Thursday, July 10, 2025

Things to know before migrating from SSL VPN to IPsec on FortiGate


Since FortiOS is making SSL VPN obsolete from 7.6 onward:

Information

  1. Drop the idea of user groups: IPsec dial-up cannot support user grouping the way SSL VPN did.
  2. FSSO is a must for user grouping (unless you use the local user database), but FSSO has some restrictions.
  3. Deploy FSSO in DC agent mode for better performance.
  4. Test with your own mobile data. For example, when I connected over the office Wi-Fi, the office WAN IP is the one used to peer with the DC via IPsec, so every remote access test I ran matched the office IPsec profile instead.
  5. If you have multiple IPsec dial-up profiles, a connection can be matched to another IPsec profile that contains the same phase 1 values, especially the NAT-T option. Say your remote access profile is F: FortiGate tries to match the proposed values from top to bottom (profiles A to F). If the proposal matches the values at profile C, the firewall takes the NAT-T value from profile C and negotiates based on it, so even though your remote user profile F is without NAT-T, FortiGate will keep communicating with NAT-T on UDP 4500. Configure the proposals wisely, or you will keep troubleshooting here and there.
  6. Pray for the mobile phone setup; it is going to be a nightmare: wrong pre-shared key typed in by the user, wrong proposal selected, and more.
  7. Azure group object won't work for BYOD.

*Note: mobile phone means iOS.

IKEv1
  1. If your mobile users are unable to set phase 1 and phase 2, herewith the phase 1 proposed by the mobile phone
  2. Phase 2

IKEv2
  1. FortiGate config

Mobile phone config

Local User Database
  1. The only option for grouping users is to configure multiple dial-up profiles with different peer IDs, where each profile has a different assigned IP range to group the users.
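As an added example (not the author's configuration), here is what the "one dial-up profile per group" approach above looks like in FortiOS CLI, also applying the NAT-T consistency point from item 5 of the Information list: each profile gets its own peer ID so the peer ID, not proposal overlap, decides which profile a client lands on, every profile on the same interface keeps the same nattraversal setting, and each group is given its own pool so firewall policies can be written per pool. Profile names, the interface, the pools, the user groups and the address objects are assumptions; the pre-shared key is a placeholder.

```fortios
# Added example, not the author's config. Two IKEv1 dial-up profiles, one per user group,
# distinguished by peer ID (aggressive mode) and each handing out its own IP pool.
config vpn ipsec phase1-interface
    edit "RA-GroupA"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "groupa"              # client must present this local ID
        set mode-cfg enable
        set ipv4-start-ip 10.10.1.10     # assumed pool for group A
        set ipv4-end-ip 10.10.1.200
        set ipv4-netmask 255.255.255.0
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable          # keep identical on every dial-up profile on wan1
        set xauthtype auto
        set authusrgrp "RA-GroupA-Users" # local user group allowed on this profile
        set psksecret <PSK-PLACEHOLDER>
    next
    edit "RA-GroupB"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype one
        set peerid "groupb"
        set mode-cfg enable
        set ipv4-start-ip 10.10.2.10     # assumed pool for group B
        set ipv4-end-ip 10.10.2.200
        set ipv4-netmask 255.255.255.0
        set proposal aes256-sha256
        set dhgrp 14
        set nattraversal enable
        set xauthtype auto
        set authusrgrp "RA-GroupB-Users"
        set psksecret <PSK-PLACEHOLDER>
    next
end

config vpn ipsec phase2-interface
    edit "RA-GroupA-p2"
        set phase1name "RA-GroupA"
        set proposal aes256-sha256
        set dhgrp 14
    next
    edit "RA-GroupB-p2"
        set phase1name "RA-GroupB"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Address objects that mirror the pools, so "grouping" becomes a source address match.
config firewall address
    edit "RA-GroupA-Pool"
        set type iprange
        set start-ip 10.10.1.10
        set end-ip 10.10.1.200
    next
    edit "RA-GroupB-Pool"
        set type iprange
        set start-ip 10.10.2.10
        set end-ip 10.10.2.200
    next
end

# Example policy: only group A (via its tunnel interface and pool) reaches the assumed
# "Finance-Servers" address object; group B gets no matching policy and is dropped.
config firewall policy
    edit 0
        set name "RA-GroupA-to-Finance"
        set srcintf "RA-GroupA"
        set dstintf "internal"
        set srcaddr "RA-GroupA-Pool"
        set dstaddr "Finance-Servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

The tunnel interface name doubles as the source interface in the policy, so even if someone obtains the other group's pre-shared key they still need the matching peer ID and a user in that profile's authusrgrp to land on the tunnel whose policies they want.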

LDAP information

  1. Supports IKEv1; stick to IKEv1 if you have mobile phone users.
  2. I would say IKEv2 is partially supported: you can amend the XML and restore the amended XML file on desktop, but in the mobile phone setup there is no option to select EAP-TLS, so I am not sure whether it is supported or not (EAP-TTLS support for IPsec VPN).

RADIUS

  1. Didn't test it, too lazy to set up; more or less the same.

SAML information

  1. No group object ID is allowed, else you will face the EAP error issue (Technical Tip: Error 'EAP failure' with IPsec Dial-Up VPN using remote groups).
  2. Object group ID won't work for Azure.
  3. Even when integrated with the FSSO DC agent, the user needs to lock and re-login to trigger the netlogon update, which is quite troublesome.
  4. Saly
Related document for SAML: Technical Tip: Configuring IPsec VPN client-to-site with Azure SAML authentication


BYOD
  1. Bye. In a domain environment, BYOD devices do not send netlogon details to AD, so FSSO won't work.

Other site information
FortiGate VM with FortiOS 7.4.8
diagnose debug application authd -1: when this debug is turned on, SAML won't work until the debug is disabled.


To conclude, migrating from SSL VPN to IPsec VPN is PAIN and takes time for users to adapt. There are many restrictions and challenges along the way. It feels like Fortinet is trying to push users toward SASE, but not everyone can afford it, especially SME businesses.

Update 17 July 2025
FSSO
Due to AD behavior, FSSO also has limitations on user identification: BYOD doesn't work, and neither does RDP with a domain user. Example: the IPsec login succeeds as limvuihan (IP 192.168.10.1), but then I remote desktop with the domain admin pbbadmin to another server; due to AD behavior, the logon event ID updates pbbadmin's IP address to your IPsec IP, 192.168.10.1. So all the rules defined based on your grouping won't work and access fails. The alternative is to put pbbadmin on the collector agent's ignore user list.

Update 1st August 2025

When a user is connected with FortiClient IPsec, you can't change the split tunnel parameters while the tunnel is in use (as shown here); it is not as flexible as SSL VPN. The tunnel requires the user to reconnect the VPN to get the new route.




Monday, December 30, 2024

Palo Alto Self Signed Certificate ERR_SSL_KEY_USAGE_INCOMPATIBLE

If you found my page, it seems the Palo Alto KB doesn't help. Don't keep regenerating the self-signed certificate, it doesn't help; herewith the steps.

For Windows users

Setup OpenSSL

1. Download and install OpenSSL from Shining Light Productions (please donate if it helps).

Then generate the CSR (Palo Alto KB)

1. Complete the Generate the CSR steps.

Back to your laptop/PC, start signing the certificate

1. Open CMD as administrator and go to the OpenSSL folder, for example C:\Program Files\OpenSSL-Win64\bin

2. Type in the command:

openssl.exe genrsa -out rootCA.key 2048

3. Type in the command:

openssl.exe req -x509 -new -nodes -key rootCA.key -sha256 -days 3650 -out rootCA.crt -subj "/C=MY/ST=State/L=City/O=Org/OU=Dept/CN=RootCA"

4. Create an extensions file. For example, in C:\Program Files\OpenSSL-Win64\bin, create a text file named v3_req.txt with the content below:

[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth

Save it.

5. Download the CSR from Palo Alto and save it to the OpenSSL bin directory, for example C:\Program Files\OpenSSL-Win64\bin

6. Type in the command, replacing server.csr with the downloaded CSR name. The -extensions v3_req option tells OpenSSL to read the [ v3_req ] section of the file; without it OpenSSL only reads the unnamed default section, which is empty here, and the certificate is issued with no extensions at all:

openssl.exe x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3_req.txt -extensions v3_req

7. Upload the signed certificate to Palo Alto. Make sure the certificate name is exactly the same as the generated CSR name.

Able to solve the issue.
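Here is the same signing flow as a script, added by me as an example and not part of the original post, with a check that the issued certificate really carries the key usage Chrome requires before you upload it. It assumes a POSIX shell with the openssl CLI on the PATH (on Windows, Git Bash with the Shining Light install works); the firewall's CSR is replaced by a locally generated one, the hostname is a placeholder, and the subjectAltName line is my addition to the post's extension file, since current browsers match the hostname against the SAN rather than the CN. It also signs the CSR a second time without -extensions to show the silent failure mode.

```shell
#!/bin/sh
# Added example, not part of the original post: the post's signing steps as a
# script, plus checks on the result. Assumes the openssl CLI is on PATH.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_CN="${SERVER_CN:-firewall.example.com}"   # constructed placeholder hostname

# Steps 2-3 of the post: root CA key and self-signed root certificate.
make_root_ca() {
  openssl genrsa -out "$WORKDIR/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORKDIR/rootCA.key" -sha256 -days 3650 \
    -out "$WORKDIR/rootCA.crt" \
    -subj "/C=MY/ST=State/L=City/O=Org/OU=Dept/CN=RootCA"
}

# Stand-in for the CSR downloaded from the firewall in step 5: a locally
# generated key and CSR (constructed for this example).
make_server_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/server.key" \
    -out "$WORKDIR/server.csr" -subj "/CN=$SERVER_CN" 2>/dev/null
}

# Step 4: the extension file. digitalSignature in keyUsage is the part that
# clears ERR_SSL_KEY_USAGE_INCOMPATIBLE; subjectAltName is an addition to the
# post's file because browsers match the hostname against the SAN, not the CN.
write_extfile() {
  cat > "$WORKDIR/v3_req.txt" <<EOF
[ v3_req ]
keyUsage = critical, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$SERVER_CN
EOF
}

# Step 6: sign the CSR. $1 is the output file; any further arguments are passed
# to openssl. With "-extensions v3_req" OpenSSL reads the [ v3_req ] section;
# without it only the unnamed default section is read, and that one is empty.
sign_csr() {
  out=$1; shift
  openssl x509 -req -in "$WORKDIR/server.csr" -CA "$WORKDIR/rootCA.crt" \
    -CAkey "$WORKDIR/rootCA.key" -CAcreateserial -out "$out" -days 365 -sha256 \
    -extfile "$WORKDIR/v3_req.txt" "$@" 2>/dev/null
}

# Check before uploading (step 7): prints "ok" when the certificate carries both
# the Digital Signature key usage and the serverAuth EKU, "missing" otherwise.
check_key_usage() {
  text=$(openssl x509 -in "$1" -noout -text)
  case "$text" in
    *"Digital Signature"*"TLS Web Server Authentication"*) echo ok ;;
    *) echo missing ;;
  esac
}

# Chain check: the signed certificate must validate against the root you will
# import into the client's trust store. Prints "valid" or "invalid".
check_chain() {
  if openssl verify -CAfile "$WORKDIR/rootCA.crt" "$1" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid
  fi
}

make_root_ca
make_server_csr
write_extfile
sign_csr "$WORKDIR/server.crt" -extensions v3_req   # step 6 with the section named
sign_csr "$WORKDIR/server-noext.crt"               # same command without -extensions
echo "with -extensions:    $(check_key_usage "$WORKDIR/server.crt") / chain $(check_chain "$WORKDIR/server.crt")"
echo "without -extensions: $(check_key_usage "$WORKDIR/server-noext.crt")"
```

Run it as-is, or set WORKDIR and SERVER_CN first; server.crt is the file to upload, and server-noext.crt only exists to show that a certificate signed without -extensions looks fine in the upload dialog but still triggers the browser error.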

Saturday, December 7, 2024

Ping Test Tool

Although there are lots of free ping test tools, I developed my own version of a ping test tool that suits my troubleshooting purposes. Feel free to download it and give me feedback.

My version logs the time on each ping result; this time logging can be disabled too.

Herewith the tool:

ping test tools





Friday, June 21, 2024

Let's start NSE8!

Let's start the NSE 8 journey, wondering whether I will be able to achieve it within a year, or maybe not, or drag it out another decade XD.

After going through the CCIE Security exam I roughly understand how the exam is going to look.

Hope my company sponsors me for this exam, as I moved away from network security into cloud security. Ahem, FortiSASE is also cloud security, right?

I'm still struggling over whether to release to the public an alpha version of the Cisco Lina/ASA firewall policy conversion tool I developed using company resources (laptop).

Thursday, August 3, 2023

Cisco FTD route-map metric

If you have tried searching for this information, even with ChatGPT, you still can't locate it. Yup, Cisco FTD replaces the metric value with bandwidth:

CLI output






Monday, June 12, 2023

Palo Alto power cycle or power outage causes HA down

After a power cycle or power outage on a PA-5220 (Active/Active or Active/Passive), once it boots up the data plane fails

with the error dataplane down: path monitor failure, or Policy push to dataplane failed.

Just physically power cycle it 2 to 3 times.

Herewith the KB:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCcXCAW







Tuesday, April 4, 2023

Palo Alto "Failed to find begining of certificate. Make sure certificate starts with BEGIN CERTIFICATE tag."

Don't hesitate, just use another browser; problem resolved.

Environment
1. PAN-OS 10.2
2. Panorama
3. Firefox
4. Trying to upload a certificate
5. Panicking during migration
6. Engineer ego suspecting a bug

It is a sad TAC case, and it wasted my company's case token due to a silly browser issue.

Yes, you can't find any solution in the public KB for this error; according to TAC it is from their internal KB.

And, I tried to reproduce it the next day, but a miracle happened and the upload succeeded.

So to conclude, just switch to another browser or use the ultimate weapon: RESTART YOUR PC.

Update 05 April 2023

TAC feedback