If your business runs remote access through a FortiGate firewall, the way your team connects from home is about to change, and the deadline is closer than most IT leaders realize. Fortinet is removing SSL VPN tunnel mode from FortiOS, the feature that powers the FortiClient remote access VPN that thousands of Canadian businesses rely on every day. On newer G-series FortiGate appliances, it is already gone.

This post breaks down exactly which FortiOS versions and FortiGate models are affected, the timeline you need to plan around, and how to migrate from SSL VPN to IPsec VPN without locking your remote workforce out.

SSL VPN tunnel mode is being phased out of FortiOS. FortiOS 7.6.2 is the last release to support it on most FortiGate models, and 7.6.3 removes it entirely. New G-series FortiGates do not support SSL VPN at all. If you use FortiClient remote access VPN, you must migrate to IPsec VPN before upgrading to 7.6.3 or moving to G-series hardware. Plan the switch now rather than discovering it during an upgrade.

SSL VPN tunnel mode is the FortiGate remote access method that uses the FortiClient agent to create a full network tunnel over an encrypted HTTPS connection. It lets remote employees access internal company resources as if they were on the office network. Fortinet is deprecating this feature in favour of IPsec VPN, which uses a different, more standardized encryption protocol for the same job.

What Is Changing With FortiGate SSL VPN?

Fortinet is retiring SSL VPN tunnel mode across the FortiOS product line and steering all remote access toward IPsec VPN. This is not a security advisory or an emergency patch. It is a planned architectural change that arrives gradually through normal firmware upgrades, which is exactly why it catches teams off guard. You will not see it until the day you push a firmware update and your remote users can no longer connect.

According to Fortinet’s technical documentation on SSL VPN support across FortiGate models, the removal is happening on two tracks at once. The first track is hardware: the newer G-series FortiGate appliances ship without SSL VPN support, full stop. The second track is firmware: as you move up through the FortiOS 7.6 releases, SSL VPN tunnel mode is removed model by model until it disappears completely in 7.6.3.

If you upgrade a FortiGate to FortiOS 7.6.3 or later without migrating first, SSL VPN tunnel mode will stop working and your remote employees will lose access. Confirm your VPN method before scheduling any firmware upgrade to 7.6.3.

FortiOS Version Timeline: When SSL VPN Goes Away

The single most useful thing you can do right now is map your current FortiOS version against the removal timeline. SSL VPN tunnel mode does not vanish in one release. It is pulled progressively, starting with low-memory and entry-level models and ending with a complete removal in FortiOS 7.6.3. Here is how the releases line up.

| FortiOS Version | SSL VPN Tunnel Mode Status |
|---|---|
| 7.4.x | Supported, except some newer entry-level G-series models in later releases |
| 7.6.0 | Removed only on certain low-memory (2 GB RAM) models; still available on most others |
| 7.6.1 | Removed on additional desktop and entry-level models (40F, 60E/F, 80E, 90E, 90G, and similar) |
| 7.6.2 | Last version with SSL VPN tunnel mode available where supported |
| 7.6.3+ | SSL VPN tunnel mode removed on all FortiGate models; migrate to IPsec VPN |

There is one more date that matters and it is easy to miss. FortiOS 7.4 is scheduled to reach end of support in 2027, which means staying on an older release to keep SSL VPN alive is not a long-term plan. You will run out of security updates on 7.4 around the same time you would otherwise be forced off SSL VPN by the 7.6 line. Either path leads to IPsec, so the practical question is simply when you do the work, not whether.

Not everything SSL-based is disappearing. SSL VPN web mode, the clientless browser portal, survives in a modified form and is renamed Agentless VPN in later FortiOS releases. It is the agent-based tunnel mode (FortiClient remote access) that is being removed.

Why Are G-Series FortiGates Affected First?

G-series FortiGate appliances do not support SSL VPN at all, which makes them the clearest signal of where Fortinet is heading. If you have recently purchased or are about to deploy a G-series firewall, IPsec VPN is your only built-in remote access tunnel option from day one. There is no SSL VPN tunnel mode to fall back on, regardless of which FortiOS version you run.

This matters most during hardware refreshes. A common scenario we see with GTA mid-market firms is a business replacing an aging FortiGate 60E or 90E with current G-series hardware, restoring the configuration, and assuming remote access will carry over. It will not. The SSL VPN configuration has nowhere to land on the new appliance. Any refresh onto G-series hardware needs an IPsec VPN migration baked into the project plan, not treated as a surprise after cutover.

Before approving any FortiGate hardware purchase, confirm whether the model is G-series and plan your remote access around IPsec VPN from the start. Building IPsec into the initial deployment is far cheaper than retrofitting it after users are already connecting through a method that is about to break.

How Do You Migrate From SSL VPN to IPsec VPN?

Migrating from SSL VPN to IPsec VPN is a planned project, not a single config toggle. The encryption protocol, client configuration, and authentication flow all change, and the safest approach is to run both methods in parallel during the transition so you can move users in controlled batches. Here is the sequence we follow.

1. Inventory your VPN footprint: Identify every FortiGate in your environment, its exact FortiOS version, its model, and how many users connect through SSL VPN tunnel mode today. This tells you who is affected and how urgent the timeline is for each site.

2. Build the IPsec VPN configuration: Configure dial-up IPsec VPN on the FortiGate with the right encryption proposals, authentication method, and split-tunnel or full-tunnel routing to match your security policy. Integrate it with your existing identity provider and multi-factor authentication.

3. Run SSL and IPsec in parallel: Keep SSL VPN active while you stand up IPsec alongside it. This gives you a rollback path and lets you migrate users in waves instead of a single high-risk cutover.

4. Pilot, then roll out in batches: Move a small test group to IPsec first, validate access to every critical resource, then expand. Update the FortiClient configuration and provide clear instructions so end users are not left guessing.

5. Decommission SSL VPN and upgrade firmware: Once everyone is on IPsec and stable, disable SSL VPN tunnel mode and proceed with your FortiOS upgrade to 7.6.3 or later, confident that remote access will not break.
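As an added example (not Fortinet's or the author's tooling), the inventory step and the version timeline above can be combined into a pre-upgrade check that flags which firewalls still have SSL VPN users who must move to IPsec before a given target release. The CSV columns, the device names and the rule that a model name ending in "G" means G-series are assumptions made for this illustration.

```python
import csv, io, re

# Models the page names for 7.6.1; unlisted models on 7.6.0-7.6.2 yield "verify".
REMOVED_IN_761 = {"40F", "60E", "60F", "80E", "90E", "90G"}

def parse_version(text):  # '7.6.2' or 'v7.6.2' -> (7, 6, 2)
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised FortiOS version: {text!r}")
    return tuple(int(p) for p in m.groups())

def tunnel_mode_status(model, version):
    """Return 'removed', 'verify' or 'available' per the page's timeline."""
    v, model = parse_version(version), model.strip().upper()
    # Assumption: a model name ending in 'G' is G-series (no SSL VPN at all).
    if model.endswith("G") or v >= (7, 6, 3):
        return "removed"
    if v >= (7, 6, 1) and model in REMOVED_IN_761:
        return "removed"
    return "verify" if v >= (7, 6, 0) else "available"  # 7.6.0-7.6.2: model-dependent

def upgrade_plan(inventory_csv, target):
    """Per device: (name, action, users) for an upgrade to `target`."""
    plan = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        users = int(row["sslvpn_users"])
        now = tunnel_mode_status(row["model"], row["fortios"])
        after = tunnel_mode_status(row["model"], target)
        if users == 0:
            action = "no-ssl-vpn-users"
        elif now == "removed":
            action = "recheck-inventory"  # users listed where tunnel mode is gone
        else:
            action = {"removed": "migrate-before-upgrade",
                      "verify": "verify-release-notes", "available": "ok"}[after]
        plan.append((row["name"], action, users))
    return plan

# Constructed sample inventory (names, versions and user counts are made up).
SAMPLE = """name,model,fortios,sslvpn_users
hq-fw,100F,7.4.5,120
branch-1,60F,7.6.1,15
branch-2,90G,7.4.5,8
lab-fw,100F,7.6.2,0
"""

if __name__ == "__main__":
    for name, action, users in upgrade_plan(SAMPLE, "7.6.3"):
        print(f"{name:10} {users:4} users  {action}")
```

A "verify" result means the page's timeline does not settle the question for that model, so the release notes for the target version decide.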

FortiOS Upgrade Best Practices: Don’t Jump Too Far Ahead

The SSL VPN change is a reminder of a broader discipline: upgrade FortiOS deliberately, not aggressively. Fortinet designates specific releases as recommended, often called the “Gold” or mature release, and that is almost always where a production firewall should live. The newest available version is rarely the right place for a business-critical appliance, and the oldest supported version leaves you exposed. The sweet spot is the recommended release for your specific model.

  • Check Fortinet’s recommended release for your exact FortiGate model before every upgrade. The right version differs by hardware.
  • Follow the supported upgrade path. Jumping multiple major versions in one step can corrupt configurations or strip features like SSL VPN without warning.
  • Read the release notes for the target version, specifically the removed and deprecated features section, before you schedule the work.
  • Test in a maintenance window with a config backup and a rollback plan. Never upgrade a production firewall during business hours on a whim.
  • Start planning for FortiOS 8 now. Knowing what is coming lets you sequence hardware refreshes and feature migrations on your schedule instead of reacting to a forced change.

The most expensive FortiOS upgrades are the rushed ones. A planned migration with parallel VPN methods and a tested rollback costs a fraction of an emergency response after remote staff are locked out on a Monday morning.

SSL VPN tunnel mode is on its way out of FortiOS, and IPsec VPN is the path forward for every FortiGate remote access deployment. The businesses that handle this well are the ones that inventory their firewalls now, build IPsec alongside SSL VPN, and migrate users in controlled batches before a firmware upgrade forces the issue. The deadline is set by your own upgrade schedule and FortiOS 7.4’s end of support, so the time to plan is today.

At Balanced+, we manage and secure FortiGate environments for mid-market businesses across Toronto and the GTA, including firmware lifecycle planning and VPN migrations that keep remote teams connected through the transition. If you are not sure which FortiOS version your firewall runs or whether SSL VPN removal affects you, our team can audit your environment and build the migration plan for you. Learn more about our cybersecurity and managed firewall services.

Frequently Asked Questions

Is FortiGate SSL VPN being discontinued?

SSL VPN tunnel mode, the agent-based FortiClient remote access VPN, is being removed from FortiOS. FortiOS 7.6.2 is the last release that supports it on most models, and 7.6.3 removes it entirely. SSL VPN web mode survives in a renamed form called Agentless VPN, but the full tunnel feature most businesses use for remote access is being discontinued in favour of IPsec VPN.

Which FortiOS version removes SSL VPN?

FortiOS 7.6.3 removes SSL VPN tunnel mode on all FortiGate models. Removal begins earlier on certain low-memory and entry-level models in 7.6.0 and 7.6.1, but 7.6.2 is the last version where it remains available where supported. You must migrate to IPsec VPN before upgrading to 7.6.3 or later.

Do G-series FortiGate firewalls support SSL VPN?

No. G-series FortiGate appliances do not support SSL VPN tunnel mode at all, regardless of FortiOS version. If you deploy or refresh onto G-series hardware, IPsec VPN is your only built-in remote access tunnel option, so plan your remote access around IPsec from the start.

Is IPsec VPN better than SSL VPN on FortiGate?

For FortiGate remote access going forward, IPsec VPN is the supported and recommended method, which makes it the practical choice. IPsec uses a standardized encryption protocol and is built into current and future FortiGate hardware, including G-series models. SSL VPN tunnel mode is being removed, so even if your team prefers it today, IPsec is where remote access is heading.
