Fortigate New VPN Recommendation

When setting up a new Remote Access VPN I recommend always changing to a custom tunnel and setting a Peer ID.

The name can be anything; it doesn’t matter. I typically use “default”.

Why? Requirements change over time. A Peer ID gives us a selection of VPN policies to choose from, so we can test new settings without disrupting existing users.

Or we could create a VPN for a consultant that has access to only one device.

Reason #2 is that Fortigate used to have a small bug: if a macOS native VPN was created, the Fortinet Client VPN would sometimes erroneously pick the wrong VPN and not be able to log on. I don’t know if this problem was fixed, but a Peer ID could help avoid similar problems in the future.

Maximum flexibility, at the cost of users typing in a group name (the Peer ID) in their client.

This is more difficult to change after the initial rollout, as you need to update every existing VPN user’s client configuration or they can’t log on.

Also, I never recommend SSL VPN. It had some security problems once and I still don’t trust it. If it’s already installed, do some aggressive geo-filtering to limit your exposure.

More info here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dialup/ta-p/192292

This is especially important when there are both IPsec and native iOS VPNs on the same Fortigate. The iOS native client will always generate an error unless the Peer ID is specified. The advantage is that you can create a Peer ID for each internal network in use. We typically set up small businesses with an Office network and a Security network.
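What the recommendation looks like in FortiOS CLI, as an added example that is not part of the original post: two dialup IPsec tunnels on the same WAN port, one per Peer ID, so a client lands on the tunnel whose ID it sends (the consultant tunnel from above, or one tunnel per internal network). Tunnel names, user groups, IP pools and the PSKs are placeholders, not values from the post.

```fortios
# Added example, not the original post's config: two IPsec dialup tunnels on
# one WAN port, told apart by Peer ID. Names, groups, IP ranges, PSKs are placeholders.
config vpn ipsec phase1-interface
    edit "VPN-Office"
        set type dynamic
        set interface "wan1"
        # IKEv1 (the default) can match a dialup tunnel by ID only in aggressive mode
        set mode aggressive
        # peertype one + peerid: only clients sending Local ID / group name "office"
        # land here; with the default "peertype any" the FortiGate has to pick among
        # dialup tunnels on a shared port by proposal match alone
        set peertype one
        set peerid "office"
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "VPN-Office-Users"
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.200
        set psksecret "PLACEHOLDER-office-psk"
    next
    edit "VPN-Consultant"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "consultant"
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "VPN-Consultant-Users"
        set mode-cfg enable
        set ipv4-start-ip 10.212.135.1
        set ipv4-end-ip 10.212.135.20
        set psksecret "PLACEHOLDER-consultant-psk"
    next
end
# Phase 2 selectors, one per tunnel
config vpn ipsec phase2-interface
    edit "VPN-Office-p2"
        set phase1name "VPN-Office"
        set proposal aes256-sha256
    next
    edit "VPN-Consultant-p2"
        set phase1name "VPN-Consultant"
        set proposal aes256-sha256
    next
end
```

Each tunnel is its own interface, so the firewall policies from "VPN-Consultant" can allow exactly one destination host while the "VPN-Office" policies reach the whole office network. Changing the settings for a new group later means adding another phase1-interface with a new Peer ID rather than touching the existing one.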

sduncan