Fortinet has been telegraphing the end of SSL VPN tunnel mode for over a year. Warning banners on the GUI from FortiOS 7.4.1. SSL VPN gone from 2GB RAM models (FG-40F, FG-60F, FG-61F) in 7.6.0. The G-series 50G, 70G and 90G in 7.4.8. In-product warnings throughout 7.6.0, 7.6.1 and 7.6.2 telling you it would be removed in 7.6.3. None of this was quiet.

What still trips people up is one short sentence in the 7.6.3 release notes: "Settings will not be upgraded from previous versions." If you upgrade a FortiGate from 7.6.2 to 7.6.3 without migrating first, every SSL VPN user loses remote access the moment the firewall reboots. The tunnel-mode config does not carry over. There is no compatibility shim. It is simply absent.

This post is the pre-upgrade checklist for the estates that haven't actioned the warnings yet. What changed, the deprecation timeline that got us here, your three migration options, and the bits the migration guide does not put in bold.

[Diagram: FortiOS 7.6.2 holds the SSL VPN tunnel config (user groups, IP pools, firewall policies); the upgrade has no migration shim; on FortiOS 7.6.3 the feature is gone from GUI and CLI, settings are not upgraded and policy references are orphaned.]

WHAT ACTUALLY CHANGED IN FORTIOS 7.6.3

The wording in the 7.6.3 release notes is unambiguous. "Starting in FortiOS 7.6.3, the SSL VPN tunnel mode feature is replaced with IPsec VPN, which can be configured to use TCP port 443. SSL VPN tunnel mode is no longer available in the GUI and CLI. Settings will not be upgraded from previous versions." It applies to all FortiGate models.

Two things this does not affect:

  • SSL VPN web mode is renamed, not removed. What used to be SSL VPN web portal is now called Agentless VPN. The clientless browser-based access still works on the models that support it. If your remote workers connect via a web portal rather than FortiClient, you have less migration to do, but the rename means your documentation and runbooks need updating.
  • Site-to-site IPsec is unchanged. Hub-spoke, dial-up server, route-based, policy-based, none of this is affected. The 7.6.3 change is specifically about replacing the proprietary SSL VPN tunnel client with standards-based IPsec for remote user access.
Where each piece of the setup lives, SSL VPN tunnel mode (pre-7.6.3) on the left and IPsec dial-up (7.6.3 and later) on the right:

  • Client path: FortiClient remote user to FortiGate SSL VPN portal, TLS over TCP 443, proprietary tunnel | FortiClient 7.4.1 or later to FortiGate IPsec dial-up, UDP 500/4500 or TCP 443
  • Routing and IP pool: VPN portal | phase 1 (auth, IdP, mode-config)
  • Split tunnel: VPN portal toggle and routing address list | phase 2 selectors
  • DNS suffix / split DNS: VPN portal | phase 1 mode-config
  • Auth user group: VPN portal | phase 1 user group binding
  • Certificate and port: SSL VPN settings | phase 1 (IKEv2, certificate or PSK)

THE DEPRECATION TIMELINE

If this is the first time you have heard about it, the upgrade is going to feel sudden. It is not. The runway has been long and well-signposted. Knowing where each warning sat helps you reconcile what your firewalls have been telling you against what is now happening:

  • FortiOS 7.4.1 (2023): Fortinet added warning messages to the SSL VPN Settings page in the GUI, displayed under SSL-VPN status and Authentication/Portal Mapping when either tunnel or web mode was enabled. The intent was clear, the messaging was loud.
  • FortiOS 7.4.4 (June 2024): Fortinet published the formal SSL VPN to IPsec VPN migration guide and made the conversion flow available through the existing IPsec Wizard. This is when the migration became something engineers could action via a documented path rather than improvising from CLI fragments.
  • FortiOS 7.4.8: SSL VPN removed from G-series entry-level models (FG-50G, FG-70G, FG-90G). If you bought a 70G recently and noticed it never had an SSL VPN settings page, that is why.
  • FortiOS 7.6.0: SSL VPN (tunnel and web mode both) removed from 2GB RAM models. This catches FG-40F, FG-60F, FG-61F, FWF-60F, FWF-61F and the FGR-60F variants. The 7.6.3 removal date for all other models was already published in the new-features documentation.
  • FortiOS 7.6.0, 7.6.1, 7.6.2: In-product warnings throughout the 7.6.x train told administrators that tunnel mode would be removed in 7.6.3.
  • FortiOS 7.6.3 (April 2025): SSL VPN tunnel mode removed from all FortiGate models. The warnings stopped being warnings.

The reason was not subtle either. Successive years of critical FortiOS CVEs (CVE-2022-42475, CVE-2023-27997, CVE-2024-21762, CVE-2024-55591), most of them in the SSL VPN daemon, several exploited as zero-days, and more than one added by CISA to the Known Exploited Vulnerabilities catalogue. Small branch FortiGates with SSL VPN enabled "just in case" by an integrator years ago, with a self-signed cert and a default port, were a liability the vendor was no longer willing to underwrite. The fix was to remove the feature.

The estates that get caught are the ones running n-1 or n-2 firmware as policy. A site still on 7.4.5 has seen the generic 7.4.1 banner, but the specific "removed in 7.6.3" warnings only ever appeared in the 7.6.0 to 7.6.2 GUI. Jump straight from 7.4.x to 7.6.3 and you never see them. If your refresh cycle skips minor versions, the deprecation runway compresses to zero.

THREE WAYS TO MIGRATE SSL VPN TO IPSEC

Fortinet documents three ways to convert an SSL VPN tunnel-mode config to IPsec dial-up. Each is appropriate for a different size of estate.

The IPsec Wizard (built-in GUI). Available with documented SSL VPN to IPsec migration steps from FortiOS 7.4.4 onwards (VPN > IPsec Wizard). You run it on the FortiGate before upgrading to 7.6.3. It reads the existing SSL VPN config (portals, user groups, IP pools, routing) and writes equivalent IPsec dial-up phase 1 and phase 2 entries alongside the SSL VPN config, so both run in parallel. This is the right tool for a single-firewall estate or a handful of independently managed sites. You can verify the IPsec config works before disabling SSL VPN.

One trap to be aware of: the IPsec Wizard creates IKEv1 in aggressive mode by default. That works for legacy clients but does not support TCP transport. If you need IPsec on TCP 443 (the closest behavioural analogue to SSL VPN), you must change the resulting tunnel to IKEv2 by hand after the wizard runs. Skipping this and assuming the wizard output drops in unchanged is a common cause of "the wizard finished but TCP 443 connections fail" tickets.

CLI conversion. Manual, line by line. Worthwhile if you have unusual auth flows, custom policy structures, or you simply prefer to know what every line is doing. Slower but produces a cleaner config than the wizard, which tends to leave artefacts (unused address objects, references back to the original portal name) that are tedious to clean up afterwards.

FortiConverter. The right tool if you have ten or more firewalls to migrate, or if you are doing this for several customers as an MSP. FortiConverter takes a source config, runs the SSL-to-IPsec migration on it offline, and gives you a downloadable config to push. The summary page lets you edit IP pool mappings and phase1 names before export, which matters when you are batching the same cutover across an estate with shared naming conventions.

WHAT THE IPSEC EQUIVALENT LOOKS LIKE

The good news for engineers nervous about user disruption is that almost everything you set up in SSL VPN tunnel mode has a direct IPsec dial-up equivalent. The migration is not a redesign.

  • IP pools. SSL VPN IP pool ranges map onto the IPsec phase 2 selectors and the assigned client subnet. The wizard preserves the existing range so users get the same IPs they had before. If you have firewall policies pinned to that range, they keep working.
  • Split tunnelling. Configured differently. SSL VPN portals had a split-tunnelling toggle and a routing address list. IPsec dial-up defines what is routed over the tunnel with the phase 2 selectors together with the phase 1 mode-config split-include address (the list FortiClient installs as routes). Same outcome, different config location. The wizard handles this. Manual converters need to know it.
  • Split DNS. Supported but configured under the IPsec phase 1 mode-config block, not the portal. Engineers used to setting DNS suffix at the portal level miss this and end users complain that internal hostnames stop resolving.
  • TCP port 443 transport. IPsec on TCP 443 is supported and is the closest analogue to SSL VPN's "tunnel over port 443" behaviour. It needs FortiOS 7.4.2 or later on the gateway and FortiClient 7.4.1 or later on the endpoint. Older FortiClient versions cannot use this transport. If your endpoint estate is on FortiClient 7.2.x, plan an endpoint upgrade as part of the cutover.
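As an added example (illustration code written for this article, not Fortinet's IPsec Wizard or FortiConverter): a Python script that parses the SSL VPN portal, settings, authentication rule and pool address out of FortiOS CLI text and emits the equivalent IKEv2 dial-up phase 1, phase 2 and a firewall policy, applying the mappings in the list above. The input config is constructed. The interface names wan1 and internal, the tunnel name ipsec-dialup and the proposal choice are assumptions. The TCP-transport keywords (set transport tcp in phase 1, ike-tcp-port under system settings) are as I recall the 7.4.2+ CLI and should be checked against the CLI reference for your build before the output goes anywhere near a firewall.

```python
"""Added example, not Fortinet code: SSL VPN tunnel-mode CLI to IKEv2 dial-up CLI."""
import shlex

# Constructed sample: a typical SSL VPN tunnel-mode setup on FortiOS 7.6.2.
SSLVPN_CONFIG = """
config firewall address
    edit "SSLVPN_TUNNEL_ADDR1"
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
end
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        set split-tunneling enable
        set split-tunneling-routing-address "corp-lan" "corp-dc"
        set dns-suffix "corp.example"
    next
end
config vpn ssl settings
    set servercert "vpn-cert"
    set port 443
    config authentication-rule
        edit 1
            set groups "vpn-users"
            set portal "full-access"
        next
    end
end
"""

def parse_fortios(text):
    """Flatten CLI into {path: {key: [values]}}; path is the chain of config/edit names."""
    tables, stack = {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            stack.append(tok[1])
        elif tok[0] == "set":
            tables.setdefault(tuple(stack), {})[tok[1]] = tok[2:]
        elif tok[0] in ("next", "end"):
            stack.pop()
    return tables

def quoted(names):
    return " ".join(f'"{n}"' for n in names)

def convert(text, name="ipsec-dialup", wan="wan1", lan="internal"):
    """IPsec dial-up CLI for the first authentication rule's portal (run once per rule)."""
    t = parse_fortios(text)
    settings = t[("vpn ssl settings",)]
    rules = [v for k, v in t.items() if k[:2] == ("vpn ssl settings", "authentication-rule")]
    if not rules:
        raise ValueError("no authentication-rule: no user group is bound to a portal")
    rule = rules[0]
    portal = t[("vpn ssl web portal", rule["portal"][0])]
    if portal.get("tunnel-mode", ["disable"])[0] != "enable":
        raise ValueError("web-mode-only portal: it survives 7.6.3 as Agentless VPN")
    pool = t[("firewall address", portal["ip-pools"][0])]  # same range: users keep their IPs
    routes = portal.get("split-tunneling-routing-address", [])
    if portal.get("split-tunneling", ["disable"])[0] != "enable":
        routes = []                                   # toggle off = full tunnel, no split-include
    include = f"{name}_split" if len(routes) > 1 else (routes[0] if routes else None)
    tcp443 = settings.get("port", ["443"])[0] == "443"
    out = [] if len(routes) < 2 else ["config firewall addrgrp", f'    edit "{include}"',
                                       f"        set member {quoted(routes)}", "    next", "end"]
    p1 = ["set type dynamic", f'set interface "{wan}"', "set peertype any", "set net-device disable",
          "set ike-version 2",     # not the wizard's IKEv1 aggressive: TCP transport and SAML need v2
          "set mode-cfg enable",   # mode-config now carries the pool, DNS suffix and split list
          "set proposal aes256-sha256", "set dpd on-idle",
          "set authmethod signature", f"set certificate {quoted(settings['servercert'])}",
          "set eap enable", "set eap-identity send-request",
          f'set authusrgrp "{rule["groups"][0]}"',    # group binding moves from the rule to phase 1
          f"set ipv4-start-ip {pool['start-ip'][0]}", f"set ipv4-end-ip {pool['end-ip'][0]}"]
    if "dns-suffix" in portal:                        # portal DNS suffix becomes mode-config domain
        p1.append(f"set domain {quoted(portal['dns-suffix'])}")
    if include:
        p1.append(f'set ipv4-split-include "{include}"')
    if tcp443:                   # IKE/ESP over TCP 443 (FortiOS 7.4.2+, FortiClient 7.4.1+); keyword as recalled
        p1.append("set transport tcp")
    out += ["config vpn ipsec phase1-interface", f'    edit "{name}"', *(f"        {s}" for s in p1), "    next", "end"]
    if tcp443:                                        # TCP listener port; keyword as recalled
        out += ["config system settings", "    set ike-tcp-port 443", "end"]
    out += ["config vpn ipsec phase2-interface", f'    edit "{name}"', f'        set phase1name "{name}"',
            "        set proposal aes256-sha256", "        set dhgrp 14", "    next", "end"]
    # Policies on the old SSL VPN interface are orphaned after 7.6.3: key this one on the new tunnel
    # interface and keep the original pool object so address-based rules still match.
    out += ["config firewall policy", "    edit 0", f'        set name "{name}-to-lan"',
            f'        set srcintf "{name}"', f'        set dstintf "{lan}"',
            f"        set srcaddr {quoted(portal['ip-pools'])}", f"        set dstaddr {quoted(routes or ['all'])}",
            "        set action accept", '        set schedule "always"', '        set service "ALL"',
            "    next", "end"]
    return "\n".join(out)
```

Calling convert(SSLVPN_CONFIG) prints the IPsec CLI. Two deliberate choices: it sets ike-version 2 rather than the wizard's IKEv1 aggressive default, and it reuses the original pool address object as the policy source so any existing address-based rules keep matching. A web-mode-only portal is rejected rather than converted, since that portal survives 7.6.3 as Agentless VPN.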

SAML AND SSO ARE THE PART THAT WILL CATCH YOU OUT

If your SSL VPN authenticates against SAML (Azure AD, Okta, Google Workspace), the migration is more involved than the wizard makes it look.

SAML is supported for IPsec dial-up, but only with IKEv2. FortiClient 7.2.4 or later is the minimum for SAML over IKEv2 dial-up using the embedded browser inside FortiClient. If your IdP setup needs the user to authenticate in a real system browser (Conditional Access policies that require device compliance often do), you need the external-browser flow. That has stricter version requirements: FortiOS 7.4.9 or 7.6.1 and later on the gateway, FortiClient 7.2.5 or 7.4.1 and later on Windows and macOS, FortiClient 7.4.3 and later on Linux.

The user experience is broadly similar to SSL VPN with SAML. A connect attempt prompts for IdP login, the user signs in, the tunnel comes up. What changes operationally is the EMS profile. The IPsec dial-up profile sits alongside the existing SSL VPN profile until you remove the SSL one, so end users see two VPN entries in FortiClient through the cutover period. Schedule the cleanup as a separate EMS push after you are confident IPsec is working everywhere.

If your SSL VPN currently uses SAML with FortiAuthenticator as an SP proxy or as the IdP, test the IPsec equivalent end to end before cutover. The flow is similar but not identical, and the FortiAuthenticator-side config differs enough that copying the SSL VPN settings across does not work.

RADIUS and LDAP migrations are more straightforward. Local user database, more straightforward still. The wizard handles user group bindings on the new IPsec phase 1, but you should still spot-check that group membership filters and RADIUS attribute mappings carried over before users start hitting it.

RUN BOTH IN PARALLEL BEFORE YOU CUT OVER

The single most useful thing you can do before upgrading to 7.6.3 is configure IPsec dial-up alongside the existing SSL VPN on the same firewall, while still on 7.6.0, 7.6.1 or 7.6.2.

Both can run at the same time. SSL VPN listens on its configured port, IPsec dial-up listens on 500/4500 (or TCP 443 if configured). FortiClient supports both connection types in the same profile. Roll the IPsec connection out to a pilot group of internal users, validate it against the same applications they use day-to-day, then expand to wider rollout. Once you are satisfied that everyone has a working IPsec connection, schedule the upgrade to 7.6.3 and accept that it will remove the now-redundant SSL VPN config on its own.

Doing it this way means your rollback path is FortiClient profile change, not a firmware downgrade. That matters when something obscure breaks at three in the afternoon on the day of cutover.

The cutover sequence, with the state of each stack at every step:

  • Step 1: Build IPsec alongside SSL VPN on 7.6.0 to 7.6.2 (SSL: live, IPsec: built).
  • Step 2: Pilot users on IPsec via a FortiClient profile (SSL: live, IPsec: tested).
  • Step 3: Roll IPsec out to all users by EMS push (SSL: idle, IPsec: live).
  • Step 4: Upgrade to FortiOS 7.6.3 (SSL config wiped, IPsec carries on).

Rollback at any point before step 4 is a FortiClient profile change, not a firmware downgrade.

POST-MIGRATION CHECKLIST

  • Confirm every user can authenticate. Especially anyone in a non-default group, or anyone who relied on a per-user override in the SSL VPN portal config. Per-user overrides do not always migrate cleanly.
  • Check internal DNS resolution. Connect a test client, confirm internal hostnames resolve over the tunnel. If they do not, the split-DNS settings did not migrate. Add them under the IPsec phase 1 mode-config.
  • Test split tunnelling. Confirm only the intended subnets route over the tunnel. A misconfigured phase 2 selector will either route everything over the tunnel (saturating your firewall uplink) or nothing (users cannot reach internal resources).
  • Verify firewall policies. Policies that referenced the SSL VPN interface need to be redirected to the new IPsec dial-up interface. The wizard creates the interface but does not always rewrite policy references. Check policy hit counts on day one to confirm traffic is matching the right rules.
  • Audit the FortiAnalyzer logging. SSL VPN and IPsec tunnel events both arrive as event logs of subtype vpn, but the logdesc, action and tunneltype values differ (ssl-tunnel versus ipsec), and the IPsec side adds phase 1 and phase 2 negotiation events that have no SSL VPN analogue. Update any FortiAnalyzer reports, alert rules, or SIEM correlation searches that filtered on the old field values.
  • Remove the redundant SSL VPN profile from FortiClient EMS. Once you are sure the IPsec connection is working, push a profile update that removes the old SSL VPN entry. Otherwise users have two icons and call the helpdesk asking which one to use.
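As an added example for the logging item in the checklist (illustration code, not a FortiAnalyzer export or a vendor rule): parse FortiGate key=value event lines and compare an SSL-VPN-era detection rule with one that also matches IPsec dial-up, plus the IPsec-only failure case. The three log lines are constructed; the field names and the logdesc, action and tunneltype values follow the FortiOS event-log schema to the best of my knowledge, while the timestamps, addresses and users are made up.

```python
"""Added example, not vendor code: re-key a VPN detection rule from SSL VPN to IPsec fields."""
import re
from collections import Counter

# Constructed sample: one SSL VPN tunnel-up, one IPsec tunnel-up, one IPsec phase 1 failure.
LOG_LINES = [
    'date=2025-05-01 time=09:12:03 type="event" subtype="vpn" level="information" vd="root" '
    'logdesc="SSL VPN tunnel up" action="tunnel-up" tunneltype="ssl-tunnel" '
    'remip=203.0.113.10 user="alice" group="vpn-users" msg="SSL tunnel established"',
    'date=2025-05-01 time=09:13:40 type="event" subtype="vpn" level="notice" vd="root" '
    'logdesc="IPsec connection status changed" action="tunnel-up" tunneltype="ipsec" '
    'remip=198.51.100.22 user="bob" group="vpn-users" vpntunnel="ipsec-dialup_0" '
    'status="up" msg="IPsec connection status change"',
    'date=2025-05-01 time=09:14:05 type="event" subtype="vpn" level="error" vd="root" '
    'logdesc="IPsec phase 1 error" action="negotiate" status="negotiate_error" '
    'remip=198.51.100.23 vpntunnel="ipsec-dialup" msg="IPsec phase 1 error"',
]

# key=value pairs separated by spaces; quoted values may themselves contain spaces.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fgt(line):
    """One FortiGate log line to a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def ssl_only_rule(ev):
    """The pre-migration rule: matches only the SSL VPN daemon's tunnel events."""
    return ev.get("subtype") == "vpn" and ev.get("tunneltype") == "ssl-tunnel"


def any_tunnel_rule(ev):
    """Post-migration rule: both tunnel types, so nothing is lost during the parallel run."""
    return ev.get("subtype") == "vpn" and ev.get("tunneltype") in ("ssl-tunnel", "ipsec")


def tunnel_ups(lines, rule):
    """Count tunnel-up events per (user, source IP) that a given rule would surface."""
    hits = Counter()
    for ev in map(parse_fgt, lines):
        if rule(ev) and ev.get("action") == "tunnel-up":
            hits[(ev.get("user"), ev.get("remip"))] += 1
    return dict(hits)


def ipsec_negotiation_failures(lines):
    """IPsec-only failure mode with no SSL VPN analogue: source IPs of phase 1 errors."""
    return [ev["remip"] for ev in map(parse_fgt, lines)
            if ev.get("logdesc") == "IPsec phase 1 error"]


if __name__ == "__main__":
    print("old rule:", tunnel_ups(LOG_LINES, ssl_only_rule))
    print("new rule:", tunnel_ups(LOG_LINES, any_tunnel_rule))
    print("phase 1 failures from:", ipsec_negotiation_failures(LOG_LINES))
```

Against the sample, the old rule sees only alice's SSL VPN session and silently misses bob's IPsec one; the updated rule catches both, and the phase 1 error surfaces 198.51.100.23 as a source to watch. The same shape applies to a FortiAnalyzer event handler or a SIEM search: widen tunneltype rather than deleting the SSL VPN match while both stacks are live.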

FREQUENTLY ASKED QUESTIONS

What version of FortiOS removes SSL VPN tunnel mode? FortiOS 7.6.3 on all FortiGate models. Earlier on the smaller kit: 7.6.0 took it off 2GB-RAM models (FG-40F, FG-60F, FG-61F and the WiFi variants), and 7.4.8 took it off the G-series 50G, 70G and 90G.

Will my SSL VPN config upgrade automatically when I move to 7.6.3? No. The release notes are explicit: "Settings will not be upgraded from previous versions." The portals, user groups, IP pools and any firewall policy that referenced the SSL VPN interface are gone after upgrade. Migrate first, upgrade second.

Is SSL VPN web mode also removed? No. Web mode is renamed to Agentless VPN and continues to work on supported models. The 7.6.3 change is about tunnel mode specifically (the FortiClient connection type).

Can I run SSL VPN and IPsec dial-up at the same time on the same FortiGate? Yes, on 7.6.0, 7.6.1 and 7.6.2. They listen on different ports and FortiClient supports both connection profiles in parallel. This is the basis of the parallel-run cutover strategy. After upgrading to 7.6.3, only IPsec is available.

Does FortiClient 7.0 or 7.2 work with IPsec on TCP 443? No. TCP 443 transport for IPsec needs FortiOS 7.4.2 or later on the gateway and FortiClient 7.4.1 or later on the endpoint. Older FortiClient versions can use IPsec on UDP 500/4500 but not on TCP 443.

What happens to my SSL VPN bookmarks and web portal links? They are part of web mode (now Agentless VPN) and survive the upgrade. Only the tunnel-mode FortiClient connection is affected.

Is this related to the recent Fortinet SSL VPN CVEs? Yes, indirectly. SSL VPN has been the source of repeated critical CVEs, which is the underlying reason Fortinet moved its remote-access story to standards-based IPsec. Closing the attack surface was the driver.

THE BOTTOM LINE

If you are not yet on 7.6.3 and you use SSL VPN tunnel mode, treat this as a pre-upgrade gating item. Do not let a routine firmware upgrade take down your remote access on a Friday afternoon because nobody read the release notes.

The migration itself is not difficult. The IPsec dial-up equivalent of an SSL VPN tunnel-mode setup is well understood, the wizard handles most cases, and the user experience for end users is broadly the same once FortiClient is on a recent enough version. The risk is timing, not technology. Get the IPsec config built and tested in parallel, cut over deliberately, then do the firmware upgrade once SSL VPN has been retired by choice rather than by surprise.

If you want a second pair of eyes on a Fortinet estate that needs this work doing, or you are an MSP looking to batch the migration across a set of customer firewalls, get in touch. We do this for a living.