Is SSL VPN safe to use?

You can use Gmail or any other SMTP server, but you don’t have to. Fortinet runs an SMTP server specifically for this (it’s in System → Settings under Email). Then you go to Security Fabric → Automation and make a Trigger for IPsec VPN tunnel-up/tunnel-down. There is a built-in Action that will send email in Actions → Email, where you can set one or more recipients. Then make a new stitch with the trigger and the Email action.

You can apply regular firewall policies to inbound traffic for SSL VPN (this allows you to use IPS and restrict traffic from threat feeds).

I’ve encountered too many weird problems using IPsec with FortiClient for some reason. It’s always bugs on the endpoint, like the virtual NIC driver hanging and requiring a reboot.

Yes, but it shouldn’t be ignored either. It should always be included in your strategy but never be the only part.

I’ve seen the option, and it might be a way of actually getting IPS (and SSL?) back into the mix. I think this is similar to what the local-in policy option is providing in 7.4. I haven’t checked this yet. Something with time…

IPS is part of the UTM (flow-based), which is performed after routing and firewall policy. See for yourself with the session list and debug flow: it does not do anything with IPS.

Ooh, ok, will try that, thanks.

Hmmm, good idea, I will have to lab this!! Thanks.

In this case, the benefits are not enough: you may choose SSL-VPN mainly for its ease of use from just about any network where outgoing IPsec traffic might not be allowed, and then you change the default port, so you lose that possibility.

In other scenarios, the standard HTTPS port might not be a requirement but SSL-VPN could still be the solution (our main company asks for SAML authentication), and then I agree, why not also change the port…

Interface policies apply before the traffic “enters” the FortiGate; this includes the UTM profiles on the interface policy. My understanding is that this scanning will apply before even the DoS policy, and after that the packet will continue its regular life (which may include being scanned again if other flow-based inspection is applied in the firewall policy).
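The point made across the thread (IPS in a regular firewall policy is evaluated after routing and policy lookup, so it never sees traffic terminating on the SSL VPN listener, whereas an interface policy is evaluated as the packet arrives on the interface) can be checked on a lab box. The configuration and diagnostic commands below are an added example, not taken from any post in this thread or from Fortinet documentation; they assume the SSL VPN portal listens on TCP 443 on an interface named "wan1", and that a built-in IPS sensor named "default" exists. The interface name, the policy ID and the sensor name are placeholders to adjust to your own unit.

```fortios
# Added example: interface policy that runs IPS against inbound traffic to the
# SSL VPN listener (assumed: interface "wan1", SSL VPN on TCP 443, sensor "default").
config firewall interface-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS"
        set logtraffic all
        set ips-sensor-status enable
        set ips-sensor "default"
    next
end

# Verification, step 1: watch the packet path for a connection to the listener.
# Connect a client to the SSL VPN portal while the trace is running.
diagnose debug flow filter port 443
diagnose debug flow trace start 10
diagnose debug enable
# ... initiate the SSL VPN connection from a client, then stop tracing:
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# Verification, step 2: inspect the session table entry for the same connection.
diagnose sys session filter dport 443
diagnose sys session list
diagnose sys session filter clear
```

Read the trace from the top: with only a regular firewall policy in place, the flow output for the listener traffic shows the packet being accepted as local-in traffic without any IPS stage, which is the observation the comment above describes. With the interface policy added, the same trace shows the interface policy hit before the local-in decision, and the IPS log (Log & Report → Intrusion Prevention) records any signature matches against the portal. Keep the trace count small (10 packets here) so the debug output does not flood the console, and always clear the filters afterwards so later debugging sessions are not silently narrowed to port 443.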