FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 22 - SSL VPN > Setup examples > Split Tunnel

Split Tunnel

In this configuration, remote users are able to securely access the head office internal network through the head office firewall, yet browse the Internet without going through the head office FortiGate. Split tunneling is enabled by default for SSL VPN on FortiGate units.

The solution below describes how to configure FortiGate SSL VPN split tunneling using the FortiClient SSL VPN software, available from the Fortinet Support site.

Without split tunneling, all communication from remote SSL VPN users to the head office internal network and to the Internet uses an SSL VPN tunnel between the user’s PC and the head office FortiGate unit. Connections to the Internet are routed back out the head office FortiGate unit to the Internet. Replies come back into the head office FortiGate unit before being routed back through the SSL VPN tunnel to the remote user.

In short, enabling split tunneling protects the head office from potentially harmful access and external threats that may occur as a result of the end user's indiscretion while browsing the Internet. By contrast, disabling split tunneling protects the end user by forcing all their Internet traffic to pass through the FortiGate firewall.

Creating a firewall address for the head office server

  1. Go to Policy & Objects > Objects > Addresses and select Create New and add the head office server address:
Category Address
Name Head office server
Type Subnet
Subnet / IP Range 192.168.1.12
Interface Internal
  1. Select OK.

Creating an SSL VPN IP pool and SSL VPN web portal

  1. Go to VPN > SSL > Portals and select tunnel-access.
  2. Enter the following:
  Name Connect to head office server
  Enable Tunnel Mode Enable
  Enable Split Tunneling Enable
  Routing Address Internal
  Source IP Pools SSLVPN_TUNNEL_ADDR1
  1. Select OK.

Creating the SSL VPN user and user group

Create the SSL VPN user and add the user to a user group.

  1. Go to User & Device > User > User Definition, select Create New and add the user:
User Name twhite
Password password
  1. Select OK.
  2. Go to User & Device > User > User Groups and select Create New to add the new user to the SSL VPN user group:
Name Tunnel
Type Firewall
  1. Move twhite to the Members list.
  2. Select OK.

Creating a static route for the remote SSL VPN user

Create a static route to direct traffic destined for tunnel users to the SSL VPN tunnel.

  1. Go to Router > Static > Static Routes and select Create New
  2. For low-end FortiGate units, go to System > Network > Routing and select Create New:
Destination IP/Mask 10.212.134.0/255.255.255.0
Device ssl.root
  1. Select OK.

Creating security policies

Create an SSL VPN security policy with SSL VPN user authentication to allow SSL VPN traffic to enter the FortiGate unit. Create a normal security policy from ssl.root to wan1 to allow SSL VPN traffic to connect to the Internet.

  1. Go to Policy & Objects > Policy > IPv4 and select Create New.
  2. Complete the following:
Incoming Interface ssl.root
Source Address all
Source User(s) Tunnel
Outgoing Interface internal
Destination Address Head office server
  1. Select OK.
  2. Add a security policy that allows remote SSL VPN users to connect to the Internet.
  3. Select Create New.
  4. Complete the following and select OK:
Incoming Interface ssl.root
Source Address all
Source User(s) Tunnel
Outgoing Interface wan1
Destination Address all
Schedule always
Service ALL
Action ACCEPT

Configuring authentication rules

  1. Go to VPN > SSL > Settings and select Create New under Authentication/Portal Mapping.
  2. Add an authentication rule for the remote user:
Users/Groups Tunnel
Portal tunnel-access
  1. Select OK and Apply.

Results

Using the FortiClient SSL VPN application on the remote PC, connect to the VPN using the address https://172.20.120.136:443/ and log in with the twhite user account. Once connected, you can connect to the head office server or browse to web sites on the Internet.

From the web-based manager, go to VPN > Monitor > SSL-VPN Monitor to view the list of users connected using SSL VPN. The Subsession entry indicates the split tunnel which redirects SSL VPN sessions to the Internet.