Split tunnel Internet browsing policy
With split tunneling disabled, all of the SSL VPN client's traffic, including traffic destined for the Internet, is sent through the SSL VPN tunnel. The tunnel mode security policy, however, only permits access to the protected networks behind the FortiGate unit, so clients receive no response when they try to reach Internet resources. To let clients reach the Internet through the FortiGate unit, add a second security policy from the virtual SSL VPN interface to the Internet-facing interface, with NAT enabled so that client traffic leaves with the FortiGate unit's external address. Because this policy gives every connected tunnel user Internet egress through the FortiGate unit, set its source address to the SSL VPN client address range rather than All, and consider limiting the service list and applying the same security profiles (web filtering, antivirus, logging) that you apply to internal users.
To add an Internet browsing policy:
1. Go to Policy & Objects > Policy > IPv4 and select Create New.
2. Enter the following information and select OK.
Field | Setting
--- | ---
Incoming Interface | Select the virtual SSL VPN interface (ssl.root, for example).
Source Address | Select the firewall address you created that represents the IP address range assigned to SSL VPN clients.
Outgoing Interface | Select the FortiGate network interface that connects to the Internet.
Destination Address | Select All.
Action | Select Accept.
Enable NAT | Select Enable.
To configure the Internet browsing security policy - CLI:
To enable browsing the Internet through port1, you would enter the following. SSL_tunnel_users is the firewall address that represents the SSL VPN client address range, and edit 0 creates a new policy with the next available ID. The action must be set explicitly, because a new firewall policy defaults to deny:
config firewall policy
    edit 0
        set srcintf ssl.root
        set dstintf port1
        set srcaddr SSL_tunnel_users
        set dstaddr all
        set action accept
        set schedule always
        set service ALL
        set nat enable
end
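As an added example that is not part of the FortiOS documentation above, the following CLI script creates the firewall address that the browsing policy refers to and then adds a tightened version of the policy: the service list is narrowed from ALL to web and DNS traffic, and security profiles and logging are applied as they would be for internal users. The address range (the FortiOS default SSL VPN pool), port1 as the Internet-facing interface, ssl.root as the tunnel interface and the profile names are assumptions for illustration; substitute your own. Lines beginning with # are comments.

```fortios
# Added example, not from the FortiOS handbook.
# Assumptions: SSL VPN IP pool 10.212.134.200-10.212.134.210, port1 faces the
# Internet, the tunnel terminates on ssl.root.

# 1. Address object matching the addresses handed out to SSL VPN clients.
#    Use the same range as the IP pool in the SSL VPN settings. A policy with
#    srcaddr "all" would also match anything else that arrives on ssl.root.
config firewall address
    edit "SSL_tunnel_users"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
        set comment "Addresses assigned to SSL VPN tunnel-mode clients"
    next
end

# 2. Internet browsing policy. "edit 0" creates a new policy with the next
#    free ID. action must be set explicitly; a new policy defaults to deny.
config firewall policy
    edit 0
        set srcintf "ssl.root"
        set dstintf "port1"
        set srcaddr "SSL_tunnel_users"
        set dstaddr "all"
        set action accept
        set schedule "always"
        # Narrower than "ALL": web browsing and name resolution only.
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
        # Inspect and log the browsing traffic as for internal users.
        set utm-status enable
        set webfilter-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
        set comments "SSL VPN clients to Internet (full tunnel)"
    next
end

# 3. Confirm the resulting policy and the ID it was assigned.
show firewall policy
```

The wider policy with service ALL from the handbook works, but it turns the FortiGate unit into an open egress point for every tunnel user. Narrowing the service list and attaching profiles keeps remote clients under the same controls as the rest of the network, and logging the policy gives you a record of what remote users reached through the VPN.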