SSL VPN Split-Tunnel Exceptions



I'm currently having an issue with Split-Tunnel SSL VPN on the XG Firewall. Typically everything works fine, but I do have a 3rd party website we need to access every now and then that will not work via the Split-Tunnel SSL VPN. Our current work around is to use remote desktop and connect remotely to a workstation at the office and load the site on that. My question is this, is it possible to add a exception to the VPN settings so that this site's traffic is only ever going through the VPN? I don't want it to bypass the VPN at all, because that's why it's currently not working.




  • Hello Myke,

    Thank you for contacting the Sophos Community.

    What is the website you are trying to access? 

    Also in Split Mode, only the Permitted network resources that you specify under the tunnel access will go through the tunnel. 

    If you are trying to send this traffic through the SSL VPN, you would need to add its Public IP to the SSL VPN.



  • Hi  

    The 3rd party website which you are referring is allowed via your office ISP IPs only ? If yes then in that case you may required to add that 3rd party website IP address under accessible resources in your SSL VPN settings. so traffic from end system will be routed to XG via SSL VPN. ( Also configured VPN to WAN rule with MASQ applied for the same website by putting website IP in destination network/host in rule.)

    The above will route the particular site traffic over SSL VPN all the time from end machine whenever end user machine is connected over SSL VPN.

  • In reply to Vishal_R:

    Thanks for the response! I've added the IP of the site we need to flow through the VPN tunnel only to the VPN to WAN rule under "Destination Networks". I'm going to get the team member who needs to use that site to test it and will report back with my findings.



  • In reply to Myke Helstein:

    So I was able to test the potential fix and it still isn't working. So just to be clear, I added the IP of the site we need to flow through the VPN tunnel only to the VPN to WAN rule under "Destination Networks". The site I'm trying to hit is "" but it's IP should be "". That IP is what I added to the "Destination Networks". Is it possible to add the "" as an exception rule to my VPN split-tunnel? I can't seem to add it to the Destination Networks..but maybe I'm just missing a step.


    Thanks everyone,


  • In reply to Myke Helstein:


    Only rule configuration is not enough. As we guided you need to add the IP ""  in the accessible resources over the SSL VPN policy. 

    Reference snapshot:

    Here you need to the website IP address for which you want traffic route over SSL VPN.


    Once it is added and you connect ssl VPN confirm the route of same host has been added in the end system after connecting SSL VPN.

    CMD> route print ( command to see routing table of system).

    As of now FQDN or domain you can not add in the accessible resources and it is FR as of now. 

    Ideas Portal URL :

  • In reply to Vishal_R:

    I've gone ahead and added it to the "Permitted Network Resources" in my SSL VPN settings. So far it's still not working. I'm a Sophos noob, so I'm probably missing something or not understanding something properly. Did you want me to check something in a command prompt window? Is that what the "CMD>route print" command you mentioned is?

  • In reply to Myke Helstein:


    Yes that command is to check route table of system and you may confirm route getting added.If it is getting added there then the next you may confirm the traffic over XG coming or not on XG CLI via below console command:

    command for packet request:

    console > tcpdump 'host X.X.X.X.

    where X.X.X.X is the website public IP.

    command for drop packet

    console > drop 'host X.X.X.X

  • In reply to Vishal_R:

    Sorry, I'm still confused as to what I need to do. I tried those commands in PowerShell and it just sat there and did nothing.

  • In reply to Myke Helstein:

    Still struggling to get this working, would love some assistance if possible.



  • In reply to Myke Helstein:

    Hello Myke,

    Please send me by PM your Sophos XG Access ID.

    Monitor & Analize >> Diagnostics >> Support Access >> ON >> Access Status >> And copy & paste the Access ID and send it to me.