Fortinet is removing SSL VPN tunnel mode from FortiOS and pushing every remote-access deployment toward IPsec VPN. The feature is already gone in FortiOS 7.6.3 and later, and tunnel mode was pulled from entry-level G-series and 2GB-RAM models even earlier. If your FortiGate still terminates remote workers over SSL VPN tunnel mode, you need a migration plan to IPsec (and, for app-level access, ZTNA) before your next firmware upgrade. Here is what changed, how the two protocols actually compare, and how to move without breaking remote access.
SSL VPN tunnel mode
SSL VPN tunnel mode is FortiGate’s client-based remote-access method that builds a full network tunnel over TLS (TCP 443) using FortiClient. It differs from SSL VPN web mode (now renamed Agentless VPN), which is a clientless HTTPS reverse proxy to internal web apps. Fortinet has replaced tunnel mode with IPsec VPN; web/Agentless mode continues on supported models.
Is Fortinet really removing SSL VPN from FortiGate?
Yes. Fortinet has removed SSL VPN tunnel mode from FortiOS 7.6.3 onward, and it is no longer available in either the GUI or CLI on affected models. The rollout was phased: FortiOS 7.6.0 dropped SSL VPN (web and tunnel) from models with 2GB of RAM or less, FortiOS 7.4.8 removed it from the G-series entry-level FortiGates (50G, 70G, 90G and variants), and 7.6.3 completed the removal of tunnel mode across the lineup. Your SSL VPN tunnel-mode configuration will not carry forward through the upgrade, so it must be migrated to IPsec before you move to 7.6.3 or later.
The driver is risk. SSL VPN appliances across the industry have been a repeated target for exploitation, and a listening SSL VPN portal is internet-exposed attack surface. Fortinet’s answer is to standardize remote access on IPsec, which can run over TCP 443 to keep the firewall-friendly behavior that made SSL VPN convenient, while removing the web-portal exposure.
Do not upgrade a FortiGate straight to FortiOS 7.6.3+ if it still relies on SSL VPN tunnel mode. The upgrade does not convert your settings, so remote workers can lose access the moment the firmware reboots. Build and test the IPsec configuration first, then upgrade. Also note FortiOS 7.2.x reaches end of support in September 2026, so plan the firmware move and the VPN migration together.
What is the difference between SSL VPN and IPsec VPN?
The core difference is the layer each protocol works at. SSL VPN operates at the application layer over TLS, so it can tunnel through a browser or a light client and passes through firewalls easily on TCP 443. IPsec VPN operates at the network (IP) layer and encrypts the entire packet, which gives it stronger, more standardized cryptography and better performance at scale, at the cost of needing a configured client. In FortiGate’s case, IPsec can now also be configured to use TCP port 443, so it keeps the NAT and firewall traversal that used to be SSL VPN’s main advantage.
IPsec VPN
IPsec VPN is a network-layer VPN standard that authenticates and encrypts IP packets using IKE (Internet Key Exchange) for negotiation and ESP for encryption. On FortiGate remote-access deployments, FortiClient connects as a dialup IPsec client, typically with IKEv2, and can encapsulate ESP inside TCP on port 443 to cross carrier-grade NAT and networks that block native IPsec.
SSL VPN vs IPsec VPN: which is more secure and faster?
IPsec is the stronger and faster choice for ongoing remote access, which is why Fortinet standardized on it. IPsec encrypts at the network layer with mature, widely audited cryptography (AES-GCM, IKEv2) and typically delivers higher throughput because encryption is offloaded to hardware on FortiGate. SSL VPN’s advantages were operational, not security: easy setup and clean firewall traversal on TCP 443. With IPsec-over-443 now available, IPsec keeps that convenience while closing the exposure gap. The table below compares them across the dimensions that matter when you plan a migration.
| Dimension | SSL VPN (tunnel mode) | IPsec VPN |
|---|---|---|
| OSI layer | Application layer (TLS) | Network layer (IP) |
| Encryption | TLS ciphers; portal exposure | IKEv2 / ESP, AES-GCM; no web portal |
| Performance | Higher CPU overhead, lags at scale | Hardware-offloaded, scales for enterprise load |
| Client experience | FortiClient or browser (web mode) | FortiClient 7.4.1+ (IKEv2 for 7.4.4+) |
| NAT / firewall traversal | Native on TCP 443 | NAT-T, or TCP-encapsulated on custom port 443 |
| Best for | Legacy clientless web-app access (Agentless VPN) | Full remote-access tunnels, site-to-site, scale |
| FortiOS status | Removed from tunnel mode in 7.6.3+ | Supported and recommended replacement |
7.6.3
FortiOS release where SSL VPN tunnel mode is fully removed and replaced by IPsec VPN (Fortinet release notes)
How do I migrate from SSL VPN to IPsec VPN on a FortiGate?
Migrate before you upgrade, not after. Build the IPsec dialup configuration on your current firmware, validate it with a pilot group, then push FortiClient and cut over. Fortinet’s recommended remote-access design is an IPsec dialup tunnel using IKEv2 with TCP encapsulation on a custom port 443, which mirrors the connectivity users had under SSL VPN. Here is the practical sequence.
Audit current SSL VPN usage: Identify who connects, from where, which internal resources they reach, and which FortiClient versions are deployed. This defines your firewall policies and split-tunnel scope.
Check firmware and hardware: Confirm the model’s FortiOS branch (mature production branches are 7.4 and 7.6; 7.6.6 is widely recommended) and move off 7.2.x before its September 2026 end of support. Right-size the appliance if the unit is undersized for full IPsec load.
Build the IPsec dialup tunnel: Use the FortiGate VPN wizard to create a remote-access IPsec tunnel with IKEv2, TCP encapsulation, and a custom listening port of 443 so it traverses restrictive networks and carrier-grade NAT.
Update FortiClient and push the profile: Deploy FortiClient 7.4.1 or later (use IKEv2 for FortiClient 7.4.4+), distribute the IPsec profile via EMS, and pilot with a small group before the full rollout.
Cut over and decommission: Move users to IPsec, confirm access to every required resource, then disable the SSL VPN portal to remove the exposed attack surface before upgrading to FortiOS 7.6.3+.
Run SSL VPN and IPsec in parallel during the pilot. FortiGate can serve both at once, so you can move users in waves and keep a rollback path. Only disable the SSL VPN portal once the last group is confirmed working on IPsec. For step-by-step FortiGate VPN setup, see our guide on how to set up a VPN using Fortinet’s FortiGate.
Where does ZTNA fit, and what happens to SSL VPN web mode?
IPsec replaces the full-tunnel use case; ZTNA replaces per-application access, and SSL VPN web mode survives as Agentless VPN for clientless browser access to internal web apps. The strongest long-term posture is to move general remote connectivity to IPsec and shift specific application access to Zero Trust Network Access, which grants access per session based on device posture and identity instead of dropping every user onto the network. If your users only need a handful of internal web apps, Agentless VPN or ZTNA may remove the need for a full tunnel entirely.
Think in three lanes: IPsec VPN for full network access, ZTNA for granular per-app access with posture checks, and Agentless VPN (formerly SSL VPN web mode) for clientless web-app access. SSL VPN tunnel mode is the only piece being retired. Note that when ports overlap, ZTNA and SSL VPN take precedence over IPsec, so plan listener ports before you deploy both.
As a Fortinet Advanced Partner, BALANCED+ plans and executes these migrations end to end: auditing current SSL VPN usage, sizing the right FortiGate, building and testing IPsec, and layering in ZTNA where it reduces exposure. For the deeper why-and-when, read FortiGate SSL VPN is going away: migrate to IPsec. If you want a hand, our managed firewall services cover the whole transition.
Sources
- Fortinet Document Library: SSL VPN tunnel mode replaced with IPsec VPN (FortiOS 7.6.6 release notes)
- Fortinet Document Library: SSL VPN removed from 2GB RAM models for tunnel and web mode (FortiOS 7.6.0)
- Fortinet Document Library: SSL VPN tunnel mode to IPsec VPN migration (FortiOS 7.6.6 admin guide)
- Fortinet Document Library: Configuring IPsec tunnels using the VPN wizard (SSL VPN to IPsec migration)
- Fortinet Document Library: Migrating from SSL VPN to ZTNA