Recommendations SSLVPN or IPSEC?

IPsec over TCP is coming for FortiClient, so ESP being dropped won’t be an issue.

I thought most of the time these days, it used NAT-T which tunnels it through UDP port 500.

This is shocking. We have many customers that are using 60F and below. All have been using the SSL-VPN for years. How possibly did Fortinet decide to remove it before making any statement! Surely, we don't have to upgrade to 7.6.x, but this is not a way to solve this problem. I am too disappointed.

Did I say you're safe hardening your SSL VPN anywhere?
It's still good practice to do so, if you rely on it.

Yes, you need EMS because EMS is the root CA for the client certificates, and you configure the ZTNA tags only on EMS.

It's good to know now. However, I hope it's still compatible with other services running on 443. As again, many places block anything not 80, 443, 53, etc.

Sounds like you are using IKEv1 version? I heard Windows will switch to IKEv2 soon and drop L2TP.

No. IKE uses UDP/500 and NAT-T uses UDP/4500. Both are often not allowed in guest networks.

Low-memory models have issues with proxy features and stuff related to encryption/decryption. That's the official reason, I guess, but of course Fortinet is also trying to make some money.

Don't use 7.4.5 or 7.6 on a 60F or lower model. Keep the recommended version from Fortinet, 7.2.x.

It’s about forcing companies to spend money on features. VPN is to become a paid feature. Fortinet doesn’t make shit off hardware. They are moving most everything to SaaS. All security vendors are doing it. Just wait until it becomes a monthly subscription model for security features and where the hardware is leased and not purchased.

I thought that for a CA you need FortiAuthenticator? I'm so confused. Can you do CA using EMS only?

I’ll be happy when they do.

I totally agree that the lack of resources on FGT models below 60F causes performance issues. Even so, Fortinet could define a limit for SSL VPN users, for example supported up to 25 for 60F and below models, instead of eliminating the feature. Though, it is easy to do that. Our customers are going to ask why we bought this device if it doesn't support SSL VPN any longer. How should we respond to this question? This puts us in a very difficult position when we deal with the customers.

And what do you do if a zero-day happens and you have a gun to your head to update … It’s either update and kill off your SSLVPN or don’t update and be exposed.

They have you by the short and curlies.

That's something you can do already. You can break down Fortinet licenses to a monthly subscription yourself if you like, and you can already lease hardware. What are you guys talking about?

ZTNA primarily uses device authentication, and the root CA for this client certificate is only the EMS.

That's true, but nothing you could have known beforehand, and also nothing you can do in the future except upgrading the FortiGate or not going to these firmwares.

The restriction is on 7.6 only, right? Which is still a few years away from maturing. You got at least 2 years of advance warning, so I don't know what more you would expect. Can you just keep the customer on 7.4 until the hardware renews?

Also, SSL VPN being deprecated is due to it being unsecured. You want to migrate to IPsec eventually as the feature matures and is on par with SSL VPN.