Question about FortiGate remote access VPN quality?

I saw someone mention in the networking subreddit that Fortinet is bad for Remote Access VPN. Is this true? Are there any caveats with certain hardware models and the VPN client connectivity for users?

As always, competency of the people implementing the technology matters significantly.

I’ve got a few clients who have field users using mobile hotspots with zero issues.

I work for an MSP and we started the switch from Cisco ASAs to FortiGates sometime in 2018/2019. Can’t remember when exactly. While FortiGates are absolutely awesome when it comes to NGFW stuff, FortiClient SSL VPN is not the greatest substitute for Cisco AnyConnect. I am going mostly from user feedback and my own experience using FortiClient VPN for about 2-3 years now.

Experiences mentioned below are from mostly using default settings on both. I am sure that tweaks are possible to mitigate or resolve some issues:

- Cisco AnyConnect DTLS appears to have significant performance impact while FortiClient’s DTLS doesn’t improve VPN performance by much

- Cisco AnyConnect has a better recovery mechanism to keep the VPN client connected to the VPN. FortiClient VPN does not tolerate internet connection issues.

- FortiClient (even VPN only) is a considerably larger application than Cisco AnyConnect.

With all that said, FortiClient VPN has some advantages over AnyConnect:

- FortiClient EMS is in my opinion far better than AnyConnect Configuration Tool / profile editor.

- Ability to save VPN profiles

- FortiClient is more versatile when it comes to both VPN and security options

Is FortiClient a sufficient substitute for Cisco AnyConnect VPN? Yes.

Will end users be thrilled by the change? Probably not.

I’ve got a lot of clients in the 1000 to 5000 user range, all of whom increased their remote access usage significantly for WFH during COVID:

a. the FGTs didn’t blink an eye with the increased workload

b. general performance was/is very good and we very seldom hear of connectivity issues except for where the underlying connection is poor

Granted, FCT is not the easiest app to deal with, and versioning especially can be a big problem, but if you can get around these issues, it works fairly well. FCT’s security features are also pretty good.

The authentication/authorization could use a rewrite to achieve feature parity with PAN-OS GlobalProtect. But not being able to get support for it without using EMS is a huge negative and a deal breaker for a lot of our bigger customers.

About 10% of our users suffer from huge problems because FortiClient suddenly disconnects several times a day. Sometimes it tries to reconnect automatically, sometimes it stays disconnected until the user reconnects manually.
FortiClient seems to be much more sensitive to slight instabilities of the underlying Internet connection compared to Cisco AnyConnect. This happens especially when using WLAN at home to connect the laptop to the internet.
One reason for the instability problems could be (I have not verified it) that the laptop tries to use the best WLAN connection and switches automatically from 2.4 to 5 GHz, which then causes FortiClient to disconnect.

We are using FortiGate 600E (6.4.8), FortiClient 6.4.4-6.4.8 (only SSL VPN in tunnel mode) on new Lenovo notebooks with Windows 10/11.

That’s not been my experience; our IPsec VPN connections through FortiClient and a couple of 100Ds have been solid for 4 or 5 years now. We typically only have 3-4 concurrent users, more mid-pandemic, but even then I didn’t notice anybody struggling. Any issues I’ve had to investigate end up being on the user end, high latency and/or low bandwidth with their ISP. If your internet sucks, I can’t help you.

We also have a handful of site-to-site VPNs set up and again I’ve got no complaints, good bandwidth and rock solid. I better go knock on wood now…

We moved from AnyConnect 2 years ago and found the FortiClient works OK but not as well as AnyConnect. Comparing Cisco Firepower and FortiGate, the worse VPN client is so worth it. Firepower is a dumpster fire.

We have people connected for days without issues as long as they have stable internet. However, some people get kicked off daily. We also found that checking Always Up when connecting sends a keepalive and will reconnect. This works great, but it is only in the paid version and the user has to check it every single time.

Fortis are really good actually. But perspectives may differ according to which tech people used previously and, of course, implementation. We use the teleworkers and FortiClient; the U24JEV teleworkers are seamless, the client can be wonky but is generally very reliable if the policies are correct; we have daily all-day users who never have issues.

At my primary job we’ve been running FortiClient SSL VPN for the last few years.

For the most part things have been stable. Most connectivity issues I’ve seen fall into a few categories.

  1. Home internet issues, mostly seems like Comcast users, experiencing random disconnects. Rebooting the router and modem seems to resolve it.

  2. Home security products, especially McAfee, cause problems.

  3. Not setting the connection timer longer than a normal work day causes users to be disconnected after exactly 8 hours.

I’ve got a couple of small clients on the side that I’ve got running 60E/60F and they’ve had no issues at all.

The only issue I have is with Fortinet support shutting down any support case around remote access VPN as soon as they find out you’re using the VPN-only client. It’s a requirement when using a feature of the FortiGate you’re paying for, but they won’t even investigate to see if it is a FortiGate issue. Not everyone has the luxury of being able to invest in technology as an ecosystem the way Fortinet would like us to.

A Layer 8 issue is always a possibility.

I use one for 8-10 hours a day without issue.

We sometimes have issues with very low bandwidth users not being able to connect at all, but other than that no more issues than when we had Cisco VPN.

Some platforms are easier to configure and deploy than others, but I don’t really hold a brand above others. In my experience a correctly configured VPN (YMMV) is rarely the root cause of reported problems. It’s more often issues related to overall connectivity or just idiotic use cases like on-demand viewing of 2GB image files. C’mon, it was slow on the LAN.

This is probably one of the biggest obstacles in IT. So many people say X is bad. They just have no idea how it works, let alone how to deploy a good solution with it.

“Will end users be thrilled? Probably not.” I don’t think they’d be thrilled with AnyConnect or anything else, “just another thing IT is changing”.

  • Cisco AnyConnect DTLS appears to have significant performance impact while FortiClient’s DTLS doesn’t improve VPN performance by much

ehhh I agree on most of your other points besides this one. I was hitting 100Mb/s without DTLS on FortiClient but with DTLS I was saturating 500Mb/s circuits.

Same issue here on multiple 200Es, 6.4.4 - 6.4.8.

TAC has been zero help other than “buy ZTNA for support”, which we did, then had the same issues and they still can’t find a fix. Users constantly have VPN issues where they lose all internal network routes but the VPN still shows connected.

Same here, FortiClient is really, really unstable on our Lenovo notebooks. Multiple people experience daily connectivity issues. Fortinet should really fix the client…