I’m considering changing our SSLVPN firewall endpoints over to IPSEC via FortiClient due to the SSLVPN vulnerabilities over the past few years. Am I correct in assuming that IPSEC via FortiClient isn’t prone to the SSLVPN vulnerabilities?
I understand that one of the main benefits of the SSLVPN is connecting out of more restrictive networks. Besides that, what other downsides would there be moving to IPSEC? I’m just thinking aloud here, and seeing if anyone else is doing this in light of last week. (We use Windows AOVPN for most users, but we keep a few FortiGates available as a backup option and for 3rd party vendors.)
From what I remember, IPSec RAVPN on Fortinet does not support SAML. That was one of the major things that forced me to go with SSLVPN with one of the clients.
Might be worth considering ZTNA as an option, especially if you want to maintain flexible authentication options. Prerequisite is that you have EMS, however.
We are now proactively working with our clients to remove FortiClient with SSL. Enough is indeed enough. IPSEC not an option as no SAML support with Entra AD - so FortiClient is now dead to us.
Plenty of other options around. A lot of our client base use virtualised Cisco ASA head ends (HyperV/ESX based) and stick them in a DMZ. AnyConnect (Cisco Secure Client) is a million times better than FortiClient IMvHO. But just my opinion (after having used and supported both for many years).