
Handbook

Split tunnel

6.0.0

Split tunnel

In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate. Split tunneling is enabled by default for SSL VPN on FortiGate units.

The solution below describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.

Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

In short, enabling split tunneling protects the head office from potentially harmful access and external threats that may occur as a result of the end user's indiscretion while browsing the Internet. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.

Creating a firewall address for the head office server

  1. Go to Policy & Objects > Addresses, select Create New and add the head office server address:

    Category: Address
    Name: Head office server
    Type: Subnet
    Subnet / IP Range: 192.168.1.12
    Interface: Internal

  2. Select OK.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL-VPN Portals and select tunnel-access.
  2. Enter the following:

    Name: Connect to head office server
    Enable Tunnel Mode: Enable
    Enable Split Tunneling: Enable
    Routing Address: Internal
    Source IP Pools: SSLVPN_TUNNEL_ADDR1

  3. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group.

  1. Go to User & Device > User Definition, select Create New and add the user:

    User Name: twhite
    Password: password

  2. Select OK.
  3. Go to User & Device > User Groups and select Create New to add the new user to the SSL VPN user group:

    Name: Tunnel
    Type: Firewall

  4. Move twhite to the Members list.
  5. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Network > Static Routes and select Create New:

    Destination IP/Mask: 10.212.134.0/255.255.255.0
    Device: ssl.root

  2. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.

  1. Go to Policy & Objects > IPv4 Policy and select Create New.
  2. Complete the following:

    Incoming Interface: ssl.root
    Source Address: all
    Source User(s): Tunnel
    Outgoing Interface: internal
    Destination Address: Head office server

  3. Select OK.
  4. Add a security policy that allows remote SSL VPN users to connect to the Internet.
  5. Select Create New.
  6. Complete the following and select OK:

    Incoming Interface: ssl.root
    Source Address: all
    Source User(s): Tunnel
    Outgoing Interface: wan1
    Destination Address: all
    Schedule: always
    Service: ALL
    Action: ACCEPT

Configuring authentication rules

  1. Go to VPN > SSL-VPN Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:

    Users/Groups: Tunnel
    Portal: tunnel-access

  3. Select OK and Apply.

Results

Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:443/ and log in with the twhite user account. Once connected, you can reach the head office server and browse websites on the Internet.

From the GUI, go to Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel that redirects SSL VPN sessions to the Internet.
