https://www.sikich.com

Fortinet Removes SSL VPN from Lower-End Firewalls: What You Need to Know

Chad Brown

Sep 30 2025

3 min read

In a major shift that has caught the attention of IT administrators worldwide, Fortinet has begun removing its SSL VPN functionality from lower-end FortiGate firewalls. This change, first introduced with FortiOS 7.6.0, represents a significant change in how organizations using FortiGate appliances will provide secure remote access to their networks.

The Beginning of the Phase-Out

The initial removal started in FortiOS 7.6.0, where SSL VPN support was discontinued on FortiGate models with 2 GB of RAM or less. That included devices such as the FG-40F, FG-60F, FG-61F, and similar FortiWiFi and rugged models. On these devices, both SSL VPN web mode and tunnel mode were taken out entirely, with no option to configure them via the GUI or CLI.

Expansion to More Models

The move didn’t stop there. In FortiOS 7.6.1, Fortinet broadened the removal, eliminating SSL VPN from a wide range of desktop and rugged FortiGate models. This included not only the 40F and 60 series, but also the 80E, 90E, and 91E families, along with their WiFi and rugged variants. For administrators who relied on SSL VPN for remote worker access, this expansion forced immediate consideration of alternatives.

Complete Removal of Tunnel Mode

By the time FortiOS 7.6.3 was released, Fortinet made the most definitive change yet—SSL VPN tunnel mode was completely removed. Any previous configurations were not preserved during upgrades, meaning that even existing deployments of SSL VPN would stop functioning. The web-based mode, sometimes used for quick agentless connections, was also discontinued on certain models, including the 40F, 60F, and 90G series.

Why Fortinet Made the Change

The reasons behind this shift are fairly clear. First and foremost, SSL VPN has historically been a prime target for attackers. Over the past several years, vulnerabilities in SSL VPN have been widely exploited, and Fortinet devices have been frequent targets. Removing the feature reduces the attack surface, especially on lower-powered devices where patching and processing overhead is more challenging.

Additionally, SSL VPN is resource-intensive. On devices with limited hardware, it could degrade performance and reliability. By steering users toward IPsec VPN, Fortinet is aligning with industry standards and offering a solution that is both more secure and more efficient. IPsec is less prone to the types of web-exploitable flaws that plagued SSL VPN, and it offers stronger performance on constrained hardware.

What This Means for Organizations

If you rely on SSL VPN today, it’s time to take action. Fortinet is making it clear that IPsec VPN is the future for remote access on FortiGate appliances. Organizations should begin migrating configurations to IPsec now, testing connectivity thoroughly, and updating end-user documentation and training.

In the longer term, Fortinet is also promoting newer technologies such as Zero Trust Network Access (ZTNA) and FortiSASE, which may eventually replace traditional VPNs altogether. For now, however, the immediate step is to retire SSL VPN and transition to supported alternatives.

This change may be disruptive in the short run, but it ultimately reflects Fortinet’s efforts to improve security, standardize remote access, and reduce vulnerabilities. Administrators who adapt early will be better prepared for a secure, stable future in remote connectivity. If your IT team needs any assistance, please reach out to our own experts at any time.

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.

About the Author

Chad Brown

Chad Brown is a Senior Network Consultant at Sikich, assisting client in achieving their business objectives through technology and trusted advice. He holds a Bachelor’s of Science in Information Technology from University of Phoenix, as well as several industry certifications. His primary area of focus revolves around server infrastructure and Microsoft’s Cloud services.