Keep in mind you have to actually also lock it down in the Local In policy, not just “not use it”. If it’s not exposed on 443 at all, you’re (usually) solid.
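As an added illustration of the Local-In lockdown the comment above refers to (example config written for this thread, not from the original post or from Fortinet): a local-in policy that denies inbound HTTPS on the WAN interface, so the SSL-VPN listener is not reachable even though the daemon still exists. The interface name "wan1" and the assumption that SSL-VPN is bound to TCP/443 on that interface are placeholders.

```fortios
config firewall local-in-policy
    edit 1
        set intf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set schedule "always"
        set action deny
    next
end
```

If SSL-VPN is bound to a non-default port, replace the predefined "HTTPS" service with a custom service object for that port. After applying it, confirm from an external address that the portal no longer answers on that port; an unreachable listener is what makes the "if it's not exposed on 443 at all" argument above hold.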
Packet loss isn’t often the problem, but SSL-VPN sessions will be dropped and VOIP stuff also doesn’t like it.
Yeah, most of my customers are HA but they still only allow me to do upgrades on weekends. Upgrades are supposed to be taken off my plate/split up since I’ve been doing them almost weekly for 2 years, but it hasn’t really happened yet.
Over 300 firewalls here. At least only 2 had the VPN enabled, so at least there’s that. The vulnerabilities are a nightmare, every time we have to patch for one SO. MANY. BUGS. On several occasions we’ve had to roll back and find workarounds because we just can’t work… from routing issues to traffic just vanishing over VPN tunnels. I’m kinda done with them, would swap to something else but man, we’ve got like 2/3 of their product stack so it’s going to be a nightmare if we do.
Even most partners don’t.
Depends on your relationship with Fortinet, but generally no.
Which is strange. With the last SSL VPN vuln my company received the advanced notification and had the patch installed the day of disclosure. This is the first time I’ve heard of this one.
It varies. But yes, advanced notification is not a standard service. Normal disclosure applies to most customers.
Write-up may come out later. The last blog write-up came out several days after the PSIRT notification…
I’m on FortiManager Cloud which is only at 7.2.2, there is no option to upgrade to 7.2.3.
Agree… And it’s a process I appreciate. All I need to see is a sudden drop of updates across all major versions to know that something’s up and that I need to patch ASAP, don’t need more detail about why initially.
We used to get a heads-up that we needed to patch from our SE re: features we needed to worry about, but that hasn’t happened in years.
I guess this does make sense. But it is well known already through third party channels. And the people following the fortinet IR advisories don’t get alerted about it.
Have you tested it? Because right now, the CVE isn’t on the IPS signature list, so how can we know if they pushed/fixed the issue on release > 7.2 with virtual patching enabled? Because if they pushed it 1 week after the CVE was released, it makes no sense to enable virtual patching.
Does someone have more information about that?
I agree, but public perception weighs a lot for those above me paying for the product.
Fortinet is already being dragged at local security events because of all the recent issues.
I like Fortigates and still recommend them but they are having issues as of late with firmware stability and VPN vulnerabilities.
Try explaining that to the panicking CISO that’s on my ass.
Actually, it’s up there now…
That is indeed a problem. We use SSLVPN scarcely. It has a big performance impact, so we use it just for vendors and ad-hoc work. VOIP we don’t struggle with, but if you do like proxy stuff, I get that.
However, that’s still a small problem that requires a reconnect, vs. security updates that are gonna give someone root on your appliance.
That’s just until they get ransomwared.
After that, patching is any time necessary.
Honestly, depending on your needs and use case I would say Palo is pretty much the only other major player these days. And I can tell you: they’re not much better when it comes to stability and bug finding and remediation. And I definitely think Forti makes up for this with a better price point, and ease of use and upgrades.