Fortinet’s Quiet War on Linux Workstations
FortiOS 7.6.3 kills SSL VPN tunnel mode. IPsec is now mandatory.
Linux users? They just got hit with a licensing tax.
The FortiClient Divide
- Windows & macOS: Standalone client supports both SSL and IPsec.
- Linux: Standalone client supports SSL only.
IPsec exists for Linux. It works. It is in the code. But you need EMS to use it. This is not a technical limitation. It is deliberate product segmentation.
The Painful Irony
Linux powers most of the world’s infrastructure. FortiGate itself runs on Linux. Yet the engineers keeping these systems running are treated as second-class citizens.
The Result
Linux engineers fall back on strongSwan or openfortivpn just to connect. Centralized security is gone. Workarounds are everywhere. All because of a licensing model.
The Real Risk
When engineers are backed into a corner by licensing, they get creative. SSH hops. Reverse tunnels. Custom scripts. They work, but they bypass central governance, reduce visibility, and actively undermine enterprise security policies.
As noted by security experts like Edwin Ribbers, most incidents don’t start with malicious engineers. They start with decisions made in the boardroom. Forcing Linux users into workarounds through licensing and product segmentation is a perfect example. Policy choices, not technical skills, become the weak link.
The Bottom Line
Fortinet saves a few licensing bucks. Engineering teams pay with operational risk. Forcing engineers to invent their own solutions creates bigger problems than the original VPN ever did.
When licensing models dictate your OS strategy, your infrastructure has already lost.
Key Takeaways
- Vendor-imposed segmentation creates operational risk, not security.
- Linux engineers are often forced into workarounds that undermine governance.
- Boardroom decisions matter more than technical skills in enterprise security.
- A small licensing saving becomes massive technical debt for the organization.