My company decided to move everything to Fortinet, and one of their projects is to establish a remote access VPN.
I’ve seen that FortiClient VPN is not the greatest, and I’ve even told my company I could deploy another VPN app that is more reliable (like WireGuard).
My company is against open source or really expensive VPN solutions, so I’m a bit stuck here and I’d have to make it work with FortiClient VPN.
I’ve already deployed it for only me as the remote user, but I’m not sure how good it is when deploying it production-wise with 100+ users. My gateway is a 100F HA.
We have had really good success with FortiClient with EMS (definitely get the EMS licenses). We see reliability being more of an issue with internet connections and less an issue with FortiClient.
I’ve been using/deploying/overseeing FortiClient since 2007, so 17 years and while it hasn’t been exactly what I’d call smooth sailing, I’d say it’s as reliable as AnyConnect or GlobalProtect or anyone else’s managed VPN client. Most of the time when something doesn’t work, it isn’t the client itself causing the problem.
Under no circumstances should standard, open source WireGuard ever be considered for production use.
EVERYTHING is manual. IP address assignment, key assignment, key rotation, key revocation, EVERYTHING. It’s a small scale amateur hour solution.
A product that uses WireGuard as a building block is far, far more acceptable. I’m talking about things like Tailscale here - they take care of all of that for you and give you a centralized dashboard for it.
EDIT: Netbird is similar to Tailscale and is also built on WireGuard.
For 100+ users you definitely want EMS. You can also take advantage of the ZTNA tags in FortiClient for your firewall policies, and EMS will also forward logged-in users to the FortiGate so you don’t need the FSSO collector.
FortiClient is decent for VPN and it’s easy to set up with the FortiGate so I wouldn’t look for a different solution just because you’ve read people have problems with it.
Yes, FortiClient is more susceptible to packet loss on the users’ ISPs. Use EMS and it’s not bad to deploy clients and keep up with it. I’ve been using it for several years with no major issues or hurdles.
“Few problems”, “It’s excellent” are the exact opposite of my experience at two companies. EMS is so heavy that it ends up wrecking hard drives, even making Windows updates impossible; most scans and tasks require manual action, and client deployments and updates fail far too often, constantly leaving the system open to vulnerabilities.
The VPN is extremely susceptible to packet loss, so internally it fails 20% of the time (which is, logically, terrible).
I genuinely doubt the honesty of each and every person who rated the service as even acceptable.
We started using FortiGate firewalls a few months ago, and we rolled out FortiClient with EMS for IPsec VPNs. So far we have had great success, only small issues with people having poor connection issues with their ISP.
The FortiClient is a good choice for us as it also handles web filtering and logging, so even when our users are not connected to the VPN it will restrict access to blocked sites.
We use FortiClient with EMS for more than 5 years already and yes, there are sometimes annoying bugs, but as long as a version has no security issue you can stay on an older version too. At least with SSL VPN my experience is by far better than e.g. OpenVPN, Cisco AnyConnect or the Zyxel client. With IPsec VPN I’ve no experience so far with FortiClient VPN (need some features not supported with FortiOS 7.2.x).
Even during pandemic lockdowns, when ISPs were often heavily overloaded and internet links awful, it worked pretty stable, with disconnects only when you really had some timeouts.
For management I would definitely recommend EMS; the 7.2.5 version of the server runs smoothly for me. Upgrading the clients was sometimes a little issue, but mainly with pre-7.2.x versions - they finally made the client really “update” and no longer uninstall, reboot, install new version.
My experience with Fortinet support related to the VPN really sucks; the support guys are not even interested in arranging a call back to the customer to resolve the issue. What I noticed is they just email back and forth and wait for a response. Basically they just try to close the case… no joy with Fortinet support for a serious issue with FortiClient where it’s not even prompting for the credentials or 2FA after a successful login… such awful support from Fortinet. It’s my own experience with Fortinet.
In terms of the client stability, the application is very heavy, and we had loads of issues.
We are using FortiClient EMS & GSLB for the load balancing; geolocation is sometimes not working too.
With forticlient vpn, upgrading to a new version to remedy some sort of bug has always resulted in some sort of new bugs. I would give it a really average rating.
How come there are always mixed opinions on these questions? I have tried deploying an always-on/pre-login FortiClient deployment twice (6.x and 7.0 versions) and have had countless issues with connectivity and stability. (Not to mention that captive portal detection and lockdown (a basic feature on many VPN clients for years) were just released in the past few months.) I am genuinely curious to know how people are set up such that they have such a painless experience.
The general quality is very good, as in the connection is usually solid and it just works when you’re connected to the VPN. The bad reputation comes from CVEs regarding SSL VPN on FortiGates. There are hardening guides and best practices you can find on Google and I would advise using them (local-in policies, loopback interfaces and so on…).
If possible it’s also good practice to use a dedicated FortiGate (or cluster) only for SSL VPN, so that if CVEs are published, you don’t have to update your general firewall, but only your SSL VPN gateway.
Regarding EMS, I would say it highly depends on the number of users and general requirements you have. It doesn’t make sense for a small office with 10 employees, for example, in my opinion.
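As an added example of the local-in policy hardening the comment above refers to (this is not the commenter’s own configuration and not Fortinet documentation), the FortiOS CLI below accepts SSL VPN connections on the WAN interface only from an allow-listed source range and drops the rest before they reach the SSL VPN listener. Assumptions: the SSL VPN listens on TCP 443, the outside interface is named "wan1", and 203.0.113.0/24 is a constructed placeholder for the permitted source range.

```fortios
# Added example (not from the thread): limit who can reach the SSL VPN listener.
# Assumptions: SSL VPN on TCP 443, outside interface "wan1",
# 203.0.113.0/24 is a constructed placeholder for the allowed source range.
config firewall service custom
    edit "SSLVPN-TCP-443"
        set tcp-portrange 443
    next
end
config firewall address
    edit "SSLVPN-ALLOWED-SOURCES"
        set subnet 203.0.113.0 255.255.255.0
    next
end
config firewall local-in-policy
    # Rule 1: accept SSL VPN traffic from the allow-listed range
    edit 1
        set intf "wan1"
        set srcaddr "SSLVPN-ALLOWED-SOURCES"
        set dstaddr "all"
        set service "SSLVPN-TCP-443"
        set schedule "always"
        set action accept
    next
    # Rule 2: deny SSL VPN traffic from everywhere else (evaluated after rule 1)
    edit 2
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "SSLVPN-TCP-443"
        set schedule "always"
        set action deny
    next
end
```

Local-in policies are evaluated top-down before the SSL VPN daemon sees the packet, so after applying this, confirm from a host outside the allowed range that the TCP 443 handshake is refused and from an allowed host that the portal still answers. When remote users arrive from arbitrary home ISPs, as this thread describes, a static source allow-list may be impractical; the dedicated, separately patched SSL VPN gateway the commenter suggests is then the more realistic control.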
I’ve had no issues with stability, but like almost any remote access solution it’s only as stable as the connection you are connecting from (whether that’s Wi-Fi or ISP).
Where I’ve had issues is some of the newer clients 7.2.x and higher. I’ve had incidents where it wouldn’t connect at all no matter what. Destination unreachable as if firewall side is down etc.
Uninstalling and installing a version I know always works, which has become my de facto known-solid version to troubleshoot against (7.0.10), and voilà, it connects instantly. It’s anomalies along those lines I see more with FortiClient, versus connections that establish being unstable. If it connects, it’s been solid. Also, implementing things like RADIUS auth, SAML, Duo or FortiToken are all simple and straightforward.