Legacy Hardware vs. Modern Software Architecture
See how Defguard's Enterprise VPN solution architecture stacks up against the limitations of traditional, all-in-one security appliances.
Traditional Appliance (FortiGate)
Whether you use the official FortiClient or a client wrapper like OpenFortiVPN, you are still tethered to the slow, vulnerable SSL VPN protocol on a monolithic appliance. It's a single point of failure.
Defguard Architecture
Defguard is not a client wrapper. It is a complete Protocol-Based Solution that replaces the vulnerable SSL VPN stack with a modern WireGuard® Gateway. Built on a secure, stateless architecture, it isolates components and keeps the Core Control Plane physically inaccessible from the internet, eliminating the attack surface.
Architecture diagram: [ DMZ ] ↔ [ Core Control Plane ] ↔ [ Internal Network ]
Fortinet Pricing & Hardware Lock-in
- Expensive hardware purchases required.
- Security updates often demand costly equipment upgrades.
- Creates a cycle of vendor lock-in and escalating costs.
Defguard's Freedom
- A true FortiGate VPN alternative. Completely hardware and system-agnostic.
- Deploy on any hardware or cloud provider (AWS, GCP, Azure).
- Software-defined for maximum flexibility and cost-efficiency.
The FortiGate Black Box
- Closed-source code prevents inspection.
- No way to verify security claims or patches.
- Impossible to confirm if attackers persist after a breach.
- You must trust the vendor's promises completely.
Defguard's Inspectability & Verifiability
- Full inspectability with open-source code.
- Transparent development, testing, and release process.
- Public penetration testing reports.
- Full system access enables comprehensive monitoring.
FortiClient's Costly 2FA
Typically offers basic 2FA, often with additional costs for proprietary tokens or services.
- Basic 2FA (e.g., TOTP)
Defguard's True Multi-Factor Authentication
Provides true, layered Multi-Factor Authentication out-of-the-box for robust security.
- Biometry
- TOTP
- Email Codes
- WireGuard PSK
FortiGate's Limited SSO
Support for SSO/IdP is often limited to a few major enterprise providers, restricting your choices.
Supported: ADFS, Microsoft Entra ID, Okta, Google Workspace.
Defguard's Broad Integration
Extensive support for on-premise and cloud-based SSO/IdP solutions via OpenID Connect.
Supported: LDAP, Active Directory, Google Workspace, Azure EntraID, Okta, JumpCloud, Zitadel, ...and more.
The ROI of Switching: Engineered for Speed & Security
Replace legacy friction with measurable performance. Defguard upgrades your infrastructure with a modern, auditable stack that respects your team's time.
Instant Connection (< 100ms)
95% Reduced Attack Surface
4x Faster Throughput
Eliminate VPN Headaches for Your Entire Team
Defguard provides the security, control, and flexibility your team needs, no matter your role.
For CISO & IT Management
- Mitigate Risk: Secure, stateless architecture minimizes your attack surface.
- Escape FortiGate SSL VPN vulnerabilities
- Ensure Compliance: Full inspectability and transparent security empower audits.
- Control Costs: Avoid vendor lock-in and FortiGate's cost complexity.
For Sys Admins
- Easy Deployment: Hardware-agnostic software for flexible installations.
- Simplified Management: Easy upgrades and seamless integration with existing tools.
- Full Visibility: Comprehensive system and network monitoring on-device.
For DevOps
- Automated & Fast: Built on WireGuard for high performance and speed.
- Hybrid Cloud Ready: Deploy on-premise or in any major cloud environment.
- Flexible Integration: Extensive SSO/IdP support via OpenID Connect.
Engineered for the Modern Network
Defguard is more than just a replacement—it's an upgrade designed for today's dynamic infrastructure demands.
Engineered for Speed
Hybrid Cloud Ready
Easy, Verified Updates
Trusted by Industry Leaders
Organizations worldwide trust Defguard to secure their critical infrastructure and protect their digital assets.
Comparison matrix
Let's start with a high-level feature comparison between Defguard and Fortinet, then we'll dive into the critical details.
| Feature | Defguard | Fortinet VPN (FortiClient + FortiGate) |
|---|---|---|
| VPN Protocol | WireGuard® - Fast, stateless, minimal attack surface. | IPsec & SSL VPN - Slower, stateful, legacy protocols. |
| Architecture | Modern Microservices - Segregated control & data planes. | Appliance-Centric Monolith - Centralized, public-facing FortiGate. |
| Post-Breach Resilience | High - Designed to resist persistent threats. | Critically Low - Malware on FortiGate (COATHANGER) survives patches. |
| MFA Enforcement | Protocol-level MFA - Built-in, every connection authenticated. | Session-Based 2FA. Authenticates only once at login. Native tokens usually require separate licensing (like FortiToken). |
| Open Source | Yes - Fully open-source, written in Rust for verifiable security. | No - Proprietary, closed-source system. |
| Identity Management | Built-in IdP & simple SSO integration (Microsoft, Google, Okta). | Fragmented. Basic local config per-firewall. Scalable IAM often requires FortiAuthenticator. |
| Onboarding | User-centric & automated - Self-service via enrollment tokens. | Administrator-driven & manual via FortiClient EMS. |
| Performance | Superior - High throughput, low latency via peer-to-peer connections. | Variable - Centralized gateway bottlenecks. |
| Cost | Simple & Predictable - Subscription-based, all features included. | Complex & Opaque - Multiple hidden license fees. |
Architecture: Why the Fortinet Monolith is Slow
Fortinet's VPN solution relies on a traditional model where the FortiClient endpoint connects to a central FortiGate appliance, and all traffic is funneled through it. This monolithic architecture, where dozens of services are bundled into the FortiOS codebase, creates a single, massive point of failure and a performance bottleneck. For a Head of IT, this means any attack on the gateway can bring the entire remote access infrastructure down.
In stark contrast, Defguard employs a modern microservice architecture that segregates the control and data planes. The control plane operates exclusively within your internal network, inaccessible from the public internet. The data plane, built on WireGuard®, is decentralized, enabling direct connections that eliminate bottlenecks, improve latency, and enhance reliability.
Defguard Secure Architecture

Defguard's secure microservice architecture: Internal Core and external stateless Proxy (public-facing) ensure sensitive data never leaves your internal network while providing secure remote access.
Security: Vulnerabilities & The "Unpatchable" Risk (COATHANGER)
This is the most critical differentiator. Fortinet's security model has proven to be dangerously fragile against sophisticated threats.
The FortiGate appliance's design has resulted in a recurring pattern of critical, remotely exploitable vulnerabilities (like CVE-2024-21762). These flaws have been actively exploited by state-sponsored actors like China's Volt Typhoon to gain initial access to critical infrastructure.
However, the greatest failure is the inability to recover from a breach. According to Dutch intelligence services (MIVD), a custom Remote Access Trojan named COATHANGER was developed specifically for FortiGate devices. This malware:
- Survives reboots and firmware upgrades.
- Hides its presence by hooking system calls, making it invisible to standard admin tools.
- Was used to compromise at least 20,000 FortiGate devices globally.
For a CISO, this is a catastrophic risk. It means that even after applying a patch, the FortiGate device cannot be trusted, creating unacceptable business risk.
Defguard's foundation on its open-source Rust codebase provides a modern, auditable cryptographic suite with a minimal attack surface. You can verify the code, not just trust a vendor's opaque security claims.
Identity: Native MFA vs. The FortiAuthenticator Trap
Fortinet requires a complex ecosystem for modern authentication, needing separate products like FortiAuthenticator for SSO and FortiToken for MFA. This fragments security and inflates costs.
Defguard simplifies this natively. It includes a built-in Identity Provider (IdP) and supports any OIDC provider (Microsoft, Google, Okta) out of the box, with no extra licenses, reducing the burden on IT teams.
Access Control: Identity-Based vs. Static IP Rules
Defguard uses a flexible, identity-based ACL system. Policies are tied to user identity, not static IP addresses, making them more secure and easier to manage than the complex rule sets on a centralized FortiGate appliance.
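To make the difference between the two policy models concrete, here is an added example (not Defguard's own ACL engine or API; the rule shapes, `Session` fields and destinations are hypothetical, constructed for illustration). A static rule set keys access on the source subnet, so it grants whatever happens to hold an address in that range and denies a legitimate user who connects from elsewhere; an identity-based rule set keys access on the authenticated user's groups and MFA status, which travel with the session regardless of address.

```python
"""Static-IP versus identity-based access control: a side-by-side evaluator.

Added example, not part of the original page and not Defguard's code. The rule
formats, destinations and sessions below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    """What an identity-aware gateway knows once a tunnel is authenticated."""
    user: str
    groups: frozenset          # groups asserted by the IdP (hypothetical names)
    mfa_verified: bool         # MFA completed for this session
    peer_ip: str               # address the peer currently holds


# Legacy style: access is a property of the source network. The "finance"
# subnet is a convention, not an identity; anyone who obtains an address in it
# inherits the rule.
STATIC_RULES = [
    # (source network, destination, allow)
    (ip_network("10.8.0.0/24"), "db.internal:5432", True),
    (ip_network("10.8.1.0/24"), "k8s-api.internal:6443", True),
]

# Identity style: access is a property of who the user is and how strongly they
# authenticated. The address the peer holds is irrelevant.
IDENTITY_RULES = [
    # (required group, require MFA, destination)
    ("finance", True, "db.internal:5432"),
    ("devops", True, "k8s-api.internal:6443"),
]


def static_allows(session: Session, dest: str) -> bool:
    """Match the peer's current address against subnet rules."""
    addr = ip_address(session.peer_ip)
    return any(addr in net and dest == rule_dest and allow
               for net, rule_dest, allow in STATIC_RULES)


def identity_allows(session: Session, dest: str) -> bool:
    """Match the session's identity claims against group rules; a rule that
    requires MFA is skipped for sessions that did not complete it."""
    for group, need_mfa, rule_dest in IDENTITY_RULES:
        if dest != rule_dest or group not in session.groups:
            continue
        if need_mfa and not session.mfa_verified:
            continue
        return True
    return False


def compare(session: Session, dest: str) -> dict:
    """Evaluate both models for one request so the divergence is visible."""
    return {"static": static_allows(session, dest),
            "identity": identity_allows(session, dest)}


if __name__ == "__main__":
    # Constructed sessions: a finance user roaming outside the "finance" subnet,
    # and a contractor who happens to hold an address inside it.
    roaming_finance = Session("alice", frozenset({"finance"}), True, "10.9.0.5")
    contractor = Session("mallory", frozenset({"contractors"}), False, "10.8.0.77")
    for s in (roaming_finance, contractor):
        print(s.user, compare(s, "db.internal:5432"))
```

In this model the static rules both deny the roaming finance user and admit the contractor, purely on the basis of the address each one holds; the identity rules reverse both outcomes. The same structure also shows why protocol-level MFA matters for enforcement: the `mfa_verified` flag is a property of the authenticated session, so a rule can require it per destination rather than trusting a one-time login.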
Strategic Impact: Hardware Security vs. Software Agility
The choice between Fortinet and Defguard is a choice between two fundamentally different security philosophies. The table below shows the real-world consequences of each architectural approach.
| Security Principle | Legacy Appliance Approach (FortiGate) | Modern ZTNA Approach (Defguard) |
|---|---|---|
| ZTNA implementation | Perimeter-Based. Trust is assumed once connected. Even with "Fortinet ZTNA" features, the underlying architecture relies on a persistent tunnel that allows lateral movement. | Pure identity-first ZTNA: protocol-level MFA with dynamic session keys; no implicit trust, every session fully reauthenticated before tunnel establishment. |
| Attack Surface | Large, monolithic, and complex; a single vulnerability can lead to full device compromise, as repeatedly demonstrated by multiple critical CVEs. | Based on a secure microservice architecture. Each component is independent, eliminating single points of failure and drastically reducing the attack surface. |
| Vulnerability Impact | High; a perimeter breach grants state-sponsored actors a long-term foothold for lateral movement and deep network access. | Contained; breaches are isolated by design. The "blast radius" of any single component failure is minimized. |
| System Integrity | Assumed & Fragile; vulnerable to persistent threats (e.g., COATHANGER) that survive reboots and patches, rendering the device untrustworthy. | Verified & Resilient; employs continuous integrity monitoring and immutable components to ensure the platform remains trustworthy. |
| Vendor Transparency | Opaque & Vendor-Centric; "silent patching" leaves customers unknowingly exposed while attackers reverse-engineer fixes. | Transparent & Customer-Centric; timely disclosure empowers defenders to accurately assess risk and take immediate action. |
Management & Setup: Automated Provisioning vs. FortiClient EMS
Scaling remote access creates an "Empty Client" problem: distributing the app is easy, but securely distributing secrets is hard. Fortinet forces you to buy FortiClient EMS to solve this. Defguard solves it using the infrastructure you already own: Active Directory or Entra ID.
We offer true Zero-Touch Provisioning. Admins batch-generate tokens via API and sync them to user profiles. When you push the MSI via Intune or GPO, the client auto-detects the domain, retrieves the token, and pre-configures itself. Users launch the app and connect immediately: no emails, no copy-pasting, and no Helpdesk tickets.
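The provisioning flow above is, at its core, an enrollment-token lifecycle: tokens are minted in a batch, parked on each user's directory record, picked up by the client that runs as that domain user, and redeemed exactly once. The following added example (not Defguard's API or code; the `EnrollmentServer` and `DirectoryRecord` names, the `vpnEnrollmentToken` attribute and the 24-hour lifetime are hypothetical) models that lifecycle with the properties a defender would want: the server stores only a hash of each token, every token is bound to the user it was issued for, it expires, and it cannot be replayed after first use.

```python
"""Enrollment-token lifecycle for zero-touch VPN client provisioning.

Added example, not part of the original page and not Defguard's own code or
API. DirectoryRecord stands in for an AD / Entra ID user object; the attribute
name and the TTL are constructed for illustration.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 24 * 3600          # hypothetical lifetime for an unused token
TOKEN_ATTRIBUTE = "vpnEnrollmentToken"  # hypothetical directory attribute


@dataclass
class DirectoryRecord:
    """Minimal stand-in for a directory user object with custom attributes."""
    username: str
    attributes: dict = field(default_factory=dict)


class EnrollmentServer:
    """Mints and redeems single-use, user-bound, expiring enrollment tokens."""

    def __init__(self, now=time.time):
        self._now = now                 # injectable clock, handy for testing
        self._pending = {}              # sha256(token) -> (username, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        # Only the hash is kept server-side; a leaked table yields nothing usable.
        return hashlib.sha256(token.encode()).hexdigest()

    def batch_generate(self, directory: dict, usernames: list) -> int:
        """Admin step: one token per user, written to that user's record."""
        for user in usernames:
            token = secrets.token_urlsafe(32)
            self._pending[self._digest(token)] = (user, self._now() + TOKEN_TTL_SECONDS)
            directory[user].attributes[TOKEN_ATTRIBUTE] = token
        return len(usernames)

    def redeem(self, username: str, token: str) -> tuple:
        """Client step: reject unknown, used, expired or mis-bound tokens."""
        key = self._digest(token)
        entry = self._pending.get(key)
        if entry is None:
            return False, "unknown or already used"
        owner, expires_at = entry
        if self._now() > expires_at:
            del self._pending[key]
            return False, "expired"
        if owner != username:
            # Do not consume it: the legitimate owner may still present it.
            return False, "token not issued to this user"
        del self._pending[key]          # one-time use
        return True, "enrolled"


def client_autoconfigure(server: EnrollmentServer, directory: dict, domain_user: str) -> tuple:
    """Client step: the app, running as the logged-in domain user, reads the
    token from that user's record, redeems it, then scrubs it from the record."""
    record = directory[domain_user]
    token = record.attributes.get(TOKEN_ATTRIBUTE)
    if not token:
        return False, "no token"
    ok, reason = server.redeem(domain_user, token)
    if ok:
        record.attributes.pop(TOKEN_ATTRIBUTE, None)
    return ok, reason


if __name__ == "__main__":
    # Constructed directory with two users.
    directory = {u: DirectoryRecord(u) for u in ("alice", "bob")}
    server = EnrollmentServer()
    server.batch_generate(directory, ["alice", "bob"])
    print(client_autoconfigure(server, directory, "alice"))   # first run enrolls
    print(client_autoconfigure(server, directory, "alice"))   # nothing left to redeem
```

The design choices worth noting: binding the token to a username means a token copied off one user's record cannot enroll a different account; hashing before storage means the server never holds a redeemable secret at rest; and deleting on redemption (rather than flagging) keeps the replay check a simple lookup.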
To simplify evaluation, we provide a one-line install script to deploy a complete test instance, allowing you to get familiar with the solution's features quickly. For production-ready rollout, we support modern workflows with deployment options for Docker Compose, Terraform for AWS, and Kubernetes.
Pricing: Transparent Subscription vs. Hidden Licensing Fees
Fortinet's pricing requires multiple, separate licenses for FortiGate hardware, FortiClient endpoints, MFA, SSO, and mandatory support contracts, leading to unforeseen costs.
Defguard offers several plans, including our comprehensive Enterprise plan designed for business-critical deployments. This approach ensures straightforward, subscription-based pricing without the hidden fees common in the Fortinet ecosystem. For a full comparison of our plans, please see our pricing page.
The Bottom Line: Why Modern Teams Switch
Fortinet's VPN solution is a traditional VPN defined by its legacy architecture and a demonstrated history of critical security failures. The FortiGate appliance's design allows for persistent compromises that survive patching – a risk modern businesses cannot afford.
Defguard provides a modern, resilient alternative. Built on the secure WireGuard® protocol, its microservice architecture and open-source transparency offer a solution engineered to withstand the advanced threats that target legacy systems.
Ready for a Resilient VPN?
Stop patching a broken architecture. Move to a platform designed for the modern threat landscape.
Frequently Asked Questions
How does Defguard protect against vulnerabilities like COATHANGER?
Legacy appliances are vulnerable to persistent malware because they run large, monolithic codebases. Defguard is built on a modern microservices architecture and open-source Rust code, minimizing the attack surface. Unlike legacy protocols, which are inherently complex, WireGuard is lean and auditable. Read about the fundamental limitations of the SSL VPN protocol.
Can I use Defguard client to connect to my existing FortiGate SSL VPN?
No. Defguard is not a "Direct Fortinet Replacement" client wrapper like OpenFortiVPN. We replace the entire legacy VPN stack. Defguard is a Protocol-Based Solution that requires installing a secure Gateway (Server) to handle traffic using the modern WireGuard® protocol instead of slow SSL VPN tunnels.
How is Defguard different from OpenVPN or raw WireGuard®?
Defguard belongs to the Protocol-Based Solutions category (like OpenVPN Access Server) but offers a modern architecture. While OpenVPN is legacy software and raw WireGuard lacks management features, Defguard provides a complete VPN Platform. It combines WireGuard performance with an Enterprise Management UI, MFA/2FA, and SSO — everything included in a self-hosted setup.
Do I need a separate license for endpoint and device management like FortiClient EMS?
No. Unlike Fortinet's fragmented model (Gateway + EMS), Defguard is a single, cohesive platform. Identity management, policy enforcement, and device provisioning are integrated directly into the system, not sold as an add-on. You get a unified control plane for both network access and fleet management — eliminating the need to deploy or license a separate EMS server.
Can I replace Fortinet's VPN solution without replacing my FortiGate firewall?
Yes. You can keep your existing FortiGate firewall for perimeter security and simply offload the VPN traffic to Defguard. Deploying Defguard alongside your current firewall (as a "sidecar") is the fastest way to upgrade your remote access performance without disrupting your core network infrastructure. Read our step-by-step guide on how to migrate from SSL VPN to WireGuard.
Does Defguard provide Zero Trust (ZTNA) and SSO integration?
Defguard enables a self-hosted ZTNA architecture by enforcing "Identity-First" access. We natively integrate with any OIDC Provider, including Microsoft Entra ID (Azure AD), Okta, and Google Workspace. Unlike legacy VPNs that trust IP addresses, Defguard verifies user identity and MFA status before allowing access. This delivers robust Zero Trust security out of the box — eliminating the need for expensive components like FortiAuthenticator.