Hi All,

We have 300 end users, and nearly all of them work remotely. We’ve just set up a new SIEM tool, but we have a problem. Since people work remotely and they don’t even remember to connect to the VPN, we won’t be able to collect logs instantly. We are also having issues with deploying group policies etc., since they don’t connect to the VPN often. I wonder if there is any way to force users to connect to the VPN to use their laptops or go to the web etc. Even if there is a way to do it, can the firewall (FortiGate-90G) handle 250-300 users connected to the VPN at the same time? Or any other solutions?

Thanks in advance.

11 Spice ups

The FortiGate 90G firewall supports IPsec VPNs but does not support SSL VPNs. It offers a high IPsec VPN throughput of 25 Gbps and can handle 200 gateway-to-gateway and 2500 client-to-gateway IPsec VPN tunnels. While earlier firmware versions may have allowed configuring SSL VPN on the 90G, this feature has been removed in later versions, including 7.6.1 and later, according to Fortinet.

Here’s a more detailed breakdown:

IPsec VPN:

  • Throughput: The FortiGate 90G boasts a strong IPsec VPN throughput of 25 Gbps (with 512-byte packets).
  • Tunnel Capacity: It can manage 200 gateway-to-gateway IPsec VPN tunnels and 2500 client-to-gateway IPsec VPN tunnels.
  • Configuration: IPsec VPNs are configured using the site-to-site VPN wizard or manually.
4 Spice ups

VPN usage should be handled by company policy, unless you wish to block all access to apps/files outside of VPN/internal network use. Enforcement will always be hit or miss, either way. Some people will just ‘pop on’ to check a thing or send something and not bother with the VPN, and honestly, blocking access is the only way to make that VPN step happen in that case.

1 Spice up

What SIEM? If this is a cloud-based solution, it probably has an agent that can be installed to collect the logs of your endpoints.

2 Spice ups

Look into “Always On VPN” Solutions. These are VPNs that have a component to detect if a device is outside the building and automatically connect.

Microsoft Always On VPN is one such option. It sounds like your Fortinet supports an IPsec Always On VPN configuration: FortiClient EMS - Auto-connect a VPN Tunn… - Fortinet Community

2 Spice ups

Yes, set the VPN to always connect. Even if you allow split tunnel, you will still then have management of devices at all times.
If you use the Microsoft VPN client, then you should implement Windows Always On VPN.
If you use a FortiGate client, then google ‘forticlient autoconnect’ and there are many links to instructions.

2 Spice ups

UTMStack; it’s not cloud-based, we have it on our local ESXi.

1 Spice up

Thank you for the detailed information.

1 Spice up

I’m a little worried if things get worse, but I think we’ll think about your comments and make a decision soon.

1 Spice up

I might be alone in this world when it comes to the indiscriminate use of VPN in the hands of regular users. When you dig deeper into the breaches that occur from Fortune 500 to mom and pop businesses, in almost 70% of cases the culprit is always a client VPN. I will keep pushing against software VPN until I die, because I think it is utterly idiotic to actually give direct access into your infrastructure to devices that you might not always know what’s going on with, and even if you do, you cannot be 100% sure. Besides having so many other alternatives that are as secure, do not expose the internal network and DO NOT require any software installation (which needs to be maintained), why keep insisting on client VPN?

3 Spice ups

ALWAYS airgap work and personal. Two phones, two laptops etc. For work phones and computers VPN forced always on and zero trust. For personal phone and laptop, whatever the user chooses - none of work’s business.

2 Spice ups

You’re absolutely not alone in facing the “VPN forgetfulness” challenge. With 300 remote users and key pain points like log collection and GPO deployment, here’s my strategic approach to tighten compliance without relying solely on user memory or Dementia users…

My advice on VPN setups is as follows:

Primary Recommendation: Always-On VPN

  • FortiClient EMS supports auto-connect IPsec VPN, ideal for seamless enforcement.
  • FortiGate 90G can handle up to 2500 client-to-gateway tunnels, so capacity-wise you’re covered.
  • Configuring this eliminates the “forgot to connect VPN” issue and ensures logs, policies, and updates happen on time.

Alternative: Zero Trust Access

If you want to move away from blanket VPN access:

  • Fortinet Universal ZTNA: Grant access to specific apps only after validating user/device identity. Great for reducing exposure.
  • Split Tunnel + ZTNA Hybrid: Useful for balancing full control over critical services (via VPN) and limited access via ZTNA.

SIEM Integration Without VPN

  • Agent-Based Log Collection: Even if your SIEM (UTMStack in ESXi) isn’t cloud-based, check if there’s an endpoint agent available. This allows log collection without needing VPN tunnels.
  • Remote Management via Intune/GPO over Internet: With proper security hardening, Microsoft Endpoint Manager (Intune) can push policies without VPN.

Policy Enforcement Tips

  • Block internal resource access unless VPN is active (enforced by FortiGate policies).
  • Use startup scripts to notify users when VPN is disconnected.
  • Consider “login event triggers” to force VPN reconnect if off-network.

TL;DR: Auto-connect VPN is your low-friction solution. ZTNA is the future-proof path. And don’t underestimate endpoint agents—they’re your SIEM’s best friend in a remote-first world.

Good luck, bro, and don’t let those Forgetasaurus Memory ninja users ruin your day.

1 Spice up
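As an added example (not code from the thread, from Fortinet or from Microsoft), here is a Windows PowerShell 5.1 startup/logon script that implements the last two enforcement tips above for a built-in Windows VPN profile: it skips machines that are already on-site via a DNS-based trusted-network check, reconnects the tunnel with rasdial when the laptop is off-site, and writes each decision to the Application event log so the SIEM endpoint agent can pick it up. The profile name "Corp-VPN", the event source "VpnEnforce" and the internal-only host "intranet.corp.example.com" are assumptions.

```powershell
# Added example (not from the thread): logon/startup check that reconnects a
# Windows built-in VPN profile when the laptop is off the corporate network.
# Assumptions: a VPN profile named "Corp-VPN" already exists in Windows, and
# "intranet.corp.example.com" resolves only inside the corporate network.

$VpnName      = 'Corp-VPN'
$InternalHost = 'intranet.corp.example.com'
$EventSource  = 'VpnEnforce'

# Events go to the Application log so the SIEM endpoint agent can forward them.
function Write-EnforceEvent([int]$Id, [string]$Type, [string]$Message) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($EventSource)) {
        New-EventLog -LogName Application -Source $EventSource
    }
    Write-EventLog -LogName Application -Source $EventSource -EventId $Id -EntryType $Type -Message $Message
}

# Trusted-network detection: if the internal-only name resolves, we are on-site
# and must not start the tunnel (avoids hairpinning traffic through the VPN).
function Test-OnCorpNetwork {
    try { [void](Resolve-DnsName -Name $InternalHost -ErrorAction Stop); return $true }
    catch { return $false }
}

if (Test-OnCorpNetwork) {
    Write-EnforceEvent 1000 Information "On corporate network; VPN not required."
    exit 0
}

$vpn = Get-VpnConnection -Name $VpnName -ErrorAction SilentlyContinue
if (-not $vpn) {
    Write-EnforceEvent 1001 Error "VPN profile '$VpnName' not found; cannot enforce."
    exit 1
}
if ($vpn.ConnectionStatus -eq 'Connected') {
    Write-EnforceEvent 1002 Information "VPN already connected."
    exit 0
}

# Off-site and disconnected: warn the user, then reconnect with the credentials
# or machine certificate saved in the profile (no secrets live in this script).
Write-EnforceEvent 1003 Warning "VPN disconnected off-site; attempting reconnect."
msg.exe * "Corporate VPN is disconnected. Reconnecting now; please stay online."
$rc = (Start-Process -FilePath rasdial.exe -ArgumentList "`"$VpnName`"" -Wait -PassThru -WindowStyle Hidden).ExitCode
if ($rc -eq 0) { Write-EnforceEvent 1004 Information "Reconnect succeeded." }
else          { Write-EnforceEvent 1005 Error "Reconnect failed (rasdial exit code $rc)." }
exit $rc
```

Deploy it as a GPO startup script or a scheduled task triggered at logon and on network-profile change (the "login event trigger" in the tips), and build a SIEM alert on event IDs 1001 and 1005 so repeat failures surface before the machine drifts out of management.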