Description | This article decribes how to disable split tunneling to specific group/s and enable it to other groups/users. |
Scope | FortiGate. |
Solution |
By default, there are Three default SSL VPN Portals available on the FortiGate (full-access, tunnel-access, and web-access). Full-access by default is configured with 'Enable Split Tunnel'.
There are scenarios where some users like to have some of the user groups 'Disable Split Tunnel' to have these users' traffic pass through on FortiGate for scanning or logging.
Here are the steps to configure it. Let's assume there are already two SSL VPN group users:
Example:
Step 1: Create another SSL-VPN Portal with the same parameters of 'full-access' except disable the 'Enable Split Tunnel'.
Go to VPN -> SSL-VPN Portal -> Create New.
Step 2: Map the User groups to correct the SSL VPN Portal according to the needs. In this case, the 'SSL-VPN_User_Ena' group has been mapped to 'full-access' to enable the split tunnel then mapped the 'SSL-VPN_User_Dis' group to 'full-access_Split_Disable' to disable the split tunnel.
Also configured 'All other Users/Groups' to 'full-access':
Go to VPN -> SSL-VPN Settings -> Authentication/Portal Mapping:
Step 3: Configure the Firewall policy for SSL VPN.
Configuring inbound firewall policy for both users. On the inbound Firewall policy, it is possible to include both User Groups this will allow them to access the internal subnets on FortiGate:
Create an outbound firewall policy for the Users with Split tunnel disabled. Do not include the User group with split tunnel enabled on this Firewall policy since it will experience an issue with saving the Firewall policy as a destination all then the User has split tunnel enabled.
Expected behavior after the configuration, Remote group SSL-VPN_User_Ena will forward the external traffic to their Internet gateway while the Remote group SSL-VPN_User_Dis will forward the external traffic to the FortiGate.
Note: There is a known issue where after a reboot the Firewall policy does not allow dstaddr 'all' with the split tunneling portal, so FortiGate will go to blank out the dstaddr of all.
Workaround: To reconfigure the dstaddr into 'all' on the SSL VPN firewall policy. The known issue will be fixed on FortiOS 7.4.1 and above. |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.