rphulekar, Staff
Article Id 195397
Description
In FortiOS firmware versions 4.0 MR3 and 5.0, the following message may appear while configuring SSL VPN tunnel mode on a FortiGate unit:

"Destination address of Split Tunneling policy is invalid"


Scope
This article applies to FortiOS firmware versions 4.0 MR3 through 5.0.x.

Solution
The root cause of this error message is that the SSL-VPN firewall policy cannot be left with Destination Address = all when tunnel mode is used with split tunneling enabled. With split tunneling, the destination addresses of the SSL-VPN policy are what the FortiGate pushes to the client as the routes that go through the tunnel, so an address of "all" cannot be turned into a split-tunnel route.

The Destination Address must therefore be a firewall address object that defines the subnet located behind the destination interface.

Example (address object for the DMZ subnet, then the SSL-VPN policy that references it instead of "all"):

config firewall address
    edit "dmz_network"
        set associated-interface "dmz"
        set subnet 172.16.31.0 255.255.255.0
    next
end

config firewall policy
    edit 30
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz_network"
        set action ssl-vpn
        set schedule "always"
        set service "ANY"
        set logtraffic enable
        set nat enable
        set groups "vpn_users_tunnel"
    next
end
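As an added audit check (not part of the article and not Fortinet code), the following Python script parses a FortiOS configuration dump in the CLI config/edit/set/next/end format shown above and flags every SSL-VPN policy whose destination address is still "all", which is the condition that produces the error. The sample configuration embedded in the script is constructed for the example: policy 30 is the corrected policy from the article, policy 31 reproduces the misconfiguration, and policy 40 is an ordinary accept policy that must not be flagged.

```python
import shlex
from typing import Dict, List

# Constructed sample FortiOS config dump (not captured from a real device).
SAMPLE_CONFIG = """
config firewall policy
    edit 30
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz_network"
        set action ssl-vpn
        set schedule "always"
        set service "ANY"
        set groups "vpn_users_tunnel"
    next
    edit 31
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action ssl-vpn
        set schedule "always"
        set service "ANY"
        set groups "vpn_users_tunnel"
    next
    edit 40
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end
"""


def parse_policies(config_text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {policy_id: {setting: [values]}} for each entry of the
    'config firewall policy' table. Nested sub-tables (e.g. identity-based
    policies in 4.x/5.0) are tracked on a stack and skipped."""
    policies: Dict[str, Dict[str, List[str]]] = {}
    stack: List[str] = []          # names of the config tables we are inside
    current = None                 # policy id being parsed, if any
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
            continue
        if line == "end":
            if stack:
                stack.pop()
            continue
        if stack[-1:] != ["firewall policy"]:
            continue               # not directly inside the policy table
        if line.startswith("edit "):
            current = line.split(None, 1)[1].strip('"')
            policies[current] = {}
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line)   # shlex handles quoted values
            policies[current][parts[1]] = parts[2:]
        elif line == "next":
            current = None
    return policies


def find_invalid_split_tunnel_policies(config_text: str) -> List[str]:
    """IDs of SSL-VPN policies whose destination address contains 'all'.
    With split tunneling enabled, FortiOS 4.0 MR3 / 5.0 reject such a policy
    with 'Destination address of Split Tunneling policy is invalid'."""
    flagged: List[str] = []
    for pid, settings in parse_policies(config_text).items():
        if settings.get("action") != ["ssl-vpn"]:
            continue
        dst = [v.lower() for v in settings.get("dstaddr", [])]
        if "all" in dst:
            flagged.append(pid)
    return flagged


if __name__ == "__main__":
    for pid in find_invalid_split_tunnel_policies(SAMPLE_CONFIG):
        print(f"policy {pid}: SSL-VPN policy with dstaddr 'all'; "
              f"replace it with the address object for the subnet behind dstintf")
```

Feed the script the text of a saved configuration or of the policy table output from the CLI; only policies with action ssl-vpn are considered, so ordinary accept policies with a destination of "all" are left alone.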
Related Articles

Technical Note: FortiGate SSL VPN in tunnel mode with split-tunneling - configuration and verificati...