiClient to forward this traffic directly to the FortiGate ZTNA access proxy without passing through FortiSASE, you must add a split tunneling destination corresponding to the IP or FQDN of the FortiGate. You can create this split tunneling destination on FortiSASE and push it to all managed endpoints.
To create a split tunneling destination on FortiSASE:
- Go to Configuration > Profiles.
- Select the Default profile and click Edit.
  You cannot create subnet destinations in a custom endpoint profile. Therefore, subnet destinations defined in the Default profile also apply to all custom profiles.
- On the Access tab, under Bypass FortiSASE, configure Split tunneling destinations by clicking Create. Configure the following:
  - In the Type field, select FQDN or Subnet, depending on whether the ZTNA Access Proxy fields in the ZTNA connection rules were defined using an FQDN or an IP address.
  - From the Match dropdown list, do one of the following:
    - For the FQDN type, select the FQDN host.
    - For the Subnet type, select the subnet host.
    If you have not created the FQDN or subnet host yet, click + to create a new FQDN or subnet host corresponding to the ZTNA access proxy.
    FortiSASE does not support wildcard FQDNs when configuring an FQDN split tunneling destination.
  - Click OK.
- Configure additional split tunneling destinations corresponding to the ZTNA connection rules.
- Click Apply. FortiSASE pushes the split tunneling destinations to managed endpoints via an endpoint profile update.
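The procedure above leaves one thing to verify by hand: that every ZTNA access proxy referenced by a ZTNA connection rule has a matching split tunneling destination of the right type. The following is an added example (not Fortinet code, and not the FortiSASE API) that models the page's rules with constructed rule and destination records: an IP access proxy needs a Subnet destination, an FQDN access proxy needs an FQDN destination, and wildcard FQDNs are rejected.

```python
import ipaddress
import re
# RFC 1123 label; "*." prefix = wildcard, unsupported as an FQDN destination.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Constructed sample (not FortiSASE data): ZTNA rules and existing destinations.
ZTNA_RULES = [
    {"name": "intranet", "access_proxy": "ztna.example.com:8443"},
    {"name": "git", "access_proxy": "ztna.example.com:8443"},
    {"name": "legacy-app", "access_proxy": "203.0.113.10:443"},
    {"name": "hr", "access_proxy": "hr-proxy.example.com"},
]
SPLIT_DESTINATIONS = [
    {"type": "FQDN", "match": "ztna.example.com"},
    {"type": "Subnet", "match": "203.0.113.0/24"},
]

def classify_proxy(access_proxy: str) -> tuple[str, str]:
    """(Type, Match) the destination needs: Subnet for an IP, FQDN for a name."""
    host = access_proxy
    try:                                   # bare IPv4/IPv6 address
        ip = ipaddress.ip_address(host)
    except ValueError:                     # "host:port" -> "host"
        h, sep, port = host.rpartition(":")
        host = h if sep and port.isdigit() else host
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
    if ip is not None:
        return ("Subnet", f"{ip}/{ip.max_prefixlen}")
    host = host.rstrip(".").lower()
    if host.startswith("*."):
        raise ValueError(f"wildcard FQDN not supported: {host}")
    if len(host.split(".")) < 2 or not all(_LABEL.match(l) for l in host.split(".")):
        raise ValueError(f"not a valid FQDN: {host}")
    return ("FQDN", host)

def covers(dest: dict, dtype: str, match: str) -> bool:
    if dest["type"] != dtype:
        return False
    if dtype == "FQDN":
        return dest["match"].rstrip(".").lower() == match
    need = ipaddress.ip_network(match)
    have = ipaddress.ip_network(dest["match"], strict=False)
    return need.version == have.version and need.subnet_of(have)

def missing_destinations(rules, destinations):
    """Deduplicated (Type, Match) pairs still to create under Bypass FortiSASE."""
    needed = {classify_proxy(r["access_proxy"]) for r in rules}
    return sorted(n for n in needed if not any(covers(d, *n) for d in destinations))
```

Running `missing_destinations(ZTNA_RULES, SPLIT_DESTINATIONS)` on the sample reports the hr-proxy FQDN as the one destination still to be created; an access proxy that falls inside an existing subnet destination is treated as covered.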