To exclude specific internet traffic from the FortiSASE tunnel and route it directly out of the user's local internet connection (the endpoint physical interface), you must configure split tunneling via traffic steering. In FortiSASE, this is achieved by modifying the Endpoint Profile. By adding the specific destination (such as an FQDN, IP, or ISDB object for Google Maps) as a steering bypass destination within the endpoint profile, FortiClient is instructed to exclude this traffic from the IPsec/SSL VPN tunnel. This allows the traffic to go directly to the internet, providing local breakout while all other traffic remains steered into FortiSASE for inspection.

A: ZTNA TCP access proxy forwarding rules are designed to securely publish private enterprise applications, not to control outbound internet traffic routing or bypass SASE tunnels.

B: Firewall policies enforce security on traffic after it reaches the FortiSASE gateway. They cannot instruct the local FortiClient to redirect traffic to the endpoint's physical interface.

C: URL filtering exemptions only bypass web inspection for traffic already inside the tunnel; they do not route traffic out of the physical interface or bypass the tunnel itself.

Fortinet Official Documentation: FortiSASE Administration Guide (v23.4 / v24.1), Section: "Endpoint Configuration" -> "Endpoint profiles" -> "Configuring traffic steering". This section details how to use steering bypass rules to exclude traffic from the FortiSASE tunnel.

Fortinet Official Documentation: FortiSASE Administration Guide, Section: "Split tunneling". This section explains the architecture of bypassing the VPN tunnel to allow direct internet access from the endpoint's physical network adapter.