Fortigate New VPN Recommendation

When setting up a new Remote Access VPN, I recommend always changing to a custom tunnel and setting a Peer ID.

The name can be anything; it doesn't matter. I typically use "default".

Why? Requirements change over time. A Peer ID allows having a selection of VPN policies that we can choose from. We can test new settings without disrupting existing users.

Or we could create a VPN for a consultant that has access to only 1 device.

Reason #2 is that FortiGate used to have a small bug where, if a macOS native VPN was created, the Fortinet Client VPN would sometimes erroneously pick the wrong VPN and not be able to log on. I don't know if this problem was fixed, but a Peer ID could help avoid similar problems in the future.

Maximum flexibility at the cost of typing in a group name.

This is more difficult to change after the initial rollout, as you need to change all the existing VPN users or they can't log on.
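As an added example (not from the original post or from Fortinet's documentation), this is what the two-tunnel setup looks like in the FortiOS CLI: one dialup tunnel with Peer ID "default" for everyone, and a second tunnel with Peer ID "consultant" whose firewall policy only reaches a single host. The interface names, user groups, IP ranges, host address and PSK placeholders are assumptions.

```fortios
# Two dialup IPsec tunnels selected by Peer ID (interface/group/IP values assumed)
config vpn ipsec phase1-interface
    edit "RA_default"
        set type dynamic
        set interface "wan1"          # assumed WAN interface
        set mode aggressive           # Peer ID selection with a PSK needs aggressive mode (IKEv1)
        set peertype one
        set peerid "default"          # the "group name" users type into the client
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "VPN_Users"    # assumed user group
        set mode-cfg enable
        set ipv4-start-ip 10.212.134.1
        set ipv4-end-ip 10.212.134.100
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK_PLACEHOLDER>
    next
    edit "RA_consultant"
        set type dynamic
        set interface "wan1"
        set mode aggressive
        set peertype one
        set peerid "consultant"       # different Peer ID, so the client lands on this tunnel
        set proposal aes256-sha256
        set dhgrp 14
        set xauthtype auto
        set authusrgrp "VPN_Consultants"   # assumed separate user group
        set mode-cfg enable
        set ipv4-start-ip 10.212.135.1
        set ipv4-end-ip 10.212.135.10
        set ipv4-netmask 255.255.255.0
        set psksecret <DIFFERENT_PSK_PLACEHOLDER>
    next
end
config firewall address
    edit "Consultant_Host"
        set subnet 192.168.10.50 255.255.255.255   # assumed single device
    next
end
config firewall policy
    edit 0
        set name "consultant_to_one_host"
        set srcintf "RA_consultant"   # only traffic from the consultant tunnel
        set dstintf "internal"        # assumed LAN interface
        set srcaddr "all"
        set dstaddr "Consultant_Host" # and only to the one device
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

Each phase1 still needs its own phase2-interface entry and a policy for the "RA_default" tunnel; those are omitted here for length. Changing or adding a Peer ID later means touching every client profile that uses it, which is the rollout cost mentioned above.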

Also, I never recommend SSL VPN. It had some security problems once and I still don't trust it. If it's already installed, do some aggressive geo-filtering to limit your exposure.

More info here: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-use-Peer-IDs-to-select-an-IPSec-dialup/ta-p/192292