Background on SSL VPN Deprecation in FortiOS 7.6.3
Fortinet has been advancing its Zero Trust Architecture (ZTA) strategy since 2022, introducing key Zero Trust Network Access (ZTNA) features in FortiOS 7.0. Recent versions like 7.6.3 may further prioritize ZTNA over SSL VPN. Fortinet has experienced numerous critical vulnerabilities in its SSL VPN functionality, most notably CVE-2024-21762, which allows unauthenticated remote code execution. These vulnerabilities, including older ones like CVE-2022-42475 and CVE-2023-27997, have been exploited by threat actors, leading to device compromise.
In FortiOS 7.6.3, Fortinet has deprecated and removed SSL VPN tunnel mode on all FortiGate models. SSL VPN tunnel mode is no longer available in the GUI or CLI, and existing SSL VPN configurations are not carried forward by the upgrade. To keep secure remote connectivity, users must migrate to IPsec VPN or move to ZTNA.
If you decide to stay on FortiOS 7.4.x, note that it reaches end of support (EOS) on 11 May 2026. In the meantime, if you run E-series FortiGate hardware, plan to replace it with G-series models as part of your FortiOS 7.6 and ZTNA journey.
Strategic Need to Migrate to Zero Trust (ZTNA)
Fortinet's Zero Trust Direction
- FortiOS 7.0+ integrates ZTNA with FortiClient agents, FortiAuthenticator, and FortiOS application gateways for granular access control.
- ZTNA aligns with hybrid cloud and SaaS environments, reducing attack surfaces compared to SSL VPN's "trusted perimeter" (Trust, but verify) model.
Technical Rationale for Transition
- Enhanced Security: ZTNA enforces "never trust, always verify," mitigating lateral movement risks from compromised endpoints or outdated SSL configurations.
- Performance Gains: ZTNA leverages SASE architecture, enabling low-latency, distributed access without complex tunnel management.
Options:
Short Term:
- Stay on 7.4.x (make sure you have hardened your SSL VPN; references: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Hardening-FortiGate-SSL-VPN-Best-Practices-for/ta-p/349193 and https://www.andrewtravis.com/blog/2024/09/30/fortigate-ssl-vpn-hardening)
- Switch to IPsec VPN if you go to 7.6
Long Term:
- ZTNA
- Stay on IPsec VPN (you may hit operational issues, since some public networks block IPsec)
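Before choosing between these options it helps to know exactly what SSL VPN objects a FortiGate is carrying, since 7.6.3 will not carry tunnel mode forward. The following is an added example, not from this post and not Fortinet's code: it parses a FortiOS CLI backup and lists the tunnel-mode portals and the firewall policies bound to the SSL VPN interface. The sample configuration is constructed, and the table names 'vpn ssl settings' and 'vpn ssl web portal' and the 'ssl.root' interface name are assumed to match the FortiOS CLI backup format.

```python
"""Inventory SSL VPN usage in a FortiOS CLI config backup before an upgrade.

Added example for this post; it is not Fortinet's code and not from the post.
Assumptions: the backup uses the standard FortiOS CLI layout
(config / edit / set / next / end), SSL VPN lives under 'vpn ssl settings' and
'vpn ssl web portal', and SSL VPN policies reference an 'ssl.<vdom>' interface.
The configuration below is constructed for illustration.
"""
import shlex
from dataclasses import dataclass

# Constructed sample: one tunnel-mode portal, one web-only portal, one policy
# from ssl.root, and one unrelated LAN-to-WAN policy.
SAMPLE_CONFIG = """\
config vpn ssl settings
    set status enable
    set port 10443
    set servercert "Fortinet_Factory"
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
    edit "web-access"
        set web-mode enable
    next
end
config firewall policy
    edit 1
        set name "sslvpn-to-lan"
        set srcintf "ssl.root"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "LAN_NET"
        set action accept
        set groups "VPN_Users"
    next
    edit 2
        set name "lan-to-wan"
        set srcintf "port2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
"""


def parse_fortios(text: str) -> dict:
    """Parse FortiOS CLI text into nested dicts.

    The top level maps a table name ('firewall policy') to its entries; each
    entry maps 'set' keys to a list of values with quotes stripped. Nested
    'config' blocks inside an entry nest the same way. Backups omit default
    values, so a missing key simply means the default is in effect.
    """
    root: dict = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        cmd, _, rest = line.partition(" ")
        if cmd == "config":
            stack.append(stack[-1].setdefault(rest, {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(rest.strip('"'), {}))
        elif cmd == "set":
            key, _, value = rest.partition(" ")
            stack[-1][key] = shlex.split(value)
        elif cmd in ("next", "end"):
            stack.pop()
        # 'unset' and other keywords are not needed for this inventory
    return root


@dataclass
class SslVpnInventory:
    enabled: bool           # 'set status enable' present in vpn ssl settings
    tunnel_portals: list    # portals with tunnel-mode enabled (removed in 7.6.3)
    web_only_portals: list  # portals that only use web mode
    ssl_policies: list      # firewall policy IDs bound to an ssl.* interface


def first(entry: dict, key: str, default: str = "") -> str:
    """Return the first value of a 'set' key, or the default if it is absent."""
    vals = entry.get(key, [])
    return vals[0] if vals else default


def inventory_ssl_vpn(cfg: dict) -> SslVpnInventory:
    """Collect every SSL VPN object that a 7.6.3 migration plan must account for."""
    enabled = first(cfg.get("vpn ssl settings", {}), "status") == "enable"
    tunnel, web_only = [], []
    for name, portal in cfg.get("vpn ssl web portal", {}).items():
        if first(portal, "tunnel-mode") == "enable":
            tunnel.append(name)
        elif first(portal, "web-mode") == "enable":
            web_only.append(name)
    policies = []
    for pid, pol in cfg.get("firewall policy", {}).items():
        ifaces = pol.get("srcintf", []) + pol.get("dstintf", [])
        if any(i.startswith("ssl.") for i in ifaces):
            policies.append(pid)  # these need rewriting to the IPsec interface
    return SslVpnInventory(enabled, tunnel, web_only, policies)


def blocks_upgrade_to_763(inv: SslVpnInventory) -> bool:
    """True when tunnel-mode portals exist; they must move to IPsec or ZTNA first."""
    return bool(inv.tunnel_portals)


if __name__ == "__main__":
    inv = inventory_ssl_vpn(parse_fortios(SAMPLE_CONFIG))
    print(inv)
    print("tunnel-mode migration required before 7.6.3:", blocks_upgrade_to_763(inv))
```

Run it against a real `show full-configuration` export by replacing `SAMPLE_CONFIG` with the file contents; the list of `ssl.*` policies is the set of rules you will have to recreate against the new IPsec dial-up interface or retire under ZTNA.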
Reference:
For v7.6.0 through v7.6.2, on models with 2 GB or less RAM, SSL VPN web and tunnel mode are removed from the GUI and CLI. See "SSL VPN to dial-up VPN migration" in the FortiGate 7.4.6 administration guide.
For v7.6.3 and later, tunnel mode is removed and web mode only remains for other devices. See "Migration from SSL VPN tunnel mode to IPsec VPN 7.6.3" in the FortiGate 7.6.0 new features guide.