I don’t know enough about IT to explain why, but… this is weird, right? And probably a bad idea?
Fortinet firewalls are excellent and one of the leaders for not just security and performance but also usability. I run an engineering department at an MSP and we have dozens of FGs deployed to SMB without issue. We set up SSL VPN for clients who require it, lock it down for US access only, to specific subnets/IPs internally, and use Office 365 for SSO where possible. We have only ever used the free FortiClient.
Why would it be weird?
No, not weird. They are upgrading the hardware (firewall) and the VPN clients have to match the firewall manufacturer.
The free version is not inferior or less safe; it just has fewer features compared to the paid version, most of which your company probably doesn’t need because they aren’t tying in the antivirus or application firewall piece of the FortiClient.
As long as your company machine also has an antivirus on it, there’s no issue (and if you didn’t have antivirus, the FortiClient free version still wouldn’t be the issue there).
When you say FortiClient, are you referring to VPN? Or replacing and using Fortinet firewalls? I’ve used Fortinet before and felt it had a bit of a learning curve (I’m a WatchGuard fan) but I liked it - albeit we had the paid security features.
Is there an MSP involved? A lot of MSPs love Fortinet/FortiGate, so that may have had an influence.
Sounds like they wanted to save some money.
Free doesn’t necessarily mean worse, but it usually does mean harder to set up. I run our Zscaler tenant, and it’s awesome as long as you’re willing to fork over cash whenever you need more resources (more app segments for network segmentation, more forwarding policies to route to those different networks, etc.).
If you’ve got alternate data centers, you can handle setting up tunnels, you can handle setting up SAML or OpenID authentication out on the Internet, and you can handle securing those web-facing brokers, you don’t need someone like Zscaler to do it for you. In our case, I know how to set the stuff up, but it would be a disaster getting someone trained on the fly if I had to step away without warning, so Zscaler it is, because it’s easier for the juniors on my team to wrap their heads around.
Shit, I’d send whoever did this a thank you letter and maybe a fruit basket.
That’s good to know! Wasn’t sure if it was a bad sign IT was cutting corners on something to save money (we’re a high-risk target for hackers, so I’m told.)
I don’t know, it’s free software.
Thank you for the (very) simple explanation for my dumb ass. I was really worried the company was trying to save money when it shouldn’t.
Probably only using the SSL VPN on the firewalls now.
I wouldn’t even say that. If they are already in a contract for AV, then why pay for EMS licenses to only use the SSL VPN that is functionally equivalent to the free version? Assuming they don’t need to connect prior to login or set other settings away from default, I think they are fine.
We deployed the free version while we waited for our Sophos licenses to expire, at which point we moved to EMS licenses. I found where the profiles are saved in the registry, pushed out the free version along with the reg edit to add our 2 data centers and everyone was happy.
You’re going to have a wild time when you realise Linux is free and holding up the internet.
Citrix’s VPN software is quite expensive and has had a never-ending string of major vulnerabilities, including one that’s seeing companies destroyed right now.
WireGuard is the gold standard for VPN software according to every cryptographer and most of its userspace is in a modern memory-safe language unlike most commercial competitors, and it’s open source.
How and why are you working in IT?
In your case, only the end user VPN software is free, not the FortiGate which runs the VPN.
Don’t you have a Fortinet firewall?
It’s not equal to Zscaler.
Protocol-wise you are completely right, but most companies want a GUI for management and integration with user directories. I have not yet seen an ‘appliance type’ WireGuard solution.