Is FortiClient THAT bad?

I've been lurking the sub for a few days. Our org is looking to transition to a new firewall vendor, and Forti seems to be the one we're going for.

I've seen a ton of complaints about FortiClient. We're currently using SonicWALL; it can't be worse than NetExtender, right?

The reason I ask is we have a lot of remote developers who do some intensive things over the network, like SQL queries for example, and something like this will cause them constant disconnects, and then I get fingers pointed at myself or our department. So one of the main focuses we have is supporting our remote workforce and reducing their disconnection issues.

I have over 100 employees working on it. Does it have its issues? Yes, but 99.999% of the time it works well. Most of the issues we've seen are that it locks up (happens when you keep typing your password wrong), it says that it is connected when it is not (usually happens with unstable internet connections), and it doesn't change back the DNS configuration of the interfaces (usually happens when the VPN is abruptly disconnected).

Yeah, it needs at least another 2 years of testing/development. Concepts are good, but there are way too many times where we get random problems, and it turns out to be EMS. Most recently, it was a memory leak that would turn random servers off at random times. We ended up having to manually stop the client and then uninstall, leaving us to use Microsoft Defender for AV. If you just need it for VPN client updates, it's OK, but I would not recommend putting all of your AV/vulnerability eggs in the EMS basket. Just too unstable. I have 500 PCs/servers, 100 VPN users. Been on every version from 7.0.6 to 7.2.5; we have had random issues with all.

YMMV with the free version. Deploying with EMS is the way to go, and it ties back into your MDM… Be sure to deploy DTLS, which will help with latency and speed for your power users, aka remote developers.

The Win 11 + RSAT issue is still not resolved.

The biggest issue I have with FortiClient is upgrading it. It seems to break telemetry 50% of the time and the user has to paste the invitation code back in. I’ve tried Intune deployment and deployment through EMS. This is over 8 or so version upgrades of the client.

Other than that, ZTNA is amazing and I look forward to fully utilizing it once EMS is deployed as a Linux appliance since the Windows version of Apache is confined to two cores.

I used to run a fleet of 5000 users connected to EMS. 2-3000 connected at any given time, both via SSL VPN and IPsec.

Even worse, Macs… The FortiClient wasn't the issue. Apple is the issue -_-

Other than that it worked fine.

Whenever I’ve used it myself it’s been fine. I honestly don’t know how people have so many issues lol.

We're using EMS cloud… idk, seems pretty good, especially compared to AnyConnect or the Windows VPN client. We're licensed at ~700 clients. Maybe we're not doing enough fancy stuff, but it has worked really well and is easy to manage.

Did SQL ever work well over a VPN?

SSL VPN with FC is sh*t; it's super prone to packet loss / high latency connections. Takes ages to connect or just straight up fails connecting without any errors. Can't really use SSO with Azure as an IdP either, since they changed the way of storing your cookies for the embedded MS login window in the newer versions. So you have to re-enter your credentials every damn time.

Had it working with IPsec as well before - if you enter the wrong password it would just freeze. GUI is unresponsive and it's overall really unreliable. Worst VPN client I've seen so far. Had been working with Palo Alto GlobalProtect before; it never had any issues. Even the SSL VPN from WatchGuard worked better than this lol.

If remote work is a huge deal for you and you need to connect users to some very remote locations, get some Palos. For everything else, Fortigate is great.

If you're planning on using FortiGate and are hosting your infrastructure on premises, make sure your ISP backbone is top notch. As said before - FortiClient doesn't like bad Internet connections. I'd even argue that having a FortiGate in a datacenter with a good connection for dial-up VPN and then an S2S tunnel to your premises would work better than having FortiClient directly connect to your premises. ;D

Plus, having an FG in a datacenter usually means that connections from employees use larger ISP backbones, which are usually more reliable. Having everyone connect to a residential / somewhat business fibre connection in your office will more likely lead to errors and long dial-up times. It's not really about packet loss but latency and jitter.

We have about 75 devices on it. It can take time to wrap your head around some of its configuration concepts. It's the Swiss Army knife of endpoint software: antivirus/malware, VPN, web filtering, vulnerability scanning, application control…

For the most part, it’s been reliable. We had onsite penetration testing done by a well-known agency, and between the FortiGate and FortiClient, it blocked all of their attempts. Of course, we also don’t have a flat network. We follow best practices on network segmentation, and the application of appropriate baseline security templates/profiles.

I really think they should just merge their FortiEDR product into FortiClient for an all-in-one solution.

1400 clients with Cloud EMS and no significant complaints beyond the macOS client (though these are mostly Mac issues and not Windows). I would recommend some professional services assistance configuring and setting up with your FortiGates. Make sure to account for the client connection load to the FortiGates as well; it can absolutely bury a 100 series or similar.

Use the EMS cloud to manage it. We used a certificate-based AOVPN with it and it worked great. Biggest tip I can give is test before deploying to the masses. Also, read the release notes to understand how an upgrade might impact your users.

FortiClient free VPN-only is OK-ish. It works. Absolute PITA to upgrade though, requiring hacky solutions. Not sure pairing with EMS is a real solution here. Might look further one day. We are lucky we only have a very small subset of our staff that actually need VPN.

Kind of falls in the ‘good enough’ space. Would be great if it was better, but it is good enough that other priorities need our attention more.

Using FortiClient with EMS for more than 5 years, and sometimes there are annoying bugs (e.g. not removing internal DNS from the VPN when the computer goes to sleep without disconnecting first), but never had really major issues.

There is still good room for improvement, but I've seen worse (e.g. the ZyWALL client :D) - from a connection stability standpoint there were never big issues - most of them came from bad user connections / wifi at home.

If you speak of connection sensitive software, ever had SAP running on most of your clients? :smiley:
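Two comments in this thread (the one above and the earlier "not changing back the DNS configuration of the interfaces" remark) describe the same leftover: internal VPN resolvers stuck on a physical adapter after an abrupt disconnect or sleep. The following PowerShell audit is an added example, not code from the thread or from Fortinet; the VPN adapter name pattern and the resolver addresses are assumptions you must replace with your own values.

```powershell
# Added example: find physical interfaces still pointing at internal VPN resolvers
# after the VPN adapter is no longer up, and reset them to DHCP-assigned DNS.
# Assumptions (placeholders): adjust both values to your environment.
$VpnAdapterPattern = '*Fortinet*'               # assumed adapter name pattern
$InternalResolvers = @('10.0.0.10', '10.0.0.11') # constructed placeholder addresses

function Get-StaleVpnDns {
    param(
        [string]$AdapterPattern,
        [string[]]$Resolvers
    )
    # If the VPN adapter is still up, internal resolvers are expected: nothing is stale.
    $vpnUp = Get-NetAdapter -Name $AdapterPattern -ErrorAction SilentlyContinue |
             Where-Object Status -eq 'Up'
    if ($vpnUp) { return @() }

    # Otherwise flag every non-VPN IPv4 interface that still carries those resolvers.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.InterfaceAlias -notlike $AdapterPattern } |
        Where-Object {
            @($_.ServerAddresses | Where-Object { $Resolvers -contains $_ }).Count -gt 0
        }
}

function Repair-StaleVpnDns {
    param([object[]]$Entries)
    foreach ($entry in $Entries) {
        Write-Warning ("Interface {0} (index {1}) still uses {2}" -f
            $entry.InterfaceAlias, $entry.InterfaceIndex, ($entry.ServerAddresses -join ', '))
        # Only reset interfaces that get their address from DHCP; a static interface
        # would lose its deliberately configured resolvers.
        $ipIf = Get-NetIPInterface -InterfaceIndex $entry.InterfaceIndex -AddressFamily IPv4
        if ($ipIf.Dhcp -eq 'Enabled') {
            # Requires an elevated shell.
            Set-DnsClientServerAddress -InterfaceIndex $entry.InterfaceIndex -ResetServerAddresses
            Write-Host ("Reset DNS on {0} to DHCP-assigned servers." -f $entry.InterfaceAlias)
        } else {
            Write-Host ("Skipping statically configured interface {0}." -f $entry.InterfaceAlias)
        }
    }
}

$stale = Get-StaleVpnDns -AdapterPattern $VpnAdapterPattern -Resolvers $InternalResolvers
if ($stale) { Repair-StaleVpnDns -Entries $stale } else { Write-Host 'No stale VPN DNS settings found.' }
```

Run it as a scheduled task or a logon script with a wake-from-sleep trigger if the symptom only shows up after sleep, as the comment above describes.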

I use FortiClient (with FortiEMS). A lot of the FortiClient versions are buggy, so you are constantly chasing one that works.

If you find one, stick with it for as long as you can.

Our main issue is the massive number of high and critical vulnerabilities due to enabling SSL VPN on the FortiGates. So look to configure IPsec VPN if you can, so you are not constantly updating your FortiGates every month or so due to new SSL VPN vulns.

We use it in our org. It works well.

Around 150+ users.

Transitioning from AOVPN to FortiClient.

Yes it’s that bad, but the competition is even worse…

7.2.5 is really not terrible. The quality has gone up dramatically. It seems like Fortinet is getting a handle on most of the problems.

I wish there was a perfect SSL VPN solution for Windows and Mac, but meanwhile FortiClient is acceptable.

FortiEMS cloud user with 400 FortiClient 7.2.5 endpoints. The biggest complaint is upgrades and their auto reboot, and we are yet to find a way to make them manual.

Apparently FortiClient 7.4 is better for this, but that's not yet supported for cloud EMS.

Also testing IPsec with EAP/Duo, and it's not working on FortiClient 7.2.5 but works with 7.4.0.

We have the free version deployed to about 100 endpoints for VPN connectivity. No real issues to speak of. I can't comment on the ZTNA features since we don't use them yet.