Are Fortinet really pulling the plug on SSL-VPN?

As title or is it scaremongering?

I’m just going through a process of migrating 100s of users to Fortinet’s SSL-VPN. It’s all running great but I’m wondering if I’ve made a mistake.

I keep seeing random posts advising that Fortinet are not going to continue with it and it’s actually been removed from some models of Fortigate?

Surely they can’t pull it as the EMS is so tightly intertwined with it?

Thanks

It will only be removed from 2GB models and tabletop models.
IPSEC VPN also works with FortiClient(EMS) and SAML auth, so that’s a good alternative.

EMS’s primary function is management of the FortiClient full suite, including the endpoint protections it offers via web-filtering, application control, and such. Part of that is also the ZTNA solution, which consists of the FortiGate-FortiClient-FortiClient EMS suite. I guess they expect you to move to ZTNA if your workload is TCP based, or use IPSEC with the FortiClient EMS if you need a full VPN tunnel.

IPSEC is an open standard, so less “can go wrong” with it compared to the proprietary ssl-vpn. The downside of ipsec is that sometimes necessary ports are not open, whereas ssl-vpn uses TCP/443, which is always open on any guest/public network.

Anyway, SSL-VPN is still there on 7.6; they dropped it on all 2GB RAM models like 60F, but higher end models still support it. It’s just that the whole market shifts away from ssl-vpn in general, it’s not a Fortinet-specific thing.

Just on small units with only 2g of RAM. Even the brand new 50G only has 2G of RAM…

What FGT are you running?
I haven’t seen consistent info so far - at first it was told that sslvpn won’t be there on 2gb models (like 40f/60f/30g/50g), then it was updated that it will be ditched on all the desktop models (including 90g (?)).
Then some said that feature will remain on 70f and 80f…
So go figure.
But it is quite clear that 2gb models 100% won’t have sslvpn going 7.4.4+ and 7.6+

So I just happened to have my monthly tag up with my Fortinet sales rep and SE… What I was told was that starting with 7.6, SSL-VPN will no longer be available at all on any of the models using the SoC chipset. On all the other models, you will have to go into the cli in order to enable it.

As others have stated, for at least 7.4.4+ and 7.6, on any device that is a 2GB model, ssl vpn will not be available.

They are supposed to be sending me some supporting documentation.

I think there are rumors, Fortinet has not officially announced any plans to discontinue SSL-VPN services.

It is definitely being de-emphasized. IPsec is more secure.

What is the minimum model that will have greater than 2GB of memory?

Not a mistake. You’ll be 2 years until you get to a version where they start doing this, and only on the lowest models — so you won’t be on those with 100s of remote users.

The good news is, when the time comes, you just change the profile on your EMS server for all the users, and bam — they’re on IPsec vpn within a matter of minutes for the whole estate. …you are using EMS, aren’t you? Silly if you’re doing this machine by machine by hand — you’ve wasted more $$ in labour already than the EMS would’ve cost for years of licensing.

Bruh is like they want us to run from lower models… smh

My TAM has inferred that Fortinet will be focussing more on IPsec in the future. Likely since they can now tunnel IKE over TLS, there’s really limited need for SSL VPN anymore…maintaining a proprietary protocol, when they can just encapsulate key-exchange in a common port+protocol to get around NAT-T and port-restriction issues.

They also now have SAML in IPsec tunnels, and require-ems-sn. Granted, some of these are windows-only, but the writing is on the wall, and Fortinet seems a bit more intent on getting to feature parity across the major OS’s now, too.

I shotgun-moved my whole org from SSL to IPsec a couple weeks ago due to issues with SSL VPN. AMA.

They want people moving to Zero Trust/SASE or IPSec because their interface is vulnerable. It gets hammered with logins and can drag the device down.

I’ve been told in 7.8 it will be gone on all models with only sse version remaining

I think we will see every major security vendor dropping ssl vpn in the next few years. The software stack is too complex to maintain securely, we are seeing multiple major ssl vpn provider critical vulnerabilities each year.
IPsec is super old but very well tested, vulnerabilities for it are super rare in comparison. Really zero trust is probably the way forward but it is way more complex, let’s find out? :laughing:

Com update last week. But I think there is a mistake on the side of the Forti SE. I have read the 7.6 release notes, version July 2024. In the release notes, the information is that SSLVPN is removed from models with 2GB memory or lower. Tomorrow I get a 70 and 80F for testing; I will see after the upgrade.

God forbid they add wireguard….

If they use wireguard, that will be cool.

@busybok do you realize VPN technology is over 30 years old?

IPSEC as in IPSEC over TCP like we had 15 years ago on the ASA? or IPSEC over UDP (nat-t)

Not sure ESP 50 is going to be open anywhere we travel to.

thanks!