AmmaIsha
Staff
Article Id 359125
Description

This article describes which FortiGate models have SSL VPN available in each firmware version.

Scope

FortiGate.

Solution

In v7.6.3 and later, SSL VPN tunnel mode is deprecated for all FortiGate models, and models with SSL VPN web mode available have it renamed to 'Agentless VPN'.

 

After upgrading from earlier firmware versions, the tunnel mode configuration is not retained, and SSL VPN tunnel mode will not function. See FortiOS v7.6.3 Release Notes.


FortiClient uses tunnel mode to connect to the SSL VPN. If FortiClient SSL VPN is in use, it is strongly recommended to migrate to another remote access method, such as IPsec VPN, before upgrading in order to maintain remote access. See the document: SSL VPN to IPsec VPN Migration.

 

Additionally, SSL VPN tunnel mode and web mode support are dependent on the hardware platform.

 

G series SSL VPN support:

FortiGate 120G/121G and higher G series models have similar SSL VPN feature support to earlier hardware families. In v7.6.3 and later, SSL VPN tunnel mode is not available, but web mode is available as 'Agentless VPN'.

 

FortiGate 90G/91G and lower G series models do not support the SSL VPN feature. In some earlier firmware versions, it is possible to configure SSL VPN, but the feature is removed in later firmware versions. For the 30G/50G series FortiGates, the SSL VPN feature has never been supported since launch.

For example, it is possible to configure SSL VPN on a 90G/91G running firmware v7.2.11 or v7.4.7, but it is not available in later firmware versions such as v7.2.12, v7.4.8, and v7.6.1. This is an expected change; see issue ID 1026775 in the v7.4.8 Release Notes.

 

If SSL VPN is currently deployed on a 90G/91G or lower G series device, it is recommended to follow SSL VPN to IPsec VPN Migration if VPN clients are in use, and to migrate to ZTNA access proxy (see ZTNA agentless web-based application access v7.6.1) if browser clients are in use.


The following F series models have no SSL VPN support in v7.6.0 and later:

  • FortiGate-40F.
  • FortiWiFi-40F.
  • FortiGate-40F-3G4G.
  • FortiWiFi-40F-3G4G.
  • FortiGate-60F/61F.
  • FortiWiFi-60F/61F.
  • FortiGateRugged-60F.
  • FortiGateRugged-60F-3G4G.


The above models have SSL VPN available in v7.4 and earlier firmware. When upgrading to v7.6 and later, a warning is shown, and SSL VPN is removed after the upgrade.

Future v7.2 and v7.4 releases are not expected to remove SSL VPN for F series models.

 

The following F series models do support SSL VPN in v7.6.2 and earlier firmware:

  • FortiGate-70F/71F.
  • FortiGate Rugged-70F and all variants (3G4G).
  • FortiGate-80F/81F and all variants (DSL, POE, Bypass, etc.).
  • FortiWiFi-80F/81F-2R and all variants (3G4G, POE, DSL, etc.).
  • All other F series models 100F and higher.

 

Like all other FortiGate models, these models do not support SSL VPN tunnel mode in v7.6.3 and later.


Verifying if SSL VPN is configurable:

To verify if SSL VPN is available on an existing device's current firmware, check the configuration file for the 'config vpn ssl settings' section, or log in as super_admin and check manually. If SSL VPN is not available, the following show commands fail. Starting with v7.6.3, SSL VPN tunnel mode is no longer supported, and SSL VPN web mode is called 'Agentless VPN'.

 

FortiGate-91G # show vpn ssl settings

command parse error before 'settings'  <-- tunnel and web mode are not available
Command fail. Return code -61

FortiGate-91G #

 

FG3H0E-1 # show vpn ssl client

command parse error before 'client' <-- tunnel mode is not available

Command fail. Return code -61

FG3H0E-1 #

 

For FortiGate-VM, the 2GB RAM limitation does not affect the availability of SSL VPN web mode.

 

If the configuration section does exist but SSL VPN does not show in the GUI, verify that it has been made visible in the GUI by following the steps outlined in Update SSL VPN default behavior and visibility in the GUI.
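
An offline form of the configuration-file check above, combined with two rules stated in this article (the F series list for v7.6.0 and the v7.6.3 tunnel mode change), as an added example that is not Fortinet code. It assumes a non-VDOM backup in which enabled portal modes appear as 'set tunnel-mode enable' and 'set web-mode enable'; the function names and the sample configuration are constructed, and the G series and 2GB RAM rules are not encoded.

```python
# F series models the article lists as having no SSL VPN in v7.6.0 and later.
REMOVED_AT_7_6_0 = {"FortiGate-40F", "FortiWiFi-40F", "FortiGate-40F-3G4G",
    "FortiWiFi-40F-3G4G", "FortiGate-60F", "FortiGate-61F", "FortiWiFi-60F",
    "FortiWiFi-61F", "FortiGateRugged-60F", "FortiGateRugged-60F-3G4G"}
# Constructed sample backup fragment, not taken from a real device.
SAMPLE = """config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        config bookmark-group
            edit "gui-bookmarks"
            next
        end
    next
    edit "web-only"
        set web-mode enable
    next
end
config vpn ssl settings
end
"""

def portal_modes(cfg):
    """Map each portal in 'config vpn ssl web portal' to its enabled modes."""
    portals, depth, section, name = {}, 0, "", None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("config "):
            depth += 1
            section = line if depth == 1 else section
        elif line == "end":
            depth -= 1
        elif depth == 1 and section == "config vpn ssl web portal":
            if line.startswith("edit "):  # portal entry, not a nested table row
                name = line[5:].strip('"')
                portals[name] = set()
            elif name and line in ("set tunnel-mode enable", "set web-mode enable"):
                portals[name].add(line.split()[1].split("-")[0])
    return portals

def assess_upgrade(cfg, model, target):
    """Findings for upgrading `model` to `target`, a tuple such as (7, 6, 3)."""
    if "config vpn ssl settings" not in map(str.strip, cfg.splitlines()):
        return ["no 'config vpn ssl settings' section"]
    if model in REMOVED_AT_7_6_0 and target >= (7, 6, 0):
        return ["SSL VPN is removed on this model after the upgrade"]
    modes = portal_modes(cfg) if target >= (7, 6, 3) else {}
    notes = {"tunnel": "tunnel mode not retained", "web": "web mode renamed 'Agentless VPN'"}
    return [f"{note}: {', '.join(sorted(p for p in modes if k in modes[p]))}"
            for k, note in notes.items() if any(k in m for m in modes.values())]
```

An empty list means neither encoded rule applies to that model and target version; any portal reported under tunnel mode identifies FortiClient users who need another remote access method before the upgrade.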

 

Related documents:

Troubleshooting Tip: Unable to see SSL VPN and IPsec options under VPN settings

SSL VPN removed from 2GB RAM models for tunnel and web mode

Agentless VPN (formerly SSL VPN web mode) not supported on FortiGate 40F, 60F, and 90G series models

Technical Tip: FortiGate SSL VPN best practices guide