FortiOS 7.6.3 removed SSL VPN tunnel mode from every FortiGate model. No migration path, no backward compatibility. Existing configurations are deleted on upgrade. For the thousands of organisations running Fortinet infrastructure, this forced a decision point that goes beyond picking a new tunnel protocol.
Fortinet’s own answer is FortiSASE, a cloud-delivered extension of the FortiGate platform. It is a strong product with genuine enterprise capabilities and a recent Gartner Leader recognition. But strong for whom? FortiSASE was built to protect Fortinet’s installed base of 500,000+ FortiGate customers. The architecture, licensing, and management model reflect that heritage. For a 200-user European organisation with a five-person IT team, that heritage can become overhead.
This comparison breaks down ten criteria that matter when evaluating FortiSASE alongside Jimber, a Belgian SASE platform built specifically for the European mid-market. FortiSASE has real strengths, particularly for large enterprises deep in the Fortinet ecosystem. But for the mid-market organisations reading this, many of those strengths come bundled with complexity and cost that work against you.
How FortiSASE and Jimber differ in architecture
FortiSASE runs FortiOS virtual machines inside cloud points of presence. It is a cloud-extended version of the same operating system that powers FortiGate hardware. This gives existing FortiGate administrators a familiar policy language and consistent rule sets across on-premises and cloud environments.
The strength is interoperability. If you already run FortiGate firewalls, FortiSASE policies feel like home. The weakness is that you inherit FortiOS complexity in the cloud. Scaling is VM-based rather than container-based. Upgrades follow FortiOS release cycles. Multi-tenancy uses VDOM partitioning, the same model FortiGate has used for over two decades.
Jimber takes a different approach. The platform was built cloud-native from day one, with no on-premises hardware dependency. ZTNA runs on WireGuard tunnelling rather than HTTPS proxy. Policies are defined once in a single console and enforced across all users, devices, and sites. There is no secondary management server to purchase, no separate analytics platform, and no endpoint management console running alongside the core product.
For teams with deep Fortinet expertise and large existing FortiGate investments across dozens of sites, FortiSASE offers continuity. But continuity with a complex ecosystem is not the same as progress. Jimber removes the ecosystem dependency entirely: one platform, one console, one policy engine. For mid-market teams that need to move fast and operate lean, that architectural clean break is an advantage, not a compromise.
Quick comparison: FortiSASE vs Jimber at a glance
| Criterion | FortiSASE | Jimber |
|---|---|---|
| Architecture | FortiOS VMs in cloud PoPs | Cloud-native, single platform |
| ZTNA | HTTPS reverse proxy via FortiGate | WireGuard-based with stealth mode |
| SWG and FWaaS | FortiGuard AI/ML threat intelligence | Category-based filtering with browser isolation |
| SD-WAN | 5x Gartner Leader, mature | Integrated, cloud-managed |
| CASB and DLP | Inline and API-based CASB, DLP templates | Not included |
| OT/IoT device isolation | Requires FortiAP or FortiExtender (TCP only) | NIAC hardware, inline isolation |
| Browser isolation | Advanced tier add-on | Included in base platform |
| Management console | FortiSASE portal + FortiManager + FortiAnalyzer | Single console for all components |
| MSP multi-tenancy | Available, complex configuration | Built-in, partner-first design |
| Pricing model | Per-user + bandwidth tiers + add-ons | Per-user, no bandwidth surcharges |
| EU data sovereignty | US headquarters, CLOUD Act applies | Belgian company, full EU jurisdiction |
| Deployment time (reported) | 6-8+ months for full rollout | Pilot in weeks, full rollout in 1-2 quarters |
| Analyst recognition | Gartner SASE Leader 2025, SSE Challenger | No independent analyst coverage |
| Global PoP network | 170+ locations | Regional European focus |
| EDR/EPP | FortiClient included | Roadmap |
Pricing: what FortiSASE actually costs vs the headline number
FortiSASE licensing uses per-user subscriptions across three tiers: Standard, Advanced, and Comprehensive. UK Government Digital Marketplace pricing from 2024 shows base rates between roughly £78 and £304 per user per year, depending on the tier and volume band.
At face value, Standard tier pricing for a 200-user organisation works out to approximately £15,600 per year. Competitive with most SASE platforms. But the base subscription includes constraints that mid-market buyers often discover after signing.
Bandwidth is capped at 1.5 Mbps per user. Additional bandwidth blocks cost £867 per year per 25 Mbps. Standard and Advanced tiers are limited to four PoP locations selected during activation. Additional regions cost £8,673 per year for Fortinet Cloud or £26,019 for Public Cloud regions. Dedicated IP addresses, required for some compliance scenarios, start at £4,337 per year with a 500-user minimum.
Then there are the components outside the FortiSASE subscription. Secure Private Access, which enables ZTNA to applications behind your corporate network, requires a FortiGate acting as an SPA hub with a separate licence. FortiManager for unified policy management across FortiGate and FortiSASE is purchased separately. FortiAnalyzer for advanced logging and reporting is another line item.
For that same 200-user organisation, adding a second PoP region, bandwidth upgrades, the SPA hub licence, and FortiManager can push effective costs 50-80% above the headline per-user price. Gartner Peer Insights reviewers rate FortiSASE affordability anywhere from 3 to 9 out of 10, which tells you how variable the experience is depending on deployment scope.
Jimber uses flat per-user pricing with no bandwidth surcharges, no PoP location add-ons, and no separate management console licences. For a mid-market organisation working within a defined budget, the total cost is the quoted cost. That predictability extends to service partners: transparent pricing means predictable margins without renegotiating commercial terms for each customer engagement.
FortiSASE’s feature depth comes with a management tax
FortiSASE includes inline and API-based CASB for SaaS visibility and control. It has compliance-templated DLP for data loss prevention. Sandboxing via FortiGuard analyses unknown files in an isolated environment. FortiClient provides integrated EPP and EDR at the endpoint. IPS signatures, anti-malware scanning, DNS security filtering, and anti-spam all ship with the subscription. The Comprehensive tier adds Digital Experience Monitoring and SOC-as-a-Service integration.
That is an impressive feature list. On paper. In practice, each of those capabilities requires configuration, tuning, policy maintenance, and monitoring. CASB needs SaaS application mapping. DLP needs classification rules. Sandboxing needs exception handling. Every feature that ships unconfigured or poorly tuned creates a false sense of security and adds operational load to a team that is already stretched.
Jimber takes a deliberate approach: deliver the capabilities that mid-market teams will actually configure and use well. ZTNA, SWG, FWaaS, SD-WAN, device posture checks, and browser isolation cover the access control, web security, and connectivity needs that drive 90% of day-to-day security operations. For endpoint protection, most organisations already run a dedicated solution. For SaaS visibility, identity provider logs and SWG data cover the core use cases.
The result is a platform your team can operate at full capability from day one, rather than a platform where half the features sit untouched because nobody had three months to configure them.
Management complexity: one console vs three
This is where the architectural difference becomes an operational one.
A typical FortiSASE deployment for an organisation that needs both remote user protection and private application access involves the FortiSASE portal for cloud security policies, FortiGate for the SPA hub and on-premises enforcement, FortiClient EMS for endpoint posture management and ZTNA tagging, and optionally FortiManager and FortiAnalyzer for unified policy management and logging. Each component has its own interface, its own update cycle, and its own configuration model.
Fortinet administrators know this environment. They have certifications for it. But “knowing how to operate it” and “having the time to operate it well” are different things. PeerSpot reviewers report FortiSASE implementations taking 6-8 months or more. G2 reviewers cite steep learning curves and difficult setup among the top negatives.
Jimber operates from a single cloud-managed console. Policies for ZTNA, SWG, FWaaS, and SD-WAN are defined in one place. Device posture checks, user management, logging, and monitoring all live in the same interface. There is no separate EMS server to maintain, no per-application proxy definitions to configure, and no FortiClient agent dependency for basic access.
For MSPs managing multiple customer environments, this difference compounds. Jimber’s multi-tenant architecture lets service partners manage dozens of tenants from one interface using consistent templates. FortiSASE multi-tenancy is available but requires more complex configuration, and partner-facing operational tooling is less mature. When your service partner spends less time wrestling with console sprawl, you get faster support and lower managed service costs.
OT and agentless device coverage
Printers, IoT sensors, cameras, PLCs, HMIs, and industrial controllers cannot run endpoint agents. In a FortiGate environment, these devices typically sit on a VLAN with firewall rules controlling traffic. That provides some isolation, but it is network segmentation, not Zero Trust.
FortiSASE addresses agentless devices through FortiAP wireless access points and FortiExtender cellular gateways, managed through a separate workflow from the core FortiSASE portal. A known limitation is that FortiSASE agentless support handles TCP traffic only, with no UDP support. For industrial protocols that rely on UDP, this is a gap.
Jimber provides NIAC (Network Isolation Access Controller) hardware, a purpose-built appliance that sits inline between unmanaged devices and the network. NIAC enforces per-device policies from the same single console that manages everything else. It handles both TCP and UDP traffic. For production environments where a PLC communicates over Modbus (which uses TCP) or a BMS system uses BACnet (which uses UDP), the same isolation approach covers both.
This is one of Jimber’s strongest differentiators. Organisations with mixed IT and OT environments, manufacturing floors, logistics operations, healthcare facilities with connected medical devices, can bring agentless assets under Zero Trust controls without purchasing and managing separate hardware through a separate management interface.
Fortinet’s vulnerability track record and what it means for trust
This section is not about scoring points. It is about a pattern that affects risk calculations.
Fortinet products have accumulated 24 entries on CISA’s Known Exploited Vulnerabilities catalogue since late 2021. Thirteen of those are confirmed used in ransomware campaigns. One-third of the total came from 2025 alone.
Key incidents in the 2024-2026 window include a FortiManager zero-day (CVSS 9.8) that enabled mass exploitation of at least 50 organisations, an authentication bypass in FortiOS exploited in LockBit ransomware campaigns, a September 2024 data breach where 440 GB of internal Fortinet data was exfiltrated, 15,000 FortiGate configurations leaked on the dark web in January 2025, a symlink persistence technique that maintained attacker access across roughly 14,000 devices globally even after patching, and a January 2026 FortiCloud SSO authentication bypass (CVSS 9.8) that forced Fortinet to temporarily disable FortiCloud SSO for approximately 10,000 exposed instances.
Every vendor has vulnerabilities. But the frequency and severity of Fortinet-specific incidents, combined with the pattern of public-facing management interfaces being targeted, is relevant context for any SASE evaluation. A SASE platform is your security control plane. The attack surface of that control plane matters.
Jimber’s cloud-native architecture avoids the pattern that creates Fortinet’s exposure. There are no public-facing VPN gateways for attackers to target, no on-premises management interfaces accumulating CVEs, and no firmware patching race against active exploitation. Applications are hidden behind the ZTNA layer. The management console is cloud-delivered with automatic updates. For organisations that watched the Fortinet vulnerability cycle accelerate through 2024, 2025, and into 2026, that architectural difference is not theoretical. It is operational peace of mind.
European data sovereignty: legal jurisdiction matters
Fortinet is headquartered in Sunnyvale, California. Under the US CLOUD Act, American authorities can compel Fortinet to produce data regardless of where it is physically stored. In summer 2025, executives from major US technology companies testified before the French Senate that they could not guarantee European citizen data would remain inaccessible to US government requests.
FortiSASE Sovereign, launched in 2025, partially addresses this by enabling customer-controlled PoPs using FortiGate hardware. But orchestration and management layers still flow through Fortinet’s infrastructure, and the corporate entity remains subject to US jurisdiction.
This matters for NIS2 compliance. The directive requires supply chain security assessments of ICT providers. Article 21 mandates that organisations evaluate the security practices of their technology suppliers, including jurisdictional risks. An organisation using a US-headquartered SASE vendor needs to document why that jurisdictional exposure is acceptable, and what mitigations are in place.
Jimber is headquartered in Belgium. Data processing stays within EU borders. There is no US parent company, no CLOUD Act jurisdictional conflict, and no FISA Section 702 exposure. For compliance teams preparing NIS2 documentation, GDPR assessments, or DORA supply chain evaluations, choosing Jimber eliminates an entire category of regulatory risk that any US-headquartered vendor introduces by default.
The SSL VPN migration trigger and what comes next
The removal of SSL VPN tunnel mode from FortiOS 7.6.3 was the catalyst, but the underlying question is bigger: do you want a protocol upgrade or an architecture upgrade?
Fortinet’s immediate recommendation is IPsec VPN, configurable on TCP port 443 to mimic SSL VPN’s port flexibility. IPsec is a mature protocol with strong encryption. But community feedback highlights real friction. IPsec lacks flexible user grouping without FSSO. Split tunnel parameters require VPN reconnection to change. UDP ports 500 and 4500 may be blocked in hotels, airports, and corporate guest networks. And the fundamental architecture remains the same: network-level access through a public-facing gateway.
FortiSASE ZTNA is the more strategic Fortinet path. It provides application-level access through an HTTPS reverse proxy on the FortiGate, with identity and posture verification via FortiClient EMS. The security model is sound. The operational model requires three components working in concert, separate licences, and weeks of configuration.
Jimber offers a cleaner path. WireGuard-based ZTNA with a stealth mode that wraps traffic inside HTTPS for restrictive network environments. Application-level access without network-level tunnels. No public-facing gateway for attackers to target. Deployment measured in days for pilot groups, weeks for broader rollout. Yes, you leave the Fortinet ecosystem. But if that ecosystem is what created the migration problem in the first place, a clean break is a feature, not a compromise.
Analyst recognition vs real-world results
FortiSASE earned Gartner Magic Quadrant Leader status for SASE Platforms in July 2025, joining Palo Alto Networks, Netskope, and Cato Networks. That recognition matters in enterprise procurement cycles where analyst reports drive vendor shortlists. Fortinet ranked first in the Secure Branch Network Modernisation use case.
But analyst rankings evaluate vendors across all customer segments. A platform that scores well for 10,000-seat global enterprises does not automatically fit a 200-user organisation in Belgium. In the SSE-only Magic Quadrant, Fortinet remains a Challenger, not a Leader. In the Forrester Wave for SASE (Q3 2025), Fortinet placed as a Strong Performer, below Leaders Netskope, Palo Alto, and Zscaler. Independent reviews note that CASB and DLP capabilities feel less integrated than core SWG and SD-WAN functions.
Jimber does not appear in analyst reports. For mid-market organisations, that absence matters less than you might think. What matters is whether the platform solves your specific problem. The wealth management case study on jimber.io documents a 58% reduction in total security costs after migrating from a fragmented security stack. That is a real European mid-market organisation with a real result, not an analyst score based on feature checklists that include capabilities most mid-market teams never activate.
Choose FortiSASE if… Choose Jimber if…
FortiSASE fits a narrow set of conditions: your organisation runs FortiGate infrastructure across 20+ sites with dedicated Fortinet-certified engineers, you have hard procurement requirements for CASB, DLP, and sandboxing from a single vendor, and you can absorb a 6-8 month implementation timeline with the associated professional services cost.
Jimber fits the reality most European mid-market teams actually live in. Your IT team has three to ten people who manage everything from desktop support to network security. You need transparent pricing you can present to your CFO without caveats about bandwidth overages. You run printers, IoT devices, PLCs, or industrial equipment that need inline isolation from the same console that manages your users. European data sovereignty is a compliance requirement, not a nice-to-have. Your service partner needs multi-tenant management that works without a week of configuration per customer. And deployment speed matters because your team cannot afford to spend six months on a platform migration while the rest of the business waits.
If you recognise yourself in that second list, Jimber was built for you. Not adapted for you from an enterprise product, but built from day one around the constraints and priorities of European mid-market organisations.
Ready to see it in practice? Book a demo and we will walk through how Jimber replaces your current FortiGate-based remote access, web security, and site connectivity in one console.
FAQ
Is FortiSASE a separate product from FortiGate?
Yes. FortiSASE is a cloud-delivered subscription service running FortiOS virtual machines in cloud PoPs. It does not require FortiGate hardware for basic Secure Internet Access. However, Secure Private Access to internal applications requires a FortiGate as an SPA hub with a separate licence.
Can I keep my FortiGate and use Jimber alongside it?
Yes. Jimber deploys incrementally and runs independently of FortiGate infrastructure. You can migrate user groups and applications at your own pace while maintaining FortiGate for specific on-premises needs. No forced cutover is required.
How does FortiSASE pricing compare to Jimber for a 200-user organisation?
FortiSASE Standard tier for 200 users starts at approximately £15,600 per year. Adding a second PoP region, bandwidth upgrades, FortiManager, and an SPA hub licence can push effective costs 50-80% higher. Jimber uses flat per-user pricing without bandwidth surcharges or separate management console fees.
What about FortiSASE Sovereign for EU data residency?
FortiSASE Sovereign allows customer-controlled PoPs using FortiGate hardware, addressing data processing location. However, Fortinet as a US-headquartered entity remains subject to the CLOUD Act. Jimber, as a Belgian company, operates under EU jurisdiction with no CLOUD Act exposure.
Does Jimber match FortiSASE on threat intelligence?
No. Fortinet’s FortiGuard Labs draws from a large customer base for threat intelligence across IPS, anti-malware, sandboxing, and DNS security. Jimber takes a different approach: browser isolation prevents threats from reaching the endpoint in the first place, and category-based web filtering blocks known malicious destinations. For most mid-market threat scenarios, preventing execution is more practical than detecting it after the fact.
How do both platforms handle agentless IoT and OT devices?
FortiSASE supports agentless access for TCP traffic only, using FortiAP or FortiExtender hardware managed through separate workflows. Jimber uses NIAC hardware for inline device isolation covering both TCP and UDP traffic, managed from the same console as all other SASE components.
