JNDias
Staff
Article Id 258665
Description

 

This article describes alternatives to SSL VPN web mode. Most web pages are dynamic: for example, JavaScript is used to construct URL links at run time.
This makes it much more difficult to locate and rewrite the URLs in the page returned by the HTTP(S) server (sometimes it is simply impossible to do properly).

The complexity of this URL rewriting keeps increasing, so it is now recommended to use the alternatives presented in this article.
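As an added illustration (not code from the Fortinet article), the following JavaScript shows why this rewriting is unreliable: a toy proxy-style rewriter catches the URL visible in an href attribute but misses the one the page's own script assembles at run time, so that link would go straight to the internal host instead of through the proxy. The proxy prefix, host name and sample page are constructed placeholders.

```javascript
// Added illustration, not code from the Fortinet article: a toy "web mode" style URL
// rewriter (constructed proxy prefix and sample page) and why a JavaScript-built link slips past it.
const PROXY_PREFIX = "https://vpn.example.com/proxy/";

// What a static rewriter can do: rewrite absolute http(s) URLs that are
// visible in href/src attributes so the browser fetches them via the proxy.
function rewriteStaticLinks(html) {
  return html.replace(
    /\b(href|src)=(["'])(https?:\/\/[^"']+)\2/g,
    (m, attr, q, url) => `${attr}=${q}${PROXY_PREFIX}${encodeURIComponent(url)}${q}`
  );
}

// Constructed sample page: one static link and one link built at run time
// from string fragments, which no attribute-level rewriter can recognise.
const SAMPLE_PAGE = `
<a id="static" href="https://intranet.example.internal/app">Static link</a>
<a id="dynamic" href="#">Dynamic link</a>
<script>
  var host = "intranet.example.internal";
  document.getElementById("dynamic").href = "https://" + host + "/app";
</script>`;

// Minimal stand-in for the browser: collect the <a> hrefs, run the inline
// script against a stub document, and return where each link finally points.
function simulateBrowser(html) {
  const links = {};
  for (const m of html.matchAll(/<a id="(\w+)" href="([^"]*)"/g)) {
    links[m[1]] = m[2];
  }
  const stubDocument = {
    getElementById: (id) => ({
      get href() { return links[id]; },
      set href(value) { links[id] = value; },
    }),
  };
  const script = /<script>([\s\S]*?)<\/script>/.exec(html)[1];
  new Function("document", script)(stubDocument);
  return links;
}

// Report which links still go straight to the internal host after rewriting.
function findBypassedLinks(html) {
  const finalLinks = simulateBrowser(rewriteStaticLinks(html));
  return Object.entries(finalLinks)
    .filter(([, url]) => !url.startsWith(PROXY_PREFIX))
    .map(([id]) => id);
}
```

`findBypassedLinks(SAMPLE_PAGE)` returns `["dynamic"]`: the static link was proxied, the script-built one was not.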

 

All the alternatives presented in this article support the Antivirus/Web Filter/DLP/IPS features, unlike SSL VPN web mode, which has very limited support for those features.

Recommendation reminder: VPN or not, it is always good practice to use long passwords together with 2FA/MFA.

 

Scope

 

FortiGate v7.0, v7.2, v7.4, v7.6.

 

Solution
 
The options are listed from most to least recommended.
 
  1. Non-VPN remote access (ZTNA access proxy feature or FortiSASE).

ZTNA requires additional configuration with EMS; it is considered the most secure option.
 
Related documents for this alternative:

ZTNA: Zero Trust Network Access

FortiGate ZTNA configuration examples

 
FortiSASE (Secure Access Service Edge) can include ZTNA as well:

Product page

Fortinet Docs on FortiSASE

Best Practices | 4-D Resources

 

  2. Use IPsec remote access.
IPsec is very flexible and has multiple clients, and its traffic can be offloaded to the NPU (Network Processor).
There are many validated implementations; refer to Remote access in the admin guide.
 
  3. ZTNA agentless web-based application access.

The ZTNA web portal does not need any client-side installation and will not execute client checks.

 

Related documents for this alternative:

FortiGate/FortiOS New Features - ZTNA agentless web-based application access

 

  4. Use SSL-VPN Tunnel mode.
With this method, the user installs FortiClient to access the internal network and authenticates with their credentials.
It can be configured in Full Tunnel or Split Tunnel mode.
 
Advantages:
  • It is flexible and easy to configure.
  • Additional features compared with alternatives.

 

Disadvantages:
  • It is not NPU offloaded.
  • Lower performance overall compared with the other alternatives mentioned in this article.
  • Might not be available on low-end models.
 
Related documents for this alternative:

SSL VPN tunnel mode

Technical Tip: SSL VPN support on FortiGate desktop

Technical Tip: How to configure SSL-VPN split tunnel mode

Technical Tip: Split DNS support for SSL VPN

Technical Tip: How to disable SSL-VPN Web Mode or Tunnel Mode in SSL-VPN portal

 
  5. A VIP, PAT, or 'Virtual Server' together with 'firewall policy authentication'.
This is very useful for those who already have an authentication process in place.
With this method, the user does not need to install anything on the client side.
The server is exposed, but behind authentication (VPN or not, it is always good practice to use long passwords together with 2FA/MFA).
 
Related documents for this alternative:

Firewall Auth (FortiGate administration guide)

Technical Tip: How to configure SAML authentication for firewall policy with Virtual IP (VIP)

 

'Virtual Server' + authentication (HTTPS is recommended instead of HTTP): Technical Tip: Web Server authentication from external network on VIP policy