Which FortiClient license to buy only for VPN + tech support?

Hi,

Our company will use remote access (SSL) VPN. No other features of FortiClient are required.
We want to avoid the free ‘FortiClient VPN’ software because we want technical support.

However, I can only see ‘VPN/ZTNA’, ‘EPP/APT’ and ‘Managed’. We don’t want to install any server software on our on-premise server and don’t want to subscribe to cloud EMS.

Does someone know which FortiClient license is suitable for our case, VPN + Tech support without any additional features? I will contact a reseller but I want to check it via a different source.

Thanks.

VPN/ZTNA is the lowest level with support. Why do you not want the central management?

Another recommendation for free client here.

We run it for several hundred users with little issue on the client side. If you have FortiCare you’ll be fine. No need for a paid version of the FCT.

We are using the free version for around 30 devs. Some don’t even use FortiClient but configured their Linux NetworkManager to establish the tunnel.

There’s nothing much to troubleshoot on the client side, and if anything is still required, I believe the FortiGate support will cover it. They will just ask for logs, which you can easily provide from the FCT.

Any license will give you support, but in addition you get a “free” management platform.
As mentioned ZTNA is the lowest version.

https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/og-forticlient.pdf

https://www.fortinet.com/products/smallbusiness/forticlient-cloud

https://forticlient.forticloud.com/static/client/index.html

The free VPN client doesn’t require FortiEMS (cloud or on-premises).

But, the paid FortiClient requires FortiEMS (either cloud or on-premises) to manage those clients.

There is supposed to be a VPN-only license coming out, but I don’t know if it will be useable without EMS. As of right now, there is no way to manage FortiClient without some level of EMS.

With all sincerity, fuck FortiEMS.

EDIT: Let me expand further onto why I despise this half-baked product.

I have deployed this product in an enterprise setting twice (4000~ seats and 10 000~ seats, respectively).

1.) Nobody can troubleshoot it except devs: On both occasions, the installers did not push correctly to all devices. Had to call TAC. TAC clicked the same buttons I did and said “Going to have to make a bug”. Two months later, it was fixed in a new version. Their workaround: Create different AD groups smaller than 400 devices.

2.) It is completely unreliable: Doing the same procedure once, twice, three times does not have the same result: I pushed logging from FCT to FAZ which would forward to FortiSIEM or FortiSOAR, since it doesn’t have ANY integration outside of sending logs to FAZ at what are seemingly random times, even if you set it otherwise. What happened when I pushed this setting the first time? Only on-prem devices received the update even though it was pushed to all devices. Second time? Pushed to all devices (yay) but removed it on some already existing FCTs (Booo, confirmed it was a bug in 7.0.1). Pushed it a third time… Nothing happened. At that point I just gave up and waited for a new release, as you constantly have to do.

3.) FortiEMS Cloud has ZERO, NADA, NILCH, RIEN in terms of native cloud integration. You’re simply paying Fortinet to host a FortiEMS server on a shitty Linux server in Oregon. It has no CSP integration and the only way to link it to your on-prem is to open an LDAPS connection to your DCs from your Edge. Garbage. Their DC doesn’t even have SOC2 or any form of compliance so it can’t be used by serious enterprises.

4.) Providing tags from your inventory is unstable: One of the companies I mentioned was implementing a hybrid network with a CSP. One of the reasons to use FortiEMS was to “evolve” and use “Tags” everywhere in their architecture. Essentially emulating Cloud firewall rules. This sometimes worked like a charm. Other times the IPs would not be added to the dynamic address objects or FortiEMS would quite simply stop detecting the asset and therefore remove the IP from the group.

I could add a couple more points but I have to work… thankfully, not with FortiEMS.

Thanks for the info. Does the VPN/ZTNA edition client work without a management server?

We are understaffed and no one can afford to take care of any additional server software.

How does that work on Windows 11 ARM? Not so good huh…actually, it doesn’t at all. Nor do they even have a Windows 11 ARM VPN client to install except the crappy MS Store, which tries to use the built in Windows 11 ARM VPN…which doesn’t work…so yeah.

Have you rarely experienced problems with free FortiClient VPN? If there is hardly any problem, I think we don’t need tech support.

This is wrong.

Without a license, they will debug on the FortiGate, say “Everything is fine on this end” and away you go.

TAC absolutely does NOT read logs anymore if you don’t have a license. They are swamped as it is, no time offering free support.

Thanks for the info. After reading comments here, I am now considering using the free client.
If using a paid licensed FortiClient without a management server is possible, it might be an option for us as it’s better to have tech support just in case (like insurance).

I guess you had bad experiences with FortiEMS. If so, can you share some examples? Thanks.

Glad I’m not the only one with this opinion. The fabric stuff shits me especially… Have multi tenanted hardware, can join 5 EMSs and only to root… Cooool.

Fortinet might support your free client if you provide the serial, but I think you need an installed EMS to get that.

Installing EMS and licensing it is no big deal however. Takes like an hour.

We switched to FortiGate about 6 years ago and have had 0 problems that uninstalling and reinstalling didn’t fix, but we are also a smaller shop with only 70 employees, but all of them have been working partly to fully remote for the 6 years, so lots of VPN use.

The main issue is updates. We recently deployed MDM on the Mac side (where most of our end users are) and figured out how to get the free installer to update the client in an unattended manner.

Is the SSL client already up and running? Are you having any issues because of which you want to buy the support? I’ve used the free FCT for a long time without any issues.

Our organization uses free FortiClient VPN, and while it’s not the best VPN in any way, I would never suggest to my director that we spend money on any paid version for tech support!
Heck, I’d rather we sys admins get a pay increase instead since we are largely able to work through and troubleshoot any issue that comes up!

Got it. But for a simple SSL VPN setup, I don’t expect OP to run into serious issues.