Some of you may already know, but I thought I would share that Fortinet is going to be deprecating SSLVPN in a future release of firmware, so now is probably a good time to look at alternatives such as IPsec or ZTNA.
Thought it was worth spreading the message.
EDIT - A lot of people think I am referring to the 2GB models; however, I am referring to it being removed from all models in the future.
I found this talking about deprecating the feature on models with 2GB or less of RAM on 7.6.0, but I don’t see anything for all models. Can you link the documentation on this?
I feel like an idiot here. The only time I’ve used IPsec is for full s2s VPNs between locations. If they are removing SSL VPN, how easy is it to set up IPsec VPN for a large number of client devices?
Without a source from Fortinet, I’ll call bullshit on this. Yes, the SSLVPN server functionality is disabled by default on 2G RAM models, but I hardly think it’s fully going away.
Fortinet ZTNA sucks and won’t do UDP. That means no AD. The SASE is playing with fire. The SSLVPN is trash. But hey, we now have IPsec VPN with SAML, which is nice. When it works…
I’ve scheduled a meeting with my SE to discuss the way forward. Lots of options with no clear direction, but what is being done with SASE is very interesting. ZTNA seems too flaky to me due to being reliant on EMS. The move to Linux-based EMS is a good step, but it needs to be a Forti OVA image, just like FAC and FAZ, for me to put more faith in it.
I don’t think SSL VPN is going anywhere anytime soon. IPsec VPN IMO lacks basic features like DNS suffixes; AFAIK you can’t add a domain name, so resolving DNS names only works by putting in the FQDN. I don’t think they will change SASE to IPsec until these things are fixed, honestly.
I think it is better to deploy SSL VPN to terminate on a loopback interface and limit my firewall policies and ISDB object rather than IPsec.
I was told by support that they’re definitely deprecating SSL and pushing everyone to go to IPsec. They just couldn’t tell me when exactly.
We just deployed IPsec with IKEv2 to a customer and have run into some issues with Android and Mac devices. Android and macOS don’t appear to support IKEv2, only IKEv1. IKEv1 doesn’t support SAML auth; only IKEv2 does. All of this is with the free FortiClient.
We had to set up the SSL VPN for mobile clients and macOS for now until this is resolved. We tried to go without the SSL VPN; we don’t want it but are forced into it, unfortunately.
I disabled SSL-VPN entirely three years ago after constant security issues with the WebGUI. We moved everyone over to WireGuard. We still use site-to-site VPN using IPsec, and as far as I know that feature is not going away.
I have assumed this for a while, particularly when there are performance issues and, after many support cases, it came back as “won’t fix, change to IPsec”.
Then there are the many CVEs over the past few years, and me thinking Fortinet has just done quick fixes instead of a full code review and then a rewrite/refactor.
We have been exclusively rolling out the IPsec client VPN. Super stable, no maintenance required, and fewer issues.
We can build a FortiClient VPN config and just let people import it. It still uses LDAP on the back end.
The only platform this has issues on is iOS, but I don’t believe in iOS in the enterprise, so not my problem.
On a final note, I feel like we have been seeing regular CVEs about the SSL VPN, but none about the IPsec, so I just assume the code base is more stable and secure.
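As an added illustration of the setup this comment describes, an IKEv2 dial-up client VPN authenticating users through LDAP (example configuration written for this page, not the commenter's own config): the FortiGate checks group membership over LDAPS, hands out addresses and split-tunnel routes to the client, and a single policy lets the pool reach the LAN. Every name (ldap-corp, g-vpn-users, dialup-ikev2, wan1, lan), every address, the DNs, the PSK placeholder and the crypto proposal are assumptions. The FortiClient profile the comment says they distribute for import is not shown; it would only repeat the gateway address, IKE version and pre-shared key chosen here.

```fortios
# Added example, not from the post above. All names, addresses, DNs,
# the PSK and the proposal are assumptions.

# 1. LDAP server used for the EAP user check. LDAPS with a CA cert, so
#    credentials never cross the wire in clear text and the DC is verified.
config user ldap
    edit "ldap-corp"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=corp,dc=example,dc=com"
        set type regular
        set username "cn=svc-fgt-ldap,ou=Service Accounts,dc=corp,dc=example,dc=com"
        set password <service-account-password>
        set secure ldaps
        set port 636
        set ca-cert "CA_Cert_1"
    next
end

# 2. Only members of one AD group are allowed to connect.
config user group
    edit "g-vpn-users"
        set member "ldap-corp"
        config match
            edit 1
                set server-name "ldap-corp"
                set group-name "CN=VPN Users,OU=Groups,DC=corp,DC=example,DC=com"
            next
        end
    next
end

# 3. Internal network pushed as a split-tunnel route, plus the client pool.
config firewall address
    edit "net-lan"
        set subnet 10.10.0.0 255.255.0.0
    next
    edit "addr-vpn-pool"
        set subnet 10.212.134.0 255.255.255.0
    next
end

# 4. IKEv2 dial-up phase 1: EAP (username/password checked against LDAP)
#    on top of a PSK, mode-config assigns pool addresses and DNS.
config vpn ipsec phase1-interface
    edit "dialup-ikev2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set dhgrp 14
        set eap enable
        set eap-identity send-request
        set authusrgrp "g-vpn-users"
        set assign-ip-from range
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.250
        set ipv4-netmask 255.255.255.0
        set ipv4-dns-server1 10.0.0.10
        set ipv4-split-include "net-lan"
        set dpd on-idle
        set psksecret <pre-shared-key>
    next
end

config vpn ipsec phase2-interface
    edit "dialup-ikev2-p2"
        set phase1name "dialup-ikev2"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# 5. Policy: clients from the pool reach only the LAN network, logged.
config firewall policy
    edit 0
        set name "vpn-clients-to-lan"
        set srcintf "dialup-ikev2"
        set dstintf "lan"
        set srcaddr "addr-vpn-pool"
        set dstaddr "net-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The points a practitioner checks in a setup like this: the LDAP bind uses a dedicated service account over LDAPS with the CA pinned, the user group is matched on a specific AD group DN rather than "any LDAP user", and the client address pool is an explicit object in the policy so that nothing outside it can source traffic into the LAN even if a tunnel is established.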
Our Fortinet SE just told us this same thing a few weeks after selling it to us. They also told us we have to buy an advanced license to use IPsec instead of the standard license we bought for SSLVPN.