Configuring a profile with application-based split tunnel
FortiClient (Windows) supports source application-based split tunnel, where you can specify which application traffic to exclude from the VPN tunnel. You can exclude high bandwidth-consuming applications. For example, you can exclude applications like the following from the VPN tunnel:
- Microsoft Office 365
- Microsoft Teams
You must configure these settings in the endpoint profile in EMS. The scope for the setting is for all VPN tunnels for that profile. The following instructions assume that you have already configured a remote SSL or IPsec VPN server in FortiOS. See the FortiOS documentation.
To configure application-based split tunnel:
- In EMS, go to Endpoint Profiles, and select the desired profile. On the XML Configuration tab, configure the
<traffic_control>elements to configure application-based split tunnel. The following provides an example and descriptions of the elements:
<app>C:\Program Files (x86)\Microsoft\Skype for Desktop\skype.exe</app>
To enable the feature, enter
1. To disable the feature, enter
2so that network traffic for all defined applications and FQDNs do not go through the VPN tunnel. You must configure this value as
2for the feature to function.
Specify which application traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. You can specify an application using its process name, full path, or the directory where it is installed. You can enter file and directory paths using environment variables, such as %LOCALAPPDATA%,%programfiles%, and %appdata%. Do not use spaces in the tail or head, or add double quotes to full paths with spaces.
To find a running application's full path, on the Details tab in Task Manager, add the Image path name column.
Once the VPN tunnel is up, FortiClient binds the specified applications to the physical interface.
In the example, for the GoToMeeting path, 18068 refers to the current installed version of the GoToMeeting application.
Specify which FQDN traffic to exclude from the VPN tunnel and redirect to the endpoint physical interface. The FQDN resolved IP address is dynamically added to the route table when in use, and is removed after disconnection.
In the example, youtube.com equals youtube.com and *.youtube.com.
After defining an FQDN, such as youtube.com in the example, if you use any popular browser such as Chrome, Edge, or Firefox to access youtube.com, this traffic does not go through the VPN tunnel.
- Assign the profile to the desired endpoints. When VPN is up on those endpoints, the application traffic specified in the profile will be excluded from the VPN tunnel.