BEST VPN to use with Fortinet?

Looking to switch from Perimeter 81. We’ve had it for almost a year now and I just seem to dislike it more and more. We constantly have connection issues at our company and have to toggle things on and off in order for people to connect, or most times even turn it off and turn it back on. I’ve never had so many issues with a VPN.

My last company used GlobalProtect from Palo Alto, but that was on-prem and my current company is hybrid, mostly SaaS.

Any recommendations?

If you’re referring to VPN against the FortiGate firewall, then use Fortinet’s own client, FortiClient. Otherwise, their SASE product as mentioned by others.

Tailscale is solid for us.

I’m so happy that I don’t have to deal with VPNs anymore 🙂
But just keep your firewall up to date; they all have issues.

I’m in a similar boat right now, but on-premises. I would love to go Fortinet for the integration and visibility, but damn, the bad vulnerabilities lately. I’m mainly looking at a PA-440 just for VPN behind the FortiGate.

Perimeter81 is a SASE product, so you’ll want to go that route:

  • Palo Alto has a SASE product
  • FortiSASE
  • Tailscale & similar

Very interested in this too. I’m pretty much in the same boat. SSL VPN is awful with constant disconnects.

Prisma Access (Palo Alto), if you have 200 or more users. The most comprehensive SSE on the market right now. There are other decent ones, but few can handle networking fully transparently, like there’s nothing there. It requires a bit of planning though.

Also, you won’t need the Fortinets after that, except probably for local segmentation.

For mostly SaaS you mostly need something with a strong CASB. Netskope I think is good for that, though they are a point product and may not remain on the market independently for too long. Like Perimeter 81 is now Check Point.

We are very happy with OpenVPN on a VM in the DMZ.

I can give insight into FortiSASE:

  1. Beware the 2mb speeds; check the data sheet.

  2. If your users are using lots of applications, it gets pretty slow.

  3. Split tunnel is hit or miss. Example being our Zoom was bust but MS Teams seemed fine.

  4. Good for low-maintenance end users.

  5. Sandbox has slowdowns, sometimes up to the timeout limit.

  6. If you use it on Mac there are missing features.

  7. Minimum purchase of 50 licenses.

I think in like 1-2 years the product will be great, but at the moment it has a lot of missing stuff, or wtf moments. After opening close to 20 tickets with TAC, we decided to just get the EMS cloud since it’s cheaper and the bonus of the SASE isn’t that needed. Using just the FortiClient VPN connection to our firewall with no other packages has been pretty solid.

We are a Fortinet shop, but have been using Zscaler ZPA (zero private access) for 2+ years and have zero issues. Speed is great and no disconnects, as it is reverse-proxy based. No direct IP connectivity to the datacenter network is a great security feature. We couple it with the ZIA module for the secure web gateway for all remote users. One client for secure web browsing and private access to the on-premises datacenter. Outside of cost, I wouldn’t use another product. Previously we were a Cisco AnyConnect shop but changed all of our gear to Fortinet for many reasons.

Why not IPsec? We’ve been using FortiClient with IPsec VPN and it has been great. No major vulnerabilities that I’ve seen recently.

Every vendor has similar vulnerabilities from time to time, including Palo Alto, so avoiding one brand altogether just because of a vulnerability (that they’ve already patched, mind you) makes little sense when you’ll have vulnerabilities with whichever other brand you choose instead.

We dug out an old ASA 5506-X to proof-of-concept AnyConnect.

The Axis Security SSE product they acquired is pretty freaking neat, and dead easy to set up.

Constant disconnects are a common complaint with FortiClient; it was when I was at an MSP and it is now at my current place. Never mind that FortiClient can’t do DNS right.

We are proof-of-concepting AnyConnect with an old ASA 5506-X for the data point that FortiClient is the problem.

And I was able to integrate MFA using Duo and a RADIUS server.

100%. I’m pushing a VDI environment and thin clients for WFH people.

Switching from one UTM firewall brand to another is just blindfolding yourself to the problem; 99.9% of the problem for all vendors is the control plane HTTPS interface that the clients talk to for authentication, and not the data plane that is used for tunneled traffic.

IMO everyone needs to rewrite the control plane part in a programming language that enforces memory safety: (in alphabetical order) Go, Rust, etc.

Just switched from AnyConnect to the Cisco Secure Client this weekend and integrated Umbrella at the same time, which the client also does.

Constant? I’ve got 50 or so deployed; the disconnects are mitigated with the auto-reconnect enable feature and changing the keepalives a little. The disconnects were driven as a security tightening element… no keepalives for 30 seconds? Drop… change from wifi to wired, etc.… drop… all this can be solved… just need to use the newer features.