Chapter 16 SSL VPN for FortiOS 5.0 : Basic Configuration : Configuring security policies : Split tunnel Internet browsing policy
  
Split tunnel Internet browsing policy
With split tunneling disabled, all of the SSL VPN client's requests are sent through the SSL VPN tunnel. However, the tunnel mode security policy provides access only to the protected networks behind the FortiGate unit, so clients receive no response if they attempt to access Internet resources. To let clients connect to the Internet through the FortiGate unit, add a security policy from the SSL VPN interface to the interface that connects to the Internet.
To add an Internet browsing policy
1. Go to Policy > Policy > Policy and select Create New.
2. Leave the Policy Type as Firewall and leave the Policy Subtype as Address.
3. Enter the following information and select OK.
   Incoming Interface: Select the virtual SSL VPN interface, ssl.root, for example.
   Source Address: Select the firewall address you created that represents the IP address range assigned to SSL VPN clients.
   Outgoing Interface: Select the FortiGate network interface that connects to the Internet.
   Destination Address: Select all.
   Action: Select Accept.
   Enable NAT: Select Enable.
To configure the Internet browsing security policy - CLI
To enable browsing the Internet through port1, you would enter:
config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf port1
        set srcaddr SSL_tunne_users
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
end
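The following Python check is an added example, not part of the original Fortinet documentation. It parses a FortiOS "config firewall policy" block and reports where a policy from the SSL VPN interface to the Internet-facing interface deviates from the settings in this procedure. The sample configuration, policy IDs and function names are constructed for illustration, and the check assumes that a policy with no action set denies traffic.

```python
import shlex
# Constructed sample: policy 7 follows the procedure above, policy 8 is a loose variant.
SAMPLE_CONFIG = """config firewall policy
    edit 7
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSL_tunne_users"
        set dstaddr "all"
        set action accept
        set nat enable
    next
    edit 8
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
    next
end
"""

def parse_policies(text):
    """Parse 'config firewall policy' into {id: {option: [values]}}; nested tables are skipped."""
    policies, current, depth = {}, None, 0
    for line in text.splitlines():
        tok = shlex.split(line) or [""]
        if tok[0] == "config":
            depth = depth + 1 if depth or tok[1:] == ["firewall", "policy"] else 0
        elif tok[0] == "end" and depth:
            depth -= 1
        elif depth == 1 and tok[0] == "edit" and len(tok) > 1:
            current = policies.setdefault(tok[1], {})
        elif depth == 1 and tok[0] == "set" and current is not None and len(tok) > 2:
            current[tok[1]] = tok[2:]
    return policies

def audit_browsing_policies(text, vpn_if="ssl.root", wan_if="port1"):
    """Map policy ID -> findings for each vpn_if -> wan_if policy in the config."""
    report = {}
    for pid, p in parse_policies(text).items():
        if p.get("srcintf") != [vpn_if] or p.get("dstintf") != [wan_if]:
            continue
        findings = report.setdefault(pid, [])
        if p.get("action", ["deny"]) != ["accept"]:  # assumed default: deny
            findings.append("action is not accept")
        if p.get("nat") != ["enable"]:
            findings.append("NAT is not enabled")
        if "all" in p.get("srcaddr", ["all"]):
            findings.append("source address is not limited to SSL VPN clients")
    return report
```

Pass the text of a configuration backup to audit_browsing_policies(); an empty findings list means the policy matches the interface, address, action and NAT settings given above.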