How to make Fortinet SSL VPN safe to use

Is Fortinet SSL VPN Safe to use?

Without going into ZTNA and all the requirements necessary to make that work, how can your organization add security to your existing SSL VPN?

There are lots of vulnerabilities these days that come in through flaws in SSL VPNs, not just Fortinet's but many other vendors' as well. Customers have always been wary of any exposed web interface with input boxes, since it can be a vector for injection attacks and the like. Many end users lock the VPN down with a self-generated CA/certificate PKI and require a client certificate from an internal CA to connect. That is better than a password alone, but what else can you do?

For SSL VPN, do the following (from Matt in MI/NSE7):

  • Set up MFA and SAML authentication for SSL VPN
  • Attach SSL VPN to a loopback interface via a VIP. You can then apply regular firewall policies to inbound SSL VPN traffic (allows you to use IPS and restrict traffic from threat feeds)
  • Use firewall policies to only allow the USA (or other required countries) to hit the VIP
  • Filter your sources by geolocation based on where your remote users will be coming from.
  • Put IPS on your inbound policy for the VIP
  • Use threat feeds to block some traffic from being able to hit the VIP (use the Talos IP Blacklist and Proofpoint Emerging Threats IP List, since they are both free)
  • Configure FortiGate emails via automation stitch any time an admin or VPN user logs in
