Which firewall has the best VPN client?

I work for an MSP and we will be dropping Cisco in the near future.

We use Cisco firewalls (with ASA OS, not Firepower) mainly for their excellent VPN client, AnyConnect.

What alternative firewall has the best VPN for end users?

In order of importance, we care about the following in a VPN solution:

  1. Stability (shouldn’t drop the connection at the first sign of network trouble)
  2. Support for 2FA
  3. Ease of use for end-user
  4. Ease of pushing new config to client
  5. Ease of initial installation

(The reason we are dropping Cisco is primarily because they have become impossible to deal with for SMB. We spend way too much time on licensing and contract renewal.)

Palo Alto is the way

Palo Alto or Fortigate; it depends on your preference, budget and familiarity, but both are the same as Cisco ASA:

  1. We have experienced this issue, but it can be resolved with the correct VPN configuration.
  2. Both support 2FA/MFA.
  3. If no integration, the end user just needs to input the server and VPN credentials.
  4. If no integration, both are network policy-based, so it’s real-time as long as they are connected to the VPN.
  5. The user just needs to run the installer and go back to item 3.

OpenVPN hands down the best performer

I can’t speak for Fortigate but have used the Cisco garbage in the past.

Palo GlobalProtect is great. Works seamlessly with Okta for MFA. Client installs and updates are easy. I push updates for the user silently in the background when they log on.

No complaints EVER from any user, except the ones that just don’t have any clue how to use remote VPN at all.

Very stable all around, not to mention the firewall platform as a whole is amazing.

Support can be hit or miss. I’ve never had too many issues with them, just depends on who you get.

Currently managing a deployment of 60 Watchguards and can confirm ease of use and deployment is top tier. Extremely affordable solutions for hardware, support and MFA. The MFA solution is super simple and even comes with an additional benefit of being able to use it for user verification for the Helpdesk to validate end users for password changes via auth pushes. It’s written on top of OpenVPN, so if desired you can extend VPN access to mobile devices and tablets. It supports identity portals for SSO integrations and is fairly simple to deploy. All the IKEv2 configurations come with a batch file that will auto-configure the Windows VPN client for secure access and apply the certificate.

Also, for security-focused individuals, a subscription to the Security Suite permits access to a Threat Defense (now called EDR Core) agent that can be deployed to all endpoints. It will do basic-level threat monitoring on the endpoints as well as serve as an additional layer of security where you can restrict VPN access only to clients who are running the agent (which satisfies a requirement from insurance companies for compliance of only company-owned devices being able to access the VPN). If you decide to go the full EPDR (which is the same client), it enables an extremely efficient endpoint protection platform (this is on the back of their acquisition of Panda). It looks at patterns as well as signatures and behaviors and employs a true zero trust platform after a learning period. We tested it with its antivirus turned on and off against a dirty stick of 20 different malware/ransomware samples and it caught and prevented all attempts.

There are a ton of features with Watchguard; this just scratches the surface.

I encourage you to check out Watchguard. They support a few different remote/user VPNs (IKEv2, L2TP, SSL, IPsec). Far and away IKEv2 is the best in terms of security, ease of use, and performance. It’s compatible with Windows, macOS, iOS, and Android (using the third-party StrongSwan app).

  1. Stability

NEVER an issue. Recent firmware added support for the MOBIKE protocol (https://datatracker.ietf.org/doc/html/rfc4555).
You can lose internet and reconnect, switch IPs, connect seamlessly over different interfaces…

  2. Supports 2FA

Allows local database user authentication, RADIUS, and their own AuthPoint (MFA). If your 2FA uses MSCHAPv2, it should work. Duo/Okta/RSA should all work fine. If you use Windows NPS and Azure AD, I believe you can tie that in.

https://learn.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

To be candid, I use Watchguard’s AuthPoint 95% of the time. I’ve also used a couple of third-party services like miniOrange Xecurify, but there are integration guides for the major MFA players, so I have little doubt they will work.

  3. Ease of use for end user

On Windows the user clicks the network icon in the task tray and the VPN is presented above the Wi-Fi connections.

Click it and type name/pass. You can allow them to remember credentials.

If you install the VPN for -ALLUSERS on the machine, it will display on the Windows login screen. The user clicks the VPN, types creds, and then it signs into both the VPN and Windows. Avoids login script issues, etc.

  4. Initial install

Client side

By default the Windows installer is a batch file, a certificate, and a PowerShell script. You just run the batch file; it installs the cert and then runs the PowerShell script to configure Microsoft’s built-in VPN client. I usually just push the cert and PS script through GPO or an RMM tool and call it a day.

Firewall side

Add the RADIUS server to the firewall and you can run through the VPN setup wizard in about 10 seconds. It just asks what public IP/domain name you want to use inside the client, you select your RADIUS server, and then NEXT → NEXT → Finish.

  5. Ease of pushing new config to client

The PowerShell script has two functions:

  1. Add the VPN config if not present.
  2. Update the config if present.

If you want to change anything, you can update the PowerShell script and just run it again.
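The add-or-update behaviour described above, written out as an added example. This is not Watchguard’s own script (the post does not reproduce it); it is an illustration using the `VpnClient` and `PKI` modules that ship with Windows to manage an IKEv2 profile in the built-in client. The connection name, gateway address and CA certificate path are placeholders, and the EAP-MSCHAPv2-over-RADIUS authentication and the IPsec proposal values are assumptions that must match whatever the gateway is actually configured to offer.

```powershell
# Added example, not Watchguard's installer script: add-or-update an IKEv2 profile
# in the Windows built-in VPN client. Connection name, gateway FQDN and CA cert path
# are placeholders; replace them with the values shipped with your installer.
#Requires -RunAsAdministrator

param(
    [string]$ConnectionName = 'Company VPN',                            # placeholder
    [string]$ServerAddress  = 'vpn.example.com',                        # placeholder gateway FQDN
    [string]$CaCertPath     = (Join-Path $PSScriptRoot 'vpn-ca.crt')    # placeholder: CA cert beside the script
)

Import-Module VpnClient -ErrorAction Stop

# Step 1: trust the gateway's CA so IKEv2 can validate the server certificate.
# An all-user profile needs it in the machine Trusted Root store, not the user's store.
function Install-VpnCaCertificate {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { throw "CA certificate not found: $Path" }
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $installed = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
    if (-not $installed) {
        # Import only when the thumbprint is absent, so re-running the script is harmless.
        Import-Certificate -FilePath $Path -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
    }
}

# Function 1 from the post: add the profile if it is not present.
# -AllUserConnection is what makes the VPN appear on the Windows sign-in screen (the post's "-ALLUSERS").
# -AuthenticationMethod Eap gives EAP-MSCHAPv2 user auth, which RADIUS can forward to the MFA provider (assumption).
function Add-CompanyVpn {
    Add-VpnConnection -Name $ConnectionName `
        -ServerAddress $ServerAddress `
        -TunnelType Ikev2 `
        -AuthenticationMethod Eap `
        -EncryptionLevel Required `
        -AllUserConnection `
        -RememberCredential `
        -Force
}

# Function 2 from the post: update the profile when it already exists, so a changed
# gateway address or setting is applied simply by re-running the script.
function Update-CompanyVpn {
    Set-VpnConnection -Name $ConnectionName `
        -ServerAddress $ServerAddress `
        -TunnelType Ikev2 `
        -AuthenticationMethod Eap `
        -EncryptionLevel Required `
        -AllUserConnection `
        -RememberCredential `
        -Force
}

# Pin the IPsec proposals instead of accepting the Windows defaults, which still include
# legacy 3DES / SHA-1 / DH group 2. These values are assumptions; they must match the gateway's policy.
function Set-CompanyVpnCrypto {
    Set-VpnConnectionIPsecConfiguration -ConnectionName $ConnectionName `
        -AuthenticationTransformConstants SHA256128 `
        -CipherTransformConstants AES256 `
        -EncryptionMethod AES256 `
        -IntegrityCheckMethod SHA256 `
        -DHGroup Group14 `
        -PfsGroup PFS2048 `
        -AllUserConnection `
        -Force
}

Install-VpnCaCertificate -Path $CaCertPath

# Idempotent entry point: add when absent, update when present, then apply the crypto settings either way.
$existing = Get-VpnConnection -Name $ConnectionName -AllUserConnection -ErrorAction SilentlyContinue
if ($null -eq $existing) {
    Add-CompanyVpn
    Write-Host "Added VPN profile '$ConnectionName'."
} else {
    Update-CompanyVpn
    Write-Host "Updated VPN profile '$ConnectionName'."
}
Set-CompanyVpnCrypto
```

Because the script checks for the profile before acting, it can be pushed repeatedly through GPO or an RMM tool, as the post describes, and a config change is just an edit to the parameters followed by another run. The explicit `Set-VpnConnectionIPsecConfiguration` call is the part most worth keeping even if the rest is adapted: without it the client will happily negotiate whatever weak proposal the gateway still permits.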

Two that come to mind are Sophos and FortiClient. Currently working out of a Sophos shop and I’ve got to say the products are growing on me. I come from Fortigates in my past and liked those as well. However, I believe they are now requiring additional licensing for the client, but don’t quote me on that.

Sophos allows the users to set up MFA, download a config and the client, all from a user portal.

Watchguard over Forti any day of the week. Our externally hosted Forti solution sucks big time; maybe if you control your own it may be better, but outsourcing ruined our VPN connectivity and we now have little to no control over the firewall. Personally I wish I could have talked them into staying with ASA, it was rock solid.

Watchguard is pretty decent

I will put my vote on Palo Alto Networks with their GlobalProtect VPN client. Their firewalls are second to none and the VPN client just works.

I used to manage Palo Altos and found their VPN easy to manage.

Sure as hell is not Sonicwall.

So, I’d recommend you stop thinking about the VPN being tied to the firewall at all. Instead, go look for a good cheap firewall (or build your own with VyOS or pfSense), and then look for a good VPN endpoint tool, either a cloud-based interconnect like Zscaler Private Access or Tailscale, or OpenVPN, Pritunl, or ZeroTier (can do paid or FLOSS on the last 3).

I’d stick with Cisco and anyconnect. I can feel them making a strong comeback 4th quarter of 2027.