Is it possible to have both FULL tunnel VPN and Split Tunnel VPN profiles at the same time?

Hi,

Is it possible to have both FULL tunnel VPN and Split Tunnel VPN profiles at the same time?

I.e. VPN account A uses FULL tunnel VPN… VPN account B uses Split Tunnel VPN… on one FW.

I have done this on a CISCO firewall… but I am not sure if it can be done on a Fortinet FW?

Would you please advise?

Thanks.

Yes.

You would need to create separate User groups (User > User Groups) and then assign the split/full tunnel profiles (SSL-VPN Portals) to each group (in SSL-VPN Settings) and obviously add the user to the specific group (not in both), then create the appropriate firewall rules with the groups.

Yes, we have this and use Realms to define each tunnel. We then push the two tunnel profiles to the clients via EMS.

Both of the things mentioned are correct.

Profiles are just templates that define a set of rules and options.

Within the SSLVPN settings a user (or group) is mapped to a profile. As far as I am aware you can have a user/group in a single profile or in multiple profiles, and all the various split tunnels apply. When combining this with a profile that sets full tunnel, it will overrule the splits.

Note: test this! The order of the authentication should not matter, but the policies did.

Here is the KB that explains the SSL VPN authentication: https://community.fortinet.com/t5/FortiGate/Technical-Tip-A-quick-guide-to-FortiGate-SSL-VPN-authentication/ta-p/202041

Realms is sort of creating another SSLVPN server using different authentication schemes. It is commonly used to separate companies on the same SSLVPN server, to allow the usage of different LDAP servers etc.

Yes, we use Azure AD groups and SSO to define our tunnels.

Yes, you can use realms:

create the appropriate firewall rules with the groups.

Thanks for your advice. Would you please give an example of "create the appropriate firewall rules with the groups"?

Because I am facing a problem with the error message "destination address of split tunneling policy is invalid.", which confuses me out of my mind…

What I am doing for user A with full tunneling:

SSL-VPN tunnel interface (ssl.root) → wan1
(SSLVPN_TUNNEL_ADDR1 , A ) → All

SSL-VPN tunnel interface (ssl.root) → lan1
(SSLVPN_TUNNEL_ADDR1 , A ) → All

That works totally fine.

But if I now do user B with split tunneling:

SSL-VPN tunnel interface (ssl.root) → lan1
(SSLVPN_TUNNEL_ADDR1 , B ) → lan_addresss (192.168.1.0/24)

It complains "destination address of split tunneling policy is invalid."
Do you have any suggestions on this?

Is the user added to a group which has an SSL VPN profile/portal with Tunnel Mode and Enable Split Tunneling enabled?

For Routing Address you can leave it blank and Source IP Pools is the IP range for the pool.

In the firewall rule you should add the IP Pool and User group in question.
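As a constructed FortiOS CLI example (not posted by anyone in this thread) of the layout described above (two portals, one group per portal, a policy per group that matches the IP pool plus the group), assuming the address object "lan_address", the groups "vpn-full" and "vpn-split" and the pool "SSLVPN_TUNNEL_ADDR1" already exist:

```text
# Constructed example (FortiOS CLI). "lan_address", "vpn-full", "vpn-split" and "SSLVPN_TUNNEL_ADDR1" are assumed to exist.
config vpn ssl web portal
    edit "full-tunnel"
        set tunnel-mode enable
        set split-tunneling disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    edit "split-tunnel"
        set tunnel-mode enable
        set split-tunneling enable
        set split-tunneling-routing-address "lan_address"
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end
config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "vpn-full"
            set portal "full-tunnel"
        next
        edit 2
            set groups "vpn-split"
            set portal "split-tunnel"
        next
    end
end
# Each policy matches the pool AND the group, so a user only reaches what their own portal's policy allows.
config firewall policy
    edit 10
        set srcintf "ssl.root"
        set dstintf "wan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "vpn-full"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
    edit 11
        set srcintf "ssl.root"
        set dstintf "lan1"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "lan_address"
        set groups "vpn-split"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Policy IDs and names are placeholders; a full-tunnel user will also need a policy from ssl.root to lan1 as in the original post.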

On my side, I have created a firewall rule with the SSL interface as source and rfc1918 (3 subnets in a group) negated in destination, and applied a custom security profile. With this there is no "all" in destination; the full tunnel uses this rule to route to the internet with security. For the SSL split profile I have put the internal subnet in routing address override, plus the correct firewall rule.

With this and realms I can easily handle 2 SSL VPN profiles in tunnel mode: 1 split with DNS suffix, and 1 full for some use cases.

Edit: orthography

For Routing Address you can leave it blank and Source IP Pools is the IP range for the pool.

Thanks for the hint. Eventually I got it by removing everything and doing it again; I think I got locked up somehow in the middle of the firewall policy. After cleaning that up and redoing it, I first left the routing address empty, then created the policy, then went back and set up the routing address under that name in SSL portals. Done this way, it seems to work again.