SSL VPN Split-Tunnel Exceptions

Hi Myke Helstein 

The 3rd party website which you are referring is allowed via your office ISP IPs only ? If yes then in that case you may required to add that 3rd party website IP address under accessible resources in your SSL VPN settings. so traffic from end system will be routed to XG via SSL VPN. ( Also configured VPN to WAN rule with MASQ applied for the same website by putting website IP in destination network/host in rule.)

The above will route the particular site traffic over SSL VPN all the time from end machine whenever end user machine is connected over SSL VPN.

Thanks for the response! I've added the IP of the site we need to flow through the VPN tunnel only to the VPN to WAN rule under "Destination Networks". I'm going to get the team member who needs to use that site to test it and will report back with my findings.

Thanks!

Thanks for the response! I've added the IP of the site we need to flow through the VPN tunnel only to the VPN to WAN rule under "Destination Networks". I'm going to get the team member who needs to use that site to test it and will report back with my findings.

Thanks!

So I was able to test the potential fix and it still isn't working. So just to be clear, I added the IP of the site we need to flow through the VPN tunnel only to the VPN to WAN rule under "Destination Networks". The site I'm trying to hit is "https://ci.family.ca" but it's IP should be "54.172.232.184". That IP is what I added to the "Destination Networks". Is it possible to add the "https://ci.family.ca" as an exception rule to my VPN split-tunnel? I can't seem to add it to the Destination Networks..but maybe I'm just missing a step.

Thanks everyone,

Myke

Hi Myke Helstein 

Only rule configuration is not enough. As we guided you need to add the IP "54.172.232.184"  in the accessible resources over the SSL VPN policy. 

Reference snapshot:

Here you need to the website IP address for which you want traffic route over SSL VPN.

Once it is added and you connect ssl VPN confirm the route of same host has been added in the end system after connecting SSL VPN.

CMD> route print ( command to see routing table of system).

As of now FQDN or domain you can not add in the accessible resources and it is FR as of now. 

Ideas Portal URL : https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/34712602-split-tunnel-to-support-fqdn-host-objects-as-permi

I've gone ahead and added it to the "Permitted Network Resources" in my SSL VPN settings. So far it's still not working. I'm a Sophos noob, so I'm probably missing something or not understanding something properly. Did you want me to check something in a command prompt window? Is that what the "CMD>route print" command you mentioned is?

Hi Myke Helstein 

Yes that command is to check route table of system and you may confirm route getting added.If it is getting added there then the next you may confirm the traffic over XG coming or not on XG CLI via below console command:

command for packet request:

console > tcpdump 'host X.X.X.X.

where X.X.X.X is the website public IP.

command for drop packet

console > drop 'host X.X.X.X

Sorry, I'm still confused as to what I need to do. I tried those commands in PowerShell and it just sat there and did nothing.

Still struggling to get this working, would love some assistance if possible.

Thanks

Hello Myke,

Please send me by PM your Sophos XG Access ID.

Monitor & Analize >> Diagnostics >> Support Access >> ON >> Access Status >> And copy & paste the Access ID and send it to me.

Regards,