Hey all. We’re looking to move into a true SASE ZTNA product. We’ve been looking at solutions like zScaler’s ZPA/ZIA.
An MSP we partner with said they’ve had good experience rolling out Aruba’s SSE ZTNA product. That wasn’t even on my radar. We use other Aruba products, but didn’t know this one existed. Does anyone know if it was a recent acquisition/home brewed? How long ago? Anyone have experience building it out?
We use it internally and we implement it with customers. We also do Palo Alto and Forti.
It’s super easy to set up and use, and I mean super duper easy. The UI is fast and modern, it’s great.
The features are not so great, there are some missing features (like actually being able to see your license usage in the management UI). Also some security features are lacking compared to the others. But if you want simple and easy ZTNA (which is what we need) it is great.
Palo and Forti are by far more complicated to set up; we can set up a new customer with Axis in under 4 hours, with Entra ID integration, ruleset, connector installation, and testing.
Just learning it, so far it’s simple and super flexible. Seems as though the troubleshooting tools are pretty awesome too.
Forti is unfortunately who we’re coming from. VPN via EMS and it’s been a disaster and expanding the use of it doesn’t give me the feel-goods. I trust them with firewalls, but no longer client access.
Niche player is an interesting take, given they have one of the better NAC solutions on the market. But sure niche player.
ZTNA should eliminate the VPN issues with FortiClient. I had issues using IPSec VPN with FortiClient but I hear SSL VPN is supposed to be a little more solid.
I’m rolling out ZTNA with Forti here in a few months to replace Cisco Anyconnect so we’ll see how that goes. Was looking at Aruba but it doesn’t really make a lot of sense since ZTNA is included with FortiGate and FortiClient.
What have been your biggest issues with VPN and EMS?
We are currently exploring FortiSASE now as we are already on FortiClient and SSL-VPN.
ooof
https://www.netskope.com/wp-content/uploads/2024/07/gartner-magic-quadrant-for-single-vendor-sase-1040x1150-1.png
But having used HPE products for 15 years, I would not trust them to hold a door open, except very basic switches.
We’re going the other way. Been using SSLVPN but having trouble so we’re spinning up IPSec as a secondary option for users. Note that we’re still on 7.0.x, haven’t made the jump to 7.2 yet.
I wasn’t thrilled about Forti’s ZTNA stack. Vendors like Aruba and zScaler have datacenters all around the world that act as a zero trust exchange, which the client connects to. Meanwhile, a connector living on your network also builds a connection to the exchange. The ZTE then builds little routes back through the existing connection to your network based on user identity and permissions. So the ZTE acts as a security boundary and access boundary. One advantage is that none of the infrastructure needs to have public IPs - all connections from your network are outbound only. Another advantage is all network traffic from that client is routing through the ZTE’s security boundary, so you’re also protecting all of their internet traffic, like a full tunnel, without that internet traffic having to run back through your firewall or VPN gateway.
Fortinet doesn’t work like that. The FortiGate is the “ZTE” and still needs to be reachable for incoming connections. It can be set up a couple of ways, either by still using a traditional VPN and applying tagging for granular rules, or a ZTNA access proxy that’ll proxy HTTP and TCP traffic over HTTPS connections with the client without tunnels.
I think using Forti as the ZTE is how they’ve been able to market it as a ZTNA, while keeping the cost 50+% lower than the cloud SASE products. I’m in a position where if we’re going to be spending a ton of time setting this up, I want to look at something that doesn’t lock me into specific hardware or introduce network bottlenecks. The Cloud SASE seems more scalable.
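The cloud zero-trust-exchange pattern described in the post above, as an added toy model (not vendor code from Aruba, Zscaler or Fortinet; the class and function names, the policy table and the sample users are all made up for the illustration). It shows the three properties the post calls out: connectors register with the exchange by dialling out and never need an inbound listener, a client is brokered to a private application only when identity and device policy allow it, and any destination that is not a published private app leaves through the exchange's own egress rather than the corporate firewall.

```python
"""Toy model of a cloud zero-trust exchange (ZTE) with outbound-only connectors.

Added illustration, not any vendor's code. Everything here (ZeroTrustExchange,
Connector, grant_access, the policy table, the sample users) is assumed for
the example. Default posture is deny: a request succeeds only when the app is
published by a connector, the device is compliant and a policy rule matches.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Connector:
    """A connector on a private network. It dials out to the exchange and
    announces the apps it can reach; it exposes no listener and has no public IP."""
    site: str
    apps: Set[str]


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset
    device_compliant: bool


@dataclass
class ZeroTrustExchange:
    # policy: app name -> groups allowed to reach it (absent entry == deny)
    policy: Dict[str, Set[str]] = field(default_factory=dict)
    # app name -> site whose connector serves it, filled by outbound registration
    app_to_site: Dict[str, str] = field(default_factory=dict)
    audit: List[str] = field(default_factory=list)

    def register_connector(self, c: Connector) -> None:
        """Outbound registration: the connector tells the exchange which apps it
        serves. Nothing on the private network has to accept inbound traffic."""
        for app in c.apps:
            self.app_to_site[app] = c.site
        self.audit.append(f"connector {c.site} registered {sorted(c.apps)}")

    def grant_access(self, user: User, app: str) -> Optional[str]:
        """Return the connector site to broker to, or None when denied.
        Order of checks: app published, device posture, group membership."""
        if app not in self.app_to_site:
            self.audit.append(f"DENY {user.name}->{app}: not published")
            return None
        if not user.device_compliant:
            self.audit.append(f"DENY {user.name}->{app}: device non-compliant")
            return None
        if not (user.groups & self.policy.get(app, set())):
            self.audit.append(f"DENY {user.name}->{app}: no matching group")
            return None
        site = self.app_to_site[app]
        self.audit.append(f"ALLOW {user.name}->{app} via {site}")
        return site

    def route(self, user: User, dest: str) -> str:
        """Where a client flow goes. Private apps are brokered back through the
        connector's existing outbound session only after grant_access succeeds;
        everything else exits through the exchange's own inspected egress."""
        if dest in self.app_to_site:
            site = self.grant_access(user, dest)
            return f"brokered:{site}" if site else "dropped"
        return "exchange-egress"


def build_demo_exchange() -> ZeroTrustExchange:
    """Assumed demo setup: two sites, one app published without any policy rule."""
    zte = ZeroTrustExchange(policy={
        "erp.internal": {"finance"},
        "git.internal": {"engineering"},
    })
    zte.register_connector(Connector(site="hq", apps={"erp.internal", "git.internal"}))
    zte.register_connector(Connector(site="branch", apps={"files.internal"}))
    return zte


ALICE = User("alice", frozenset({"finance"}), device_compliant=True)
BOB = User("bob", frozenset({"engineering"}), device_compliant=False)

if __name__ == "__main__":
    zte = build_demo_exchange()
    for dest in ("erp.internal", "git.internal", "files.internal", "example.com"):
        print(f"{ALICE.name} -> {dest}: {zte.route(ALICE, dest)}")
    print(f"{BOB.name} -> git.internal: {zte.route(BOB, 'git.internal')}")
    print("\n".join(zte.audit))
```

The `files.internal` case is the one worth noticing: the connector publishes it, but with no policy entry the exchange still drops the flow, which is the default-deny behaviour that distinguishes per-app brokering from a routed VPN.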
FortiClient with SSLVPN has been a tumultuous rollout. We started in 7.0.6, had issues with regular client disconnects, clients not connecting, and bluescreens. Upgrades to 7.0.8, 7.0.10, 7.0.11 resolved some issues but brought on others. 7.0.11 is probably the most stable, but still not a great experience. We have to do things like manage multiple client groups because, for example, DTLS works for some people but not others.
We haven’t made the jump to 7.2 yet, due to horror stories I’ve heard with SAML breaking in the later builds.
I’ve deployed Aruba kit for a number of years. Switching, wireless and NAC are solid. But you do you mate.
That’s partly why I asked whether it was an acquisition. The Axis product looks to have a pretty solid reputation. We’ve also used SilverPeak SD-WAN (now owned by Aruba/HPE) and it’s still pretty top-tier and HP still does a good job supporting it.
I’ll definitely check out Palo Alto too.
Ugh, that’s disappointing to hear you had issues with SSLVPN. I thought that was supposed to work better. The issues we had were FortiClient would hijack the Windows DNS settings to use our internal servers and not change them back upon disconnect. So then clients would lose all internet connectivity including our remote access tools. It only happened to a very small percentage of users but it was a huge issue when it did happen. Things did get more stable in the 7.2 releases.
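A detection check for the failure mode in the post above (internal DNS servers left on the adapter after the VPN disconnects), as an added example that is not FortiClient code and does not use FortiClient's real log format. It assumes an endpoint agent that records the adapter's active DNS servers at each VPN connect and disconnect event; the snapshot lines, the resolver range and the host names are constructed for the example.

```python
"""Flag endpoints whose DNS servers still point at internal resolvers after a
VPN disconnect, the symptom described above (loss of name resolution, and with
it internet access and remote-support tools, once off-VPN).

Added example. The log format, the 10.10.0.0/16 resolver range and the hosts
are assumed; a real deployment would feed this from whatever endpoint
telemetry records adapter DNS settings around VPN state changes.
"""
import ipaddress
import re
from typing import List, Tuple

# Resolver ranges the VPN profile pushes (assumed values for this example).
INTERNAL_RESOLVER_NETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed snapshot format: "<timestamp> host=<name> event=<connect|disconnect> dns=<a,b,...>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+event=(?P<event>connect|disconnect)\s+dns=(?P<dns>\S+)$"
)

# Constructed sample: WS-0977 gets its home router back; WS-0412 is left
# pointing at the internal resolvers. One malformed line is included on purpose.
SAMPLE_LOG = """\
2024-05-01T08:00:01 host=WS-0412 event=connect dns=10.10.0.5,10.10.0.6
2024-05-01T08:05:00 host=WS-0977 event=connect dns=10.10.0.5,10.10.0.6
2024-05-01T16:45:33 host=WS-0977 event=disconnect dns=192.168.1.1
2024-05-01T17:02:10 host=WS-0412 event=disconnect dns=10.10.0.5,10.10.0.6
2024-05-01T17:02:11 this line is malformed and must be skipped
"""


def is_internal_resolver(addr: str) -> bool:
    """True when addr parses as an IP inside one of the internal resolver ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_RESOLVER_NETS)


def find_stale_dns(log_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (host, timestamp, leftover_resolvers) for each disconnect event
    whose adapter still lists an internal resolver. Malformed lines are skipped
    rather than aborting the scan."""
    findings: List[Tuple[str, str, List[str]]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "disconnect":
            continue
        leftover = [d for d in m["dns"].split(",") if is_internal_resolver(d)]
        if leftover:
            findings.append((m["host"], m["ts"], leftover))
    return findings


if __name__ == "__main__":
    for host, ts, resolvers in find_stale_dns(SAMPLE_LOG):
        print(f"{ts} {host}: internal DNS still configured after disconnect: {resolvers}")
```

Run against telemetry from the fleet this gives the list of machines to remediate (and a count to argue with the vendor about); the same predicate works as a post-disconnect self-check on the endpoint if the agent can run it locally.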
Those are some good points to consider. The Fortinet option is scalable with their FortiSASE solution so even if we started with the ZTNA routing through the FortiGate we could expand to their cloud service and it would route the same way that Aruba and zScaler do (based on my understanding of the demo they did for us).
Due to certain compliance regulations we must follow, cloud services can be difficult to get approved for us to use, so for us having it all go through on premise is a benefit at this point. Currently VPN routes ALL traffic through our network but I’d like to get it to where only traffic to on prem services and whatever CASB rules we set up route through our network and everything else goes out direct. I think endpoint protection, Windows firewall, and web policies are decent enough protection for non corporate traffic. We don’t have enough remote workers anyway for bandwidth to be much of a concern.
We do have Aruba switches and are planning to go with their wireless soon. We will probably end up with a gateway for dynamic segmentation as well so at that point we’d have the hardware to support the Aruba ZTNA if Forti proves to be unsustainable.
I haven’t seen many negative reports of either Forti or Aruba ZTNA but people tend to speak more highly of Aruba. I love Aruba products and I hope the Juniper acquisition results in them getting a good firewall option. I also really like FortiGate firewalls aside from their VPN, not sure why that part can be so finicky. I might investigate using the built-in Windows VPN instead of FortiClient until we get ZTNA figured out.
Interesting.
We’re on 7.2.7 on FGT and 7.2.3.0822 for Client.
Had some issues in the original rollout (moving off Anyconnect) and then when moving to SAML (EntraID) but we seem to have hit a stable path for the last year or so.
We’re looking at SASE to actually get most of our users off VPN (to our hubs) as most of them don’t need to reach internal applications on a daily basis. Phase 2 would be to implement SPA for those that need access to internal applications and phase out VPN other than for power users.
If I remember correctly from the workshop I had on it, it utilises the Silver Peak SD-WAN and you can integrate ClearPass for NAC as well.
Thanks for the additional information. I forgot about FortiSASE. I wonder how the pricing would come out compared to the most established vendors.
You can connect to any IPsec device, SilverPeak is just used as example by Aruba. The Axis solution is pretty much vendor agnostic, maybe that changes in the future, but not yet at least.