FortiGate: Why Series? Discovering Different VPN's (SSL, IPSEC & ZNTA) 

Thanks! You’re not wrong it’s all about what methods you use to further secure. Including 1. Put the ssl vpn interface on a loopback then you can use security policy’s. 2. Place the ssl vpn in its own vdom. 3. Where possible use geo-ips in policy or block the known baddies! Other vendors have horrific vulnerabilities also it’s just the game we are in! Some of the recent vulnerabilities have been bad yes but often only impacting devices with poor configuration for example who sends devices out without local in policy’s configured!

Also if you have FortiClient/EMS then you can restrict SSL VPN to only accept connections from "known" registered serial numbers on your EMS. Its another great way of adding further protection - community.fortinet.com/t5/FortiGate/Technical-Tip-Restrict-SSL-VPN-and-Dial-up-IPsec-to-only-devices/ta-p/214456

Glad it was helpful! Let me know if there is anything else you’d like to see.

​@@FortiBytes can you make a video about policy-based vs profile-based firewall regarding how firewall policies / traffic are proceed in these modes?

Yes I can do! You don’t see profile based very often in production unless administrators have come from Palo.

@@FortiBytes thank you so much mate!

You’re very welcome. Video soon!