I have mixed feelings about continuing to use SSLVPN with the VPN only version of FortiClient.
I also read a post about SSLVPN being deprecated which adds to the confusion.
I’m now considering IPSEC with the native Windows 10 VPN and machine certificate authentication. Any feedback on moving to this setup?
Ideally, I’d like to take the responsibility of connecting to the “VPN” away from end staff.
Please share your feedback. I’m interested in knowing what’s going on out there.
What’s confusing about it? They are deprecating it, yes, and making pretty good inroads with IPSec: SSO, 443 tunneling etc. Yes, there are hardening guides out there for SSLvpn, but if it’s gone in a few years why bother?
I’d be more inclined to use ZTNA now.
I use it. Works well. There are a few tricks and post-configs you need to do to get it working well, but I have configured it and it’s reliable.
There are a few items I’m still working out, just pesky things like improving encryption and such, but out of the box, if you use the FortiGate Windows native template, it just works.
You will need to change some settings post-config in the VPN network object in Windows to make split tunneling/DNS work right, but otherwise it’s a slam dunk.
There are good hardening guides for sslvpn that I would advise to use (loopback interface, geo blocking and so on).
IPsec is not the solution in my opinion.
Anything but SSLVPN. Most vendors, F included, have been completely unable to produce secure implementations. It’s one 9.8/10 sslvpn zero day after another.
I would move to ZTNA and have IPSEC as backup.
No one has yet given a good workaround for the many places where VPN is required but IPSEC is blocked… e.g. hotels, airports, flights etc.
We have enough traveling users that this will be an issue.
If you have a Forti EMS and licensed clients, and you have only TCP applications and no power users, you can use ZTNA. With ZTNA it is not possible to create resources based on subnets.
ZTNA can only be used if you’ve got a ZTNA license, unlike IPsec and SSLVPN which are out of the box, right?
Any guides that you followed specifically?
My concern about IPSec is compatibility. It often just does not work in guest or hotel WiFi environments, because ESP is dropped. SSLVPN just works in most environments.
This is good advice, follow hardening guidelines. If you have EMS you can also apply an EMS tag to the policy allowing loopback interface access. This way only “known” and EMS-connected clients have access to the SSLVPN port.
Plus: if using EMS you can deploy VPN connections via EMS and use SAML SSO to deliver auto-connect enabled profiles, resulting in automagically VPN-enabled devices, without user interaction (as long as there is already an active SSO session, e.g. Entra).
You can do all these things, and the next zero day (F’s SSLVPN security track record dismal) you’ll be vulnerable to attacks sourced from US IP space.
Do you think the bad guys don’t have US-based IPs to attack from?
Literally IPSEC… And in 7.4+ they’ve made it possible to encapsulate it in a TCP header so you can change the port used to something like 443…
ZTNA also needs 4 GB of memory or more, which means your FG must be an 80F or above!
Wouldn’t you need EMS for ZTNA? I’m just wondering to be honest.
Fortinet offers IPSEC tunnels over TCP to work around this.
Unless they’re running some other inspections to block your traffic.
Albeit on 7.4.x to start, but still… They’re slamming workarounds together to get people through it. You can also do all this on the smaller units… Oh, and IPSEC is actually offloaded where SSLVPN is not.
There are other ZTNA vendors though. Cloudflare is free for 50 users.
I sort of pieced together my own solutions/process based on solving one problem at a time.
Biggest ‘gotcha’ with the Windows 11 client was this:
Example: If you set up the IPsec native Windows template in the FortiGate and only have policies that allow access from the VPN to the internal network the FortiGate is servicing: on the Windows client, use the VPN wizard in the new Metro network tools to configure the client. Once that’s done you need to go into the old-school network adapters screen, right-click on the L2TP adapter you see there (created in the Windows wizard), go to ‘Networking’ > IPv4 > ‘Properties’ > ‘Advanced’ > DNS tab, and check “Register this connection’s addresses in DNS” and “Use this connection’s DNS suffix in DNS registration”, or split tunneling won’t work and you won’t have any internet when you connect to the VPN.
If you configure your FortiGate with additional outbound policies for internet access in order to filter the clients’ traffic, that will work too, but otherwise connecting to the VPN will route ALL DNS and network traffic over the established link.
I have a PS script to do most of this extra work, but it’s 50/50 if it applies properly right now. Still working out the bugs.
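As an added example of the post-config steps described in the post above (this is not the poster’s script and not Fortinet’s code), the following PowerShell builds the native Windows IKEv2 machine-certificate profile, pins the IPsec proposal, adds split-tunnel routes, and sets the two DNS tab checkboxes. The connection name, gateway FQDN, DNS suffix and internal prefixes are placeholders and must be replaced with your own values; the proposal values are assumptions that must match what is configured on the FortiGate. It also handles the case that makes such scripts apply “50/50”: the RAS interface only exists for `Set-DnsClient` after the profile has been dialled once.

```powershell
# Added example, not the original poster's script. Placeholders below are assumptions:
$ConnectionName   = 'Corp-VPN'                              # assumed profile name
$VpnGateway       = 'vpn.example.com'                       # placeholder: FortiGate public FQDN
$DnsSuffix        = 'corp.example'                          # placeholder: internal DNS suffix
$InternalPrefixes = @('10.0.0.0/8', '192.168.100.0/24')     # placeholder: networks behind the FortiGate

# 1. Create the profile once. -SplitTunneling keeps the default route on the local adapter;
#    -AuthenticationMethod MachineCertificate uses the computer certificate, so no user
#    credentials are involved.
if (-not (Get-VpnConnection -Name $ConnectionName -ErrorAction SilentlyContinue)) {
    Add-VpnConnection -Name $ConnectionName `
                      -ServerAddress $VpnGateway `
                      -TunnelType Ikev2 `
                      -AuthenticationMethod MachineCertificate `
                      -SplitTunneling `
                      -RememberCredential `
                      -Force
}

# 2. Pin the IKEv2/IPsec proposal instead of accepting the Windows defaults.
#    These values are assumptions; they have to match the FortiGate phase1/phase2 proposals.
Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
    -AuthenticationTransformConstants GCMAES256 `
    -CipherTransformConstants GCMAES256 `
    -EncryptionMethod AES256 `
    -IntegrityCheckMethod SHA256 `
    -DHGroup ECP384 `
    -PfsGroup ECP384 `
    -Force

# 3. With split tunnelling, only the prefixes you add are routed into the tunnel.
Set-VpnConnection -Name $ConnectionName -DnsSuffix $DnsSuffix -Force
$currentRoutes = (Get-VpnConnection -Name $ConnectionName).Routes | ForEach-Object DestinationPrefix
foreach ($prefix in $InternalPrefixes) {
    if ($currentRoutes -notcontains $prefix) {
        Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $prefix
    }
}

# 4. The two DNS tab checkboxes from the post ("Register this connection's addresses in DNS"
#    and "Use this connection's DNS suffix in DNS registration"). The RAS interface is only
#    visible to the DnsClient cmdlets after the connection has been dialled at least once,
#    so check for it first rather than letting Set-DnsClient fail silently.
$dnsClient = Get-DnsClient -InterfaceAlias $ConnectionName -ErrorAction SilentlyContinue
if ($dnsClient) {
    Set-DnsClient -InterfaceAlias $ConnectionName `
                  -RegisterThisConnectionsAddress $true `
                  -UseSuffixWhenRegistering $true `
                  -ConnectionSpecificSuffix $DnsSuffix
    Write-Output "DNS registration flags applied to '$ConnectionName'."
}
else {
    Write-Warning "Interface '$ConnectionName' not present yet. Connect once (rasdial `"$ConnectionName`") and rerun this script to apply the DNS settings."
}
```

Run it in the user context that owns the profile (per-user profiles live in that user’s rasphone.pbk); verify afterwards with `Get-VpnConnection -Name 'Corp-VPN' | Select-Object Routes, SplitTunneling` and, after the first dial, `Get-DnsClient -InterfaceAlias 'Corp-VPN'`. If a route or the DNS flags are missing, that is the point at which the split tunnel silently falls back to sending all traffic, which is the symptom the post describes.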