BruceLiu
New Contributor II

The Root reasons for Disabling SSL VPN Functionality on Specific Devices

Dear Team,
According to the article "Technical Tip: Special Notice for low end units (<2Gb RAM) upgrading to FortiOS 7.4.4 and 7.6.0" or "SSL VPN not supported on FortiGate 90G series models", we understand that FortiGate units with less than 2GB RAM will lose SSL VPN functionality, including the security posture check supported by SSL VPN, when upgrading to newer versions. I would like to inquire about the core reason for this. Will larger models of FortiGate also face this dilemma in the future? Additionally, if larger models also gradually stop supporting SSL VPN along with the security posture check, what would be the alternative solution?
Regards,
Bruce Liu

AEK
SuperUser

Hello Bruce

I don't have the exact answer to your concern, but know that SSL VPN is not secure and is not recommended anymore and should be replaced by ZTNA or IPsec.

AEK
BruceLiu
New Contributor II

Dear AEK,
I would like to understand further: is this an issue with the SSL VPN protocol itself or a FortiGate-level issue? I see that FortiGate's competitors don't seem to be taking such actions. If you know anything, please share with me, thank you.

Regards,

Bruce Liu

pminarik

SSL-VPN is not a standard protocol, it's rather more of a concept for doing a VPN, by utilizing TLS for tunneling, and optionally pretending to be HTTPS traffic or actually using some HTTPS in the implementation. However, everyone's implementation is different and custom. That is why FortiOS SSL-VPN can only be used by FortiClient, and no other client software (unless it was explicitly coded to be compatible with FortiOS, such as the open-source openfortivpn).

TLS and HTTPS are obviously doing well and nobody is planning to decommission those, so SSL-VPN as a concept is perfectly fine as well.

It is just turning out recently that many SSL-VPN implementations have lots and lots of issues...

[ corrections always welcome ]
BruceLiu
New Contributor II

Dear Pminarik,

I agree, the main concern would be that in the current common architecture, the FortiGate SSL VPN combined with the FortiClient and FortiToken MFA mechanism is still relatively secure, especially since it also supports the FIDO FortiToken. So I can infer that Fortinet is unlikely to discontinue the SSL VPN function of FortiGate in the near future, as if this were to happen, many enterprises would be greatly inconvenienced.

Regards,

Bruce Liu

pminarik

Good authentication setup is certainly the core of good VPN deployment, but we should also be mindful of pre-authentication vulnerabilities, where no amount of authentication will help, such as https://www.fortiguard.com/psirt/FG-IR-23-097 .

[ corrections always welcome ]
BruceLiu
New Contributor II

I agree. Does the meaning of the weaknesses you mentioned mean that not all weaknesses can be solved through software updates? Based on my understanding, unless the user is unwilling to update the software version or the system has already reached the end of service, Fortinet will still try to patch those known vulnerabilities as much as possible, right?

Regards,

Bruce Liu

BruceLiu
New Contributor II

Dear pminarik,

So, if FortiGate supports IPSec endpoint tunnels, does this mean that third-party software can also support it? However, if it is built on an SSL VPN tunnel, it will only allow FortiClient to establish a connection tunnel.

Regards,

Bruce Liu

pminarik

> Does the meaning of the weaknesses you mentioned mean that not all weaknesses can be solved through software updates?

So far everything has been patchable, and has been patched. Perhaps it is a failure of my imagination, but I cannot really imagine an issue that would be non-patchable, apart from maybe some catastrophic issue in the TLS protocol itself, but that would be an issue affecting the whole internet, not just SSL-VPN. :)

> So, if FortiGate supports IPSec endpoint tunnels, does this mean that third-party software can also support it? However, if it is built on an SSL VPN tunnel, it will only allow FortiClient to establish a connection tunnel.

FortiGate's IPsec implementation, at its core, is standards compliant and generally interoperable with third-party implementations, as far as I know.

From personal experience, I've used the native Windows client (IKEv2), and the Android version of Strongswan, to connect as dialup clients to FortiGate.

Our customers also regularly establish site-to-site tunnels with other vendors' firewalls/VPN devices.

For SSL-VPN: Correct. Only FortiClient is expected to work officially. Nothing else is supported, but it may in theory work if the author of such software actively worked towards compatibility with FortiOS's SSL-VPN.

[ corrections always welcome ]
Hysterical-Networks

@BruceLiu:

Of all the responses, @Webspacekit hit the nail on the head, IMO. Fundamentally, supporting SSL-VPN and proxy related features is becoming a resource problem for the lowest end desktop models limited to 2GB of RAM. For those of you who have had a firewall go into conserve mode you know what I am referring to.

The company I work for is an Advanced Fortinet partner, and in speaking with our Channel Sales Engineer, what I was told is that Fortinet is looking to separate the SSL-VPN and proxy engine so that it can be updated outside of FortiOS, similar to how the AV and IPS engines receive definition updates. Given the number of zero-day vulnerabilities impacting these features, this makes sense so FTNT can push updates quickly without requiring a FortiOS update.

For those of you with remote access users using SSL-VPN on 2GB models, you can either trade-up to a model that has 4GB or more of RAM (70F or higher) or you will want to begin testing IPSec tunnels for remote access VPN, which will still be supported on these 2GB models.

Thanks,

Michael C (FCP)
