By Manny Fernandez
August 7, 2020
Dynamic DNS Split-Tunneling for FortiGate VPN
Today a partner reached out to me about Cisco's Dynamic Split Tunneling for AnyConnect, which is apparently a recently released feature. I did a little research, and here is the Fortinet equivalent. In my opinion it is more robust than Cisco's, but that is just my opinion.
Use Case:
The customer has a remote access VPN into the corporate environment. They do not want to rely only on IPv4 and IPv6 split tunneling, but want an additional mechanism that sends selected traffic directly out to the Internet. Here is the article they sent me. In that article, the example sends DNS queries for cisco.com to an external DNS server and all other DNS queries to the internal resolver.
Let’s get started.
First, configure split tunneling the legacy way, using IP addresses and/or subnets.

- Go to VPN.
- Then choose SSL-VPN Portals and edit your portal.
- Click the Enable Split Tunneling button.
- Choose your subnets and/or host IPs.
In step 4 you define which IP addresses and subnets are encrypted and sent to the FortiGate (the "interesting traffic"). Everything else leaves the client directly.
By the way, this mode is known as Split Tunneling Enabled.

Now you will need to:
- Enable DNS Split Tunneling.
- Then click Create New.

Here we can see that I am sending all DNS queries for cisco.com to 4.2.2.2 and 8.8.8.8.

In THIS example, I am sending DNS queries for misses.org to 1.1.1.1 and 1.1.1.2.

And here we can see that multiple domains and multiple DNS resolvers can be added to the same portal.
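For reference, here is the same configuration as FortiOS CLI. This is an added example, not taken from the original post or from Fortinet documentation: the portal name "full-access", the address object "corp-internal" and its 10.10.0.0/16 subnet are assumptions, and the `config split-dns` table is the CLI form of the DNS Split Tunneling GUI setting as I know it from FortiOS 6.4; check the CLI reference for your installed version before pasting it in.

```fortios
# Assumed address object for the "interesting traffic" (step 4 above).
config firewall address
    edit "corp-internal"
        set subnet 10.10.0.0 255.255.0.0
    next
end

# Assumed portal name; adjust to the portal edited in the GUI.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        # Only traffic to the listed addresses goes through the tunnel.
        set split-tunneling enable
        set split-tunneling-routing-address "corp-internal"
        # DNS Split Tunneling: per-domain resolvers, matching the two GUI entries.
        config split-dns
            edit 1
                set domains "cisco.com"
                set dns-server1 4.2.2.2
                set dns-server2 8.8.8.8
            next
            edit 2
                set domains "misses.org"
                set dns-server1 1.1.1.1
                set dns-server2 1.1.1.2
            next
        end
    next
end
```

Verify the result with `show vpn ssl web portal full-access`. One caveat worth keeping in mind: the split-dns table only chooses which resolver answers queries for the listed domains; whether the connections to the resolved addresses then go through the tunnel or straight out the client's local interface is still decided by the split-tunneling routing address from step 4, so both settings have to agree with what you intend.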
Hope this helps.