SSLVPN: Forticlient vs AnyConnect

We have an old Cisco ASA 5516 that we’ve had for sooo many years now. It is however very slow compared to our needs, and we were a bit fed up with Cisco at this point, so we got a new FortiGate instead. The FW itself works fine, and the configuration is a lot nicer than Cisco’s interface.
We have about 30-50 VPN users on any given day, and they were not as happy as we administrators were.

We replaced Cisco’s AnyConnect SSLVPN with the FortiGate’s equivalent, SSLVPN via FortiClient. The issues the users experience are:

  • The client is a lot buggier, sometimes hanging at “Connecting” with no apparent reason (seemingly issues integrating with macOS vpn profiles?). Also have issues with timeouts during connection sometimes, seemingly random.
  • Random disconnects, likely with users who have flaky wifi (not an issue with anyconnect though)
  • Annoying “Upgrade to the full client to access additional features” banner… We don’t want/need to pay for Fortinet EMS, so why bother my users with that information? Very annoying behaviour from Fortinet.

The more vocal users want the old VPN back, which I cannot give them - at least not right now. I don’t like to be the enforcer of bad software, but right now I’m stuck with the fortigate.

So, to my question: What is the VPN solution of choice nowadays? Should I pay 2-3 times the amount of money that it would take to get a Cisco box instead of the FortiGate? We have a possible solution coming next ye… later this year with Palo Alto instead, we might be able to use VPN there instead. Is that a good VPN option?

Our requirements are quite simple honestly:

  • We need to be able to allow access to different endpoints for different people in different departments etc (group based)
  • External authentication provider required (currently using Okta).
  • split tunnel, split dns
  • Lightweight client, not an invasive mega-endpoint-manager-system with everything included. We just want to be able to VPN to certain systems.

So… Am I out of touch here? Do I need to look into cloud stuff, even though I get a rash when people say that the cloud is the solution to mostly everything?

We have Fortinet and we don’t have any of the issues you mentioned.

  1. Use “FortiClient VPN only” and not any other version.
  2. Configure “idle-timeout” & “auth-timeout”.
  3. If you want to go back, then configure IPsec VPN on the Fortinet; then you can use Cisco’s AnyConnect or Windows Always On VPN.
  4. We, for example, use MS Azure MFA.

As we are transitioning our customers from Sophos to Fortinet, I’m reading this thread carefully.

I use Fortinet stuff but not FortiClient. I have paid for Ivanti Secure (formerly Pulse Secure, formerly Juniper Secure Access) for years because the quirkiness of FortiClient VPN is just not something I wanted to deal with, and I was willing to pay for a more reliable alternative. Since you really need to pay for EMS if you want to properly manage FortiClient VPN, I view it as offsetting costs to some degree with having to use a 3rd party solution. Yes, you can use FortiClient VPN only for no extra cost, but IMO it is not a great solution for more than a handful of users due to no central management.

IMO, the top traditional VPN solutions are the same as they have been for years (alphabetical order): Cisco AnyConnect, Ivanti Secure, Palo Alto Global Protect.

The pricing on Ivanti Secure has gotten stupid since they acquired Pulse Secure. I have a hard time recommending it these days on that alone, even though I’m still a fan of the solution, but there is no way I would continue with it beyond when my existing product can be renewed. I’m on the old Pulse Secure VM series and they will eventually stop supporting it, forcing me to re-buy into the new Ivanti Secure VM series.

Palo Alto Global Protect is free with the cost of the box (physical or VM series) for most of the features. If you want HIPS checks, mobile support, IPv6, split DNS, more advanced split-tunneling rules, clientless VPN, and some other stuff, you need to pay for the Gateway license, which is licensed for the box, not based on users, and it’s a very reasonable cost.

You are familiar with AnyConnect already, so I assume you know all the license options for that. If you wanted to go back to AnyConnect, you could use ASAv as opposed to having to buy more hardware.

As a Fortinet admin with five years of experience, I’ve found FortiClient to be somewhat temperamental, especially on macOS, but it has improved over time. Connection issues are often due to poor internet or the need for a system reboot. While I don’t face random disconnects and we don’t see banner messages thanks to EMS, it’s important to recognize that Fortinet products are more affordable than options like Cisco or Palo Alto Networks. This cost saving does come with some quirks, but our organization finds it a worthwhile trade-off.

We went from Watchguard SSL VPN, to Azure SSL VPN, which went OK (except for the fact that if you close the Azure VPN app your VPN connection might randomly drop).

We’re dropping traditional SSL VPNs entirely now and switching to Cloudflare Zero Trust (after evaluating Cloudflare and ZScaler, we went with Cloudflare given it’s free for our company size, and we already do business with them for our websites).

So far our users have absolutely loved it (it automatically connects for them after the initial sign-in and we haven’t had any random drops or anything), and as an IT person I love it because it also acts to stop malware and other security threats on a DNS and HTTP level.

You installed the EMS version of FortiClient. On the same download page, farther down, is the VPN-only version. They won’t get the banner.

You did not provide any info on which model you installed. How did you determine what size Fortigate to install? Have you reviewed the dashboard for high CPU and memory utilization?

It’s worth thinking carefully whether or not you really want to replace one VPN with another.

The U.S. Government correctly issued an executive order mandating Federal Agencies move to adopt Zero Trust principles just six days after the Colonial Pipeline ransomware attack in 2021. Despite the marketing hype which has followed, if we take nothing else away from this motion, it should be that opening ports in our networks to access private systems using the public Internet is over.

There are much better technology architecture options available now than VPN servers built into firewalls, sat out on the public Internet.

Today there are at least 90 projects and businesses dedicated to building modern private access technologies which allow secure remote connections and access to private networks without opening firewall ports or shuttling all traffic through concentrators. Many are commercial options serving businesses, but there are also lots of compelling open source offerings for non-commercial use too.

There’s a directory of vendors and technologies here https://zerotrustnetworkaccess.info/ which attempts to dispense with some of the Zero Trust marketing BS and instead focus on technical discourse, architecture and approach, which you might find helpful.

Disclosure; founder of one of the businesses (https://enclave.io) with a commercial interest in this space.

I’m in a similar situation: moving from ASA to Fortiguard firewall, thought I could just roll out the free FortiClient and all would be good. Sadly the free version is annoying (no MSI, no clean auto upgrade, weird issues on some machines, warning messages) and the lack of support is an issue.
We’re now trialling the paid EMS version and so far it’s loads better, no issues experienced yet.

For any of your Fortinet-specific questions you could ask over at /r/Fortinet

We paid for the FortiClient EMS so I can’t help with any specific questions. I set up our clients with DTLS tunnels, which helped with connectivity; I also set it so they were auto-reconnecting if there was a glitch.
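To make the FortiGate-side knobs mentioned in this thread concrete (the “idle-timeout” and “auth-timeout” settings from the earlier reply, the DTLS tunnel from this one, plus the group-based access, split tunnel and split DNS the original poster asked for), here is an added FortiOS CLI example. It is not from any poster and not a Fortinet-published config; the certificate name, address objects (SSLVPN_TUNNEL_ADDR1, ENG-SUBNETS, FIN-SUBNETS), user groups (VPN-Engineering, VPN-Finance), portal names, interface port2, DNS server 10.0.0.53 and suffix corp.example are all placeholders you would replace with your own. It assumes the two user groups already exist and are populated from your external IdP (for Okta that would be a SAML server under config user saml added as a group member).

```text
# --- Added example: FortiOS SSL VPN, group-based split tunnel with DTLS ---
# All object names, IPs and the interface are assumptions for illustration.

config vpn ssl settings
    set servercert "your-sslvpn-cert"        # use your own cert, not the factory one
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    set port 443
    set idle-timeout 600                     # drop idle sessions after 10 min (default 300)
    set auth-timeout 28800                   # force re-auth after 8 h regardless of activity
    set dtls-tunnel enable                   # UDP/DTLS data channel; tolerates lossy links better than TCP-in-TCP
    set dtls-min-proto-ver dtls1-2           # refuse legacy DTLS 1.0
    config authentication-rule
        edit 1
            set groups "VPN-Engineering"
            set portal "engineering-portal"  # each group is mapped to its own portal
        next
        edit 2
            set groups "VPN-Finance"
            set portal "finance-portal"
        next
    end
end

# One portal per department: tunnel mode only, split tunnel limited to that
# department's subnets, and split DNS so only corp.example goes to the internal resolver.
config vpn ssl web portal
    edit "engineering-portal"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "ENG-SUBNETS"
        config split-dns
            edit 1
                set domains "corp.example"
                set dns-server1 10.0.0.53
            next
        end
    next
    edit "finance-portal"
        set tunnel-mode enable
        set web-mode disable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "FIN-SUBNETS"
        config split-dns
            edit 1
                set domains "corp.example"
                set dns-server1 10.0.0.53
            next
        end
    next
end

# The pushed routes are only a client hint; the firewall policy is what actually
# restricts each group. Match on the group, not just the tunnel address pool.
config firewall policy
    edit 10
        set name "sslvpn-engineering"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "ENG-SUBNETS"
        set groups "VPN-Engineering"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 11
        set name "sslvpn-finance"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "FIN-SUBNETS"
        set groups "VPN-Finance"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things worth checking after applying something like this: confirm with `diagnose vpn ssl list` that sessions show a DTLS tunnel rather than falling back to TLS (client firewalls that block outbound UDP 443 will silently force the TCP path), and test from a Finance user that Engineering subnets are unreachable even when a route is added by hand, since the policy’s group match, not the pushed split-tunnel routes, is the enforcement point.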

We have FortiClient but decided the main VPN be Microsoft’s Always on VPN and use FortiClient as a backup option. FortiClient is trash for SSLVPN and always has been.

We demo’d the Forticlient through our network provider but apparently the basic client doesn’t support split tunneling. Even if you manually set the routes through something like Powershell, the client overwrites the routes. We would have to pay for the full client in order to utilize that.

We also moved from ASA to FortiGate recently and had similar VPN issues.

We do have EMS, but found that using the 7.0.x version client (versus the current 7.2.x) works night-and-day better. No random disconnects without a reason, or at least it doesn’t prompt about it.

If you absolutely just want to still be able to use the AnyConnect client, you can always set up IPsec VPN.

Otherwise I would just see about setting up Zero Trust and forgo the traditional VPN entirely; the only reason we didn’t is because it was vetoed due to the MFA requirement for a particular webapp (dumb story, don’t ask).

We went from an old ASA that I thought was old and slow to a new SonicWall that… ugh. Should have never trusted the consultants on that one. I’m actually running some troubleshooting tests for some of the issues on that at the moment despite my having paid someone a pretty penny to install it. (I’m a 1 man IT shop, so paying someone else is relatively common and should be expected. Having to assist in months of troubleshooting is lame though!)

It sounds like you probably have more troubleshooting to do with the Forticlient, but aside from that, keep in mind that VPN solutions don’t have to be at the edge device. You can have a VPN endpoint behind the firewall if you want another solution, such as an OpenVPN/Wireguard setup, a dedicated VPN concentrator, or even the classic RRAS Windows Server role.

Sounds familiar. I spent over 10 years working with ASAs and the AnyConnect client on the 5506, 5510, 5512 and 5516 models, and while the ASA is obviously a dinosaur, you just can’t beat the AnyConnect VPN client when it comes to stability, reliability, and ease of use.

We finally switched to Fortigates (E and F series) and while the functionality and the UTM/NGFW features were obviously lightyears ahead, the Forticlient is a total POS.

  • Bugs, bugs, and more bugs.
  • Constant issues with dropped connections unless your internet connection is absolutely perfect. You look at the Forticlient the wrong way and it will drop connections.

I hate to tell you this, but there is nothing you can do to fix this unless Fortinet finally re-writes their shitty client from the ground up. We tried many different versions and tweaking the settings etc without much success.

If you look at the Fortinet subreddit, you will find that others have the same issues.

I ended up leaving that org and now work at one that still uses ASAs and the AnyConnect Secure Mobility Client and I can’t tell you the last time my connection dropped or the last time a user complained about issues with their VPN connection.

AnyConnect just never seems to drop; it’s able to sustain the connection through intermittent packet loss and other issues with users’ shitty home connections. I also love how easy it is to upgrade the client: load it up on the ASA and you’re done. Next time the client connects it gets updated… try doing that on the FortiGate.

Twingate zero trust, stop using VPNs. You’ll thank me later.

To reiterate what others have said, skip VPNs, which are too broad and require punching holes in your firewall, and implement zero trust networking. I work on an open source solution (with commercial SaaS too) and wrote a blog in '22 comparing ZTN using Harry Potter analogies… table stakes is to make your assets ‘invisible’ so silly muggles cannot find them - https://netfoundry.io/demystifying-the-magic-of-zero-trust-with-my-daughter-and-opensource/

I feel your pain. We’ve suffered through FortiClient issues, and now I can confidently say that this is not an issue anymore. Here are some of the things that helped in our situation.

  1. Ensure that the FortiClient is compatible with the FortiGate firmware version. https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/afec3249-ed3f-11ea-96b9-00505692583a/forticlient_ems-compatibility-matrix.pdf
  2. Disconnects often happen at the FortiGate level, and you should work with the network administrator to resolve this. Generally split routing issues.
  3. Stubborn clients may need to disable IPv6.
  4. As for the banner, you have downloaded the EMS version and should instead download the free version. If your org has a fortinet support account, you can download the correct free version from the support page.
  5. If you have a valid support contract, open a ticket with Technical support for assistance.

Good luck to you. We nearly threw out the baby with the bathwater until we made some minor tweaks to the configuration.

Thanks for your input. I’ve downloaded the VPN Client from the support site, and it looks identical to the one that the sslvpn “site” provides. So I think I have the correct one… or are you telling me there is a version of the client that does not show that banner?