Split tunneling is one of the most powerful features in WatchGuard Mobile VPN with SSL. When configured correctly, it significantly improves performance while maintaining strong security. This guide explains what split tunneling is, why it matters for security, and how to configure advanced split tunneling settings step by step.
What is Split Tunneling and Why Does It Matter?
Split tunneling allows you to decide which traffic goes through the VPN tunnel and which traffic uses the user’s local internet connection. Without split tunneling, all internet traffic from the remote device is forced through the corporate VPN (full tunneling). This can slow down connections and increase load on your firewall.
With properly configured split tunneling in WatchGuard Mobile VPN with SSL, users get the best of both worlds: fast access to public resources (such as cloud services, streaming, or general web browsing) while keeping sensitive corporate traffic fully encrypted and protected.
However, incorrect configuration can create security risks. That is why understanding advanced split tunneling is essential for maximizing both performance and protection.
Benefits of Advanced Split Tunneling
When used wisely, split tunneling offers several important advantages:
- Faster internet speeds for non-corporate traffic
- Reduced bandwidth consumption on the company firewall
- Lower latency for cloud applications like Microsoft 365, Google Workspace, and Zoom
- Better user experience for remote workers
- More efficient use of VPN resources across large teams
At the same time, it allows administrators to maintain strict control over access to internal resources, databases, and business applications.
Step-by-Step: How to Configure Split Tunneling in WatchGuard Mobile VPN
Step 1: Access the WatchGuard Cloud or Firebox Configuration
Log in to your WatchGuard Cloud account or the Firebox Web UI with administrator credentials. Navigate to VPN > Mobile VPN > SSL.
Step 2: Edit or Create a New Connection Profile
Select the existing Mobile VPN profile or click Add to create a new one. Make sure the profile is assigned to the correct users or groups.
Step 3: Enable Split Tunneling
In the profile settings, go to the Routes or Traffic section. Find the option labeled Split Tunneling and set it to Enabled.
Step 4: Define Routes for the VPN Tunnel
This is the most critical part for security. You need to specify which networks or IP ranges should go through the VPN. Common examples include:
- Corporate internal networks (e.g., 192.168.10.0/24, 10.0.0.0/8)
- Server subnets
- Cloud resources hosted in your environment
Add these subnets under Tunnel Routes or Include Routes. Only traffic destined for these networks will pass through the encrypted VPN tunnel.
Step 5: Configure Exclude Routes (Optional but Recommended)
For advanced control, you can add Exclude Routes. This tells the client to bypass the VPN for specific destinations, such as:
- Public DNS servers (8.8.8.8, 1.1.1.1)
- Microsoft 365 IP ranges
- Streaming and social media domains
Excluding non-sensitive traffic helps maintain high speed while keeping the tunnel focused on protected resources.
Step 6: Set DNS Settings
Choose whether DNS queries should be resolved through the corporate DNS servers (more secure) or use the local ISP DNS (faster). For maximum security, we recommend forcing DNS through the VPN tunnel for all corporate domains.
Step 7: Apply and Test the Configuration
Save the profile and push the changes to users. Instruct users to download WatchGuard VPN (latest client version) and reconnect. Test access to both internal resources and external websites to verify that split tunneling is working as expected.
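As an added example (not from the original guide and not WatchGuard's own tooling), here is a small Python check for the route plan built in Steps 4 and 5. It flags a default route in the tunnel list, private subnets in the exclude list, and overlaps between the two lists, and it shows which path a given destination would take. It assumes the client installs both lists into the operating system routing table, where the longest matching prefix wins; the subnets are constructed sample values.

```python
import ipaddress

def parse_routes(cidrs):
    """Parse CIDR strings; strict=False tolerates host bits (192.168.10.5/24)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]

def audit_plan(tunnel_routes, exclude_routes):
    """Return a list of findings for a proposed Tunnel/Exclude route plan.
    An empty list means the plan passed every check."""
    findings = []
    tunnel = parse_routes(tunnel_routes)
    exclude = parse_routes(exclude_routes)
    for n in tunnel:
        if n.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 in the tunnel list is full tunneling, not split tunneling
            findings.append(f"{n} in tunnel routes is a default route: that is full tunneling")
        elif not n.is_private:
            findings.append(f"{n} in tunnel routes is public address space; confirm it is corporate")
    for e in exclude:
        if e.is_private:
            # excluded private space would reach the internal network unencrypted, if at all
            findings.append(f"{e} in exclude routes is private address space; it would bypass the VPN")
        for n in tunnel:
            if e.overlaps(n):
                findings.append(f"{e} (exclude) overlaps {n} (tunnel); the longer prefix wins on the client")
    for i, a in enumerate(tunnel):
        for b in tunnel[i + 1:]:
            if a.overlaps(b):
                findings.append(f"tunnel routes {a} and {b} overlap; one of them is redundant")
    return findings

def classify(destination, tunnel_routes, exclude_routes):
    """Return 'tunnel' or 'local' for one destination, assuming longest-prefix match.
    A destination matched by neither list uses the local connection (split tunneling)."""
    dst = ipaddress.ip_address(destination)
    best = None  # (prefix length, label) of the most specific matching route
    for label, routes in (("tunnel", tunnel_routes), ("local", exclude_routes)):
        for n in parse_routes(routes):
            if dst in n and (best is None or n.prefixlen > best[0]):
                best = (n.prefixlen, label)
    return best[1] if best else "local"

if __name__ == "__main__":
    # constructed sample plan: two corporate subnets tunneled, public resolvers excluded
    tunnel, exclude = ["192.168.10.0/24", "10.0.0.0/8"], ["8.8.8.8/32", "1.1.1.1/32"]
    print(audit_plan(tunnel, exclude) or "plan OK")
    for d in ("192.168.10.20", "8.8.8.8", "93.184.216.34"):
        print(d, "->", classify(d, tunnel, exclude))
```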
Security Best Practices for Split Tunneling
To maximize security while using split tunneling, follow these important recommendations:
- Always use the principle of least privilege — only route necessary internal networks through the VPN.
- Combine split tunneling with AuthPoint multi-factor authentication.
- Regularly review and update tunnel routes as your network infrastructure changes.
- Monitor VPN usage and traffic patterns in WatchGuard Dimension or Cloud for suspicious activity.
- Educate users not to disable the VPN client manually.
Avoid routing the entire internet through the VPN unless your security policy strictly requires full tunneling (for example, in highly regulated industries).
Common Mistakes to Avoid
Many administrators make these errors when configuring split tunneling:
- Routing too many networks through the tunnel, causing performance issues
- Forgetting to update routes after network changes
- Allowing split tunneling without MFA
- Not testing the configuration thoroughly on different devices and networks
Taking time to plan your routing strategy before implementation prevents most of these problems.
Final Tips for Optimal Performance and Security
After configuring advanced split tunneling in WatchGuard Mobile VPN with SSL, always test from different locations and internet connections. Encourage users to keep their VPN client updated and to report any unusual behavior immediately.
When configured properly, split tunneling transforms WatchGuard Mobile VPN from a simple connectivity tool into a smart, secure, and efficient remote access solution that balances user experience with strong corporate protection.
By mastering split tunneling, you can significantly reduce VPN load, improve remote worker productivity, and maintain a high level of security across your organization.