So, I got the impression that many of you on this sub are migrating from SSL VPN to IPsec VPN for remote access due to recent CVEs, and Fortinet giving off the impression of preferring IPsec VPN as well (removing SSL VPN from smaller appliances, etc.).
Thing is, most of our customers (not necessarily even using FortiGates) migrated to SSL VPN years ago for specific reasons, for example:
- IPsec RA-VPN not working well in public places/hotels because it is usually blocked there
- IPsec RA-VPN having problems with home office users who are being NATted from native IPv6 to IPv4, which in some cases breaks IPsec
SSL VPN is much more robust in those cases. What's your take on this? Just interested to see different viewpoints here.
Fortinet is moving away from SSL VPN due to the vulnerabilities. They are moving to ZTNA. I would keep your gates on the recommended firmware, update when vulnerabilities hit, and PoC the ZTNA setup.
We will migrate from SSL VPN to IPsec as soon as FortiClient supports either an external browser for Azure SAML auth or finally caches user credentials and MS login tokens. Otherwise, clients have to log in with username, password and MFA code every damn time. On SSL VPN you can at least use an external browser for auth, where the MS login is stored.
The answer is simple. Fortinet can't write secure code for SSL VPN. They are a multimillion-dollar company, and they are greedy. Why can't they implement OpenVPN, which is open source and works very well? …
I had my fair share of fun with IPsec-based VPN (Cisco-based), including the ugly hacks for running it over UDP or TCP.
To be honest, I don't understand what the conceptual security problem with SSL VPN is, aside from the inability of the current popular vendors to have a secure web server in their boxes running on a proper operating system that provides isolation between the components.
I mean, the ones that survived the firewall competition are the ones that mostly favoured performance over security, so we get the outcome now.
It's more that those libraries have to be adapted to the custom FortiOS kernel, so patching stuff that is highly targeted and partly open source (so a high frequency of code reviews) is tiresome at the speed things have reached lately. I presume that's why they are going to user-space WAD-based stuff like ZTNA.
Nope. I was testing something like the 7.4.1 client: all was good with UDP, but when I switched to TCP, I didn't even see incoming traffic from the FortiClient.
Everything related to conversion from SSL to IPsec is really a rough road :(. I just got used to this and just assumed that stuff is broken on the client side.
On a good note, FTNT is focusing on conversion both with FortiGates and SASE, and I believe they will get there eventually.
If you are not going to use EMS to do the tagging, what device do you add it to? FortiGate, FortiWeb, FortiSASE (bad example, it includes EMS), FortiProxy? Now the agent on the endpoint needs to be aware of all the application proxies it might need to access, and the only way to get that information distributed to the endpoint is some centrally managed system, and we are back at EMS.