ronmar
Staff
Article Id 262812
Description This article describes how to disable split tunneling for specific user groups while keeping it enabled for other groups/users.
Scope FortiGate.
Solution

By default, there are three SSL VPN portals available on the FortiGate (full-access, tunnel-access, and web-access). By default, 'full-access' is configured with 'Enable Split Tunnel'.

There are scenarios where administrators want 'Enable Split Tunnel' disabled for some user groups, so that those users' traffic passes through the FortiGate for scanning or logging.

 

Here are the steps to configure it. Let's assume there are already two SSL VPN user groups:

Example:

  1. SSL-VPN_User_Ena <--- Example of the user group with split tunnel enabled.
  2. SSL-VPN_User_Dis <--- Example of the user group with split tunnel disabled.

 

Step 1:

Create another SSL-VPN portal with the same parameters as 'full-access', except with 'Enable Split Tunnel' disabled.

 

Go to VPN -> SSL-VPN Portal -> Create New.

 


 

Step 2:

Map the user groups to the correct SSL VPN portal according to your needs. In this case, the 'SSL-VPN_User_Ena' group is mapped to 'full-access' to enable the split tunnel, and the 'SSL-VPN_User_Dis' group is mapped to 'full-access_Split_Disable' to disable the split tunnel.

Also map 'All Other Users/Groups' to 'full-access':

 

Go to VPN -> SSL-VPN Settings -> Authentication/Portal Mapping:

 


Step 3:

Configure the Firewall policy for SSL VPN.

 

Configure the inbound firewall policy for both user groups. The inbound firewall policy can include both user groups; this allows them to access the internal subnets behind the FortiGate:

 


 

Create an outbound firewall policy for the users with split tunnel disabled. Do not include the user group with split tunnel enabled in this firewall policy: FortiGate will not save a policy with destination 'all' when it references a group whose portal has split tunnel enabled.


Expected behavior after the configuration: the remote group SSL-VPN_User_Ena forwards external (Internet) traffic to its local Internet gateway, while the remote group SSL-VPN_User_Dis forwards external traffic through the FortiGate.

 

Note:

There is a known issue where, after a reboot, the firewall policy no longer allows dstaddr 'all' together with the split tunneling portal, so FortiGate blanks out the dstaddr 'all'.

 

Workaround:

Reconfigure the dstaddr to 'all' on the SSL VPN firewall policy. The known issue is fixed in FortiOS 7.4.1 and above.

 
