SSLVPN: Forticlient vs AnyConnect

As somebody who manages a Fortinet HA pair, the bullet points are very accurate. Lately we noticed it’s a buggy mess at times.

I’m gonna investigate ASAv if we even have the vpn licenses for that already, if I can transfer them over. That would be a nice solution, possibly.

Also thanks for the info regarding Palo Alto. We are starting to work with a new company for assistance this year, and we will get a PA FW for certain parts of our system after summer. So we might be able to switch over to that instead of the Fortigate we use today. I need split DNS though, so the extra license is a must. But I will certainly look into it.

Fortinet admin 3 years. This is the takeaway comment. It’s not near-perfect like Cisco but employees get used to the minor nuances after a while. Good internet and wifi connectivity, and rebooting. We use free version like OP and understand the trade-off for a ‘free’ FortiClient product and perpetual licensing. Latest 7.2.2 has been running much better.

Cloudflare man-in-the-middles the traffic. Gets all the traffic.

Interesting. We are not an Azure shop, we host almost everything on-prem. But I like Cloudflare and will look into how it could suit our needs, if even possible…

VPN only version also has a banner across the top

That is very good information, regardless of your commercial interest. :smiley: I’ll take a look. I briefly looked into FortiGate’s ZTNA thingy but it required FortiClient EMS licenses in addition to what we have, so I went with what I already knew. Your point is good however, as I already suspected when I created the post - I need to get updated on what is the best solution for today, not for 15 years ago. :smiley:

Good point, I might head over there

That’s not accurate though. We have the basic version that comes with a Fortinet firewall, and we have split tunnelling and that part works just fine.

Set up split tunneling on the FortiGate SSL-VPN Portal.

Have you looked at something like Azure App Proxy for your web app? It’s pretty easy to deploy and allows you to MFA anything you like with a conditional access policy.

You can suppress the banner (and even preconfig connection info) fairly easily. Are you deploying the agent to your devices using an RMM of some sort?

“Connecting %” is weirdly the method Fortinet uses to determine errors. Yeah it’s weird.

You can do everything you’re looking for with a Fortigate without special VPN licensing. I recommend the SSLVPN client over AnyConnect.

d*ng; slated to replace ASA with Forti within weeks.

So does any other security web proxy service.

Cloudflare works with our on-prem stuff with no issues.

There’s a lot to chew on, but I’m glad to hear that directory might be helpful. You’re welcome to message me if you want to chat. Good luck!

Possibly our provider just misconfigured it then. I know that we would have the routes configured in the client and it wouldn’t set them when the client activated, so I attempted to work around it with PowerShell when the client activated.

Almost all of our users were instructed to login to the vpn site over https to download the client, which then displays the banner. If you have a solution to hide it, I’d be very pleased!

Your provider misconfigured it. It’s trivial to be split tunneling.

You are correct that trying to correct the issue on the endpoint via route control isn’t going to be a good solution.

Your deployment leaves a lot to be desired. You are going to have different versions over time, they will have to manually configure their VPN endpoints etc.

You need some mechanism to handle deploying reg keys to control the user experience.

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\Sslvpn\Tunnels\$tunnelname

We use the below config.

promptusername 1

server $URL:$port

ServerCert1

sso_enabled 1

promptcertificate 1

To suppress the no support checkbox simply clear the below key before the user runs the app.

HKEY_LOCAL_MACHINE\SOFTWARE\Fortinet\FortiClient\RunOnce
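The comment above lists the registry values it pushes to preconfigure the FortiClient SSL VPN tunnel and then clears the RunOnce key. The following PowerShell script is an added example of deploying exactly that set of values with an RMM or a startup script; it is not code from the thread or from Fortinet. The value names come from the comment; the registry types (DWord for the numeric flags, String for the server) are assumptions, as is reading the flattened "ServerCert1" line as a value named ServerCert set to 1. The tunnel name, host and port are placeholders.

```powershell
# Added example, not from the thread: deploy the FortiClient SSL VPN tunnel
# profile described in the comment above, then clear the RunOnce key.
# Assumptions: value types (DWord/String) and the name "ServerCert" are
# inferred from the comment, not taken from Fortinet documentation.
# Writes to HKLM, so run from an elevated (SYSTEM or admin) context.
param(
    [string]$TunnelName = 'CorpVPN',          # placeholder tunnel name
    [string]$VpnHost    = 'vpn.example.com',  # placeholder FortiGate host
    [int]$Port          = 10443               # placeholder SSL VPN port
)

$base      = 'HKLM:\SOFTWARE\Fortinet\FortiClient'
$tunnelKey = Join-Path $base "Sslvpn\Tunnels\$TunnelName"
$runOnce   = Join-Path $base 'RunOnce'

# Create the per-tunnel key if it does not exist yet
if (-not (Test-Path $tunnelKey)) {
    New-Item -Path $tunnelKey -Force | Out-Null
}

# The five values from the comment; ${} braces keep PowerShell from
# reading "$VpnHost:" as a drive qualifier inside the string.
$values = @{
    'server'            = @{ Value = "${VpnHost}:${Port}"; Type = 'String' }
    'promptusername'    = @{ Value = 1; Type = 'DWord' }
    'ServerCert'        = @{ Value = 1; Type = 'DWord' }   # assumed name/type
    'sso_enabled'       = @{ Value = 1; Type = 'DWord' }
    'promptcertificate' = @{ Value = 1; Type = 'DWord' }
}

foreach ($name in $values.Keys) {
    $v = $values[$name]
    # -Force overwrites an existing value so the script is idempotent
    New-ItemProperty -Path $tunnelKey -Name $name -Value $v.Value `
        -PropertyType $v.Type -Force | Out-Null
}

# Clear every value under RunOnce before the user first launches the client,
# which is what suppresses the "no support" checkbox per the comment.
if (Test-Path $runOnce) {
    foreach ($prop in (Get-Item $runOnce).Property) {
        Remove-ItemProperty -Path $runOnce -Name $prop -ErrorAction SilentlyContinue
    }
}

# Show the resulting tunnel profile so the deployment can be verified in RMM output
Get-ItemProperty -Path $tunnelKey
```

Run it once per machine before FortiClient is launched; because every write uses -Force, re-running it on a later client version simply reasserts the same profile rather than creating duplicates.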