Was looking at deploying 7.2.3 to update from 7.0.8, but found 7.2.4 just came out.
Tried putting 7.2.4 into PatchmyPC, but then found out I couldn’t connect to the VPN after doing so. Normally would expect a little pop up window to login to O365/AAD, but no such pop up appears. Progress gets to 40%, claims ‘SSL VPN Connection is down’, then sits on ‘Status 0%’ and doesn’t change until you close and reopen the app.
After much googling, it appears to be a new bug where Forticlient is attempting to use Certificate auth instead of SAML, even when no certificate is specified.
For some reason, specifying a random certificate allows me to connect, which I don’t think it should, but that’s neither here nor there.
Unfortunately it looks like PatchmyPC can’t deploy older versions of software, which is a bummer.
Wondering what the next best course of action is - stick with 7.0.8 and push that out to all staff, or wait till 7.2.5 and push that out instead (to save multiple restarts for software not all of our staff will use).
Thoughts? Also FYI I guess, for anyone else considering the upgrade.
I use Forticlient SAML with Duo. All was well with Forticlient 7.2.3 but when we tried 7.2.4 we received a 403 error in the Forticlient browser window after completing Duo authentication. We found a workaround of using the SSO external browser setting, but chose to continue using 7.2.3 for now.
We opened a case on this and I just got a reply that this has been assigned known issue 1008116 and is set to be fixed in the 7.2.5 and 7.4.0 Forticlient versions.
Editing to add some info from my call with support. According to my support engineer, the target date for the release of 7.4.0 is May 21 and the target release of 7.2.5 is June 25. Take both of those dates with a grain of salt.
So I had this issue and had to roll back to 7.2.3.
The issue is that the FortiClient is trying to use the user’s local personal certificates to try and authenticate the SSL connection, even if you do not have certificates enabled in your config. This was confirmed when I spoke with TAC.
The only other solution is to delete all user personal certificates but that opens another can of worms especially if you have 300+ users.
We found that some users only had a MS certificate and everything was fine. Some users had additional Adobe certs that caused the client to stop working.
Note that this issue is only with SAML authentication. RADIUS/LDAP is not affected, as we have other customers that are fine.
Nonetheless, 7.2.4 is a bust for me and I’ll be staying away from it regardless.
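The post above says the client picked up whatever personal certificates were present, and that users with only a Microsoft-issued cert were fine while users with extra (Adobe) certs were not. Before deciding whether to roll a version out, an admin may want an inventory of what actually sits in each user’s Personal store. The following is an added, read-only PowerShell snippet, not something from this thread or from Fortinet; it assumes the certificate provider path `Cert:\CurrentUser\My` (standard on Windows) and that a Microsoft CA shows up in the issuer string, which is an assumption about your environment. It deletes nothing.

```powershell
# Added example (not from the thread): inventory the current user's
# Personal certificate store so you can see which machines carry
# non-Microsoft personal certs before deploying a client version.
# Read-only: nothing is removed or changed.
$certs = Get-ChildItem -Path Cert:\CurrentUser\My

# Show each cert with whether it carries a private key and the
# Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), which is what a
# VPN client would be looking for when it tries certificate auth.
$certs |
    Select-Object Subject, Issuer, NotAfter, Thumbprint,
        @{ Name = 'HasPrivateKey'; Expression = { $_.HasPrivateKey } },
        @{ Name = 'ClientAuthEKU'; Expression = {
            $null -ne ($_.EnhancedKeyUsageList |
                Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.2' }) } } |
    Sort-Object Issuer |
    Format-Table -AutoSize

# Flag anything not issued by a Microsoft CA as worth a second look.
# (Assumption: your MS-issued certs have "Microsoft" in the Issuer field.)
$nonMs = $certs | Where-Object { $_.Issuer -notmatch 'Microsoft' }
if ($nonMs) {
    Write-Warning ("{0} non-Microsoft personal certificate(s) found:" -f @($nonMs).Count)
    $nonMs | ForEach-Object { "  {0} (issued by {1})" -f $_.Subject, $_.Issuer }
}
```

Run it in the user’s own session (the store is per-user), or wrap it in a scheduled task or intune/SCCM script that writes the output somewhere central, so you can compare the list against who reported a broken VPN rather than clearing stores across 300+ users.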
7.2.4 caused me a catastrophe. How can a company release such broken software in .4!? Do they have serious coders/testing? Some of us can lose clients because of a f*ck up like this.
We’re using 7.2.3 very successfully. No issues, so if you wanted to go from 7.0 to 7.2, then .3 will work. Just know they changed licensing in EMS in the version change so you may lose functionality unless you purchase whatever licensing you need for your company.
We’re also using an external browser for SAML auth and I didn’t experience the same issue with 7.2.4 during my testing.
Ok so I opened a ticket with Fortinet Support and their answer is that it seems from a specific version you must specify the SAML GUI flag in the XML for the respective profile to not get the 403 Forbidden error unless certain parameters are met.
I am using Cisco Duo as a SAML provider and I have tested this solution by deploying 7.0.11 on one of my machines and so far it seems to be working. Let me know if it works for you.
I am frustrated that it is an XML flag and not a radio button, but it fixes the problem, and at least it seems to be working.
Because I can’t download anything but the latest version on the public website unfortunately. Our Fortigate boxes were purchased by our last MSP, set up by them, and all I did was put them in a courier bag to each office, then download the VPN client to push out to staff.
Thank you for this. I haven’t tested it, but I think I’ve found how to make this change through the Windows Registry. Provided this does work, this could be configured through a Group Policy Preference setting.