We help IT Professionals succeed at work.

Fortigate SSL VPN issue.

Last Modified: 2020-03-11
In our office firewall is using fortigate 101E ,we has configure SSL VPN to allow our user work from home.

Recently they feedback the can not access one of the FTP server in cloud at home but if using office network then no issue.

I believe that FTP server just allow our office Internet IP and our in our firewall we has turn on split tunneling.

I guess this this server is not the inside the office LAN so the SSL VPN are using thier home IP address.

i know if I disable disable split tunneling traffic will route all the SSL VPN user  access internet via office firewall.But we do not want this option.

may I know Any way to allow SSL VPN user to access this FTP server in cloud ?
Watch Question


"I believe that FTP server just allow our office Internet IP and our in our firewall we has turn on split tunneling."

That is very likely the issue.  With split tunneling, when your remote users try to access the FTP server, the request is seen as coming from their (remote) IP address and the FTP server is rejecting it.

I'm not familiar enough with the Fortigate VPN setup, so I can't tell you specifically how to resolve this.  I would expect that you need to set up some sort of Route command for workstations when they connect to the VPN to route communications to the FTP server through the VPN.  It should be a simple task once you find out where to do it.  As a test, you could do an appropriate Route command on a workstation from a CMD prompt (I'm assuming Windows OS is in use on the workstations) to see if that resolves the issue.  You'd use something similar to:
route -4 add <FTP IP address> <VPN gateway IP>.  That may not be exactly correct but should be a good start.  You could add "-p" after "-4" to make the system remember the new route after rebooting.
Benjamin Van DitmarsSr Network Engineer

just add the ip of the external site

Select youre portal
under Routing Address.

Go to Policy and Objects -> IPv4 Policy

add a firewall rule from zone SSL-VPN Tunnel interface to the wan

Incomming interface SSL-VPN tunnel interface
Outgoing interface {Wan port}
source address: ssl-vpn pool
source user : sslvpn user group
Destination addres : adres of the ftp side
service ftp

Nat enabled.

and check if the client is tunneleling the device over the vpn tunnel.
Get access with a 7-day free trial.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.


Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.