Split Tunneling on Remote FortiAP
In a previous post I highlighted the ability to use FortiAPs as remote FortiAPs, enabling remote workers to go home, simply plug a device in, and connect to the "office wifi" as if they were at the office.
I got to thinking, that not everyone would need to tunnel all that traffic back to the office, especially if you have other technologies in place enforcing web filtering (e.g. FortiClient with EMS and off-net web filtering profiles set, etc..), and while the IPSec tunnels add little overhead to the FortiGate itself, you may have a need to "break out" local internet access, as well as the local network.
In this post we'll look at how to enable split tunneling on FortiAP.
You have a FortiAP set up as a remote FortiAP
Your remote FortiAP is managed by a FortiGate running FortiOS 6.2.3 or later
Policies in place to allow access to internal resources, and no internet access policies
It's important to note that Split Tunneling seems to work well in 6.2.3, I have not tested on other versions of FortiOS.
Before we get started, I tested ping access to 18.104.22.168:
With the boring stuff out of the way, let's get to it!
Enabling split tunneling in the remote FortiAP profile:
Before we enable split tunneling, we need to define the type of split tunneling we will be performing. You have two options:
Tunnel - define the subnets you wish to send over the tunnel, anything not defined will be sent out locally
Local - define what you don't want sent over the tunnel, anything not defined will be tunneled
For this scenario we will use the tunnel mode split-tunneling and define what we want to be sent over the tunnel. We will also enable split-tunneling-acl-local-ap-subnet.
To do this you'll need a CLI session to the FortiGate that is controlling the APs and issue the following command.
config wireless-controller wtp-profile edit Remote-FortiAP-Profile-Name set split-tunneling-acl-path tunnel # This is CLI only, you need to do this from CLI set set split-tunneling-acl-local-ap-subnet enable # This can be enabled in the GUI next end
Now that's done, we will browse to WiFi & Switch Controller > FortiAP Profiles and edit the profile being used for your remote FortiAPs. Note the split tunneling section:
We will need to define the split tunneling subnets here, anything your remote users may need to access will need to be defined here.
Enabling Split Tunneling on the SSID:
Now that we've enabled our split tunneling settings on the AP profile, we need to tell our SSID to honor those settings, this is as simple as browsing to WiFi & Switch Controller > SSID> Edit the SSID you wish to split tunnel and enable it.
Assuming you already have policies in place, let's try to ping 22.214.171.124:
Sweet sweet success!
Thank you for reading I hope this has been informative.