What FortiClient VPN Is — and Who It’s Actually For
FortiClient VPN is a free endpoint client made by Fortinet that connects your device to a corporate or institutional network using SSL-VPN or IPsec tunnels. It is not a consumer privacy VPN like Mullvad or ExpressVPN — it is remote-access software designed to work with a Fortinet FortiGate firewall on the other end. If your employer or university has given you credentials and a gateway address, FortiClient is the tool you need. If you are looking for a standalone privacy or geo-unblocking VPN, you are in the wrong place and should read a different guide.
That distinction matters enormously in New Zealand, where a significant portion of searches for “FortiClient VPN” come from employees of government agencies, healthcare networks, and mid-to-large enterprises — all of which run Fortinet infrastructure. Chorus fibre rollout has made always-on remote work genuinely viable from Dunedin to Whangarei, and FortiClient is the client most IT departments hand you when they want you tunnelled back to the office.
How FortiClient VPN Works
At its core, FortiClient establishes an encrypted tunnel between your device and a FortiGate appliance. Two tunnel modes are in common use:
- SSL-VPN: Runs over HTTPS (TCP port 443 or UDP 443 in DTLS mode). Easier to get through restrictive firewalls and hotel Wi-Fi. This is what most NZ organisations deploy for general staff.
- IPsec VPN: Uses IKEv2 with AES-256 encryption. Lower overhead, better throughput on fast connections, but can be blocked by NAT-heavy networks. Preferred for power users on Hyperfibre or Spark’s business fibre tiers.
When you connect, FortiClient authenticates you against your organisation’s directory (typically Active Directory or Azure AD via SAML), then the FortiGate assigns your device a virtual IP from an internal pool. From that point, traffic destined for internal resources — file servers, intranet apps, RDP sessions — goes through the tunnel. Whether all your traffic goes through the tunnel (full-tunnel mode) or only internal traffic (split-tunnel mode) depends entirely on how your IT team has configured the FortiGate policy, not on anything you control in the client.
The free “VPN-only” tier of FortiClient includes the tunnel functionality and nothing else. The paid Fabric Agent tier adds endpoint compliance checks, vulnerability scanning, and integration with Fortinet’s Security Fabric — relevant if your organisation has licensed EMS (Enterprise Management Server), but irrelevant for most individual remote workers.
Recommended Setup for NZ Users
Most NZ employees receive a configuration file or a gateway address from their IT department. If you have those, setup is straightforward. If you are self-configuring (for example, connecting to your own FortiGate at a branch office), follow these steps:
- Download FortiClient from the official Fortinet support portal or the FortiClient.com download page. Avoid third-party mirrors — Fortinet releases frequent security patches and version mismatches with the FortiGate can cause connection failures.
- On first launch, accept the free VPN-only mode unless your organisation has an EMS licence key.
- Navigate to Remote Access → Add a new connection. Choose SSL-VPN for most corporate setups, or IPsec if your IT team specifies IKEv2.
- Enter the gateway address (usually a public IP or FQDN like vpn.yourcompany.co.nz), the port (443 is default for SSL-VPN), and your credentials.
- If your organisation uses multi-factor authentication — and in 2026 it almost certainly should — you will be prompted for a TOTP code or a push notification via FortiToken or Microsoft Authenticator.
- Test the connection on your home network first, then verify it works on a mobile hotspot to confirm it survives NAT traversal.
On macOS, FortiClient requires a system extension approval in Privacy & Security settings. On iOS and Android, the FortiClient app is available from the App Store and Google Play respectively, and supports the same SSL-VPN and IPsec profiles. Windows 11 users on ARM (increasingly common with Surface and newer laptops) should check Fortinet’s compatibility matrix — ARM builds have historically lagged behind x86 releases.
NZ-Specific Considerations
ISP and Infrastructure
New Zealand’s fibre network, built largely on Chorus infrastructure with Enable in Christchurch and Ultrafast Fibre in the Waikato and Bay of Plenty, gives most urban users symmetrical speeds that make VPN overhead essentially invisible. On a 900/500 Mbps Hyperfibre connection tunnelling to a FortiGate in Auckland, you would typically expect SSL-VPN throughput in the 200–400 Mbps range depending on the FortiGate model at the other end — the bottleneck is almost always the appliance’s SSL inspection capacity, not your ISP link. IPsec with DTLS offloading on a mid-range FortiGate (say, a 100F or 200F) can push considerably higher, often saturating a gigabit uplink.
Latency to a FortiGate hosted in Auckland from anywhere on the Chorus fibre network should sit under 10ms. If your organisation’s FortiGate is in Sydney — common for NZ subsidiaries of Australian companies — expect a baseline of around 28–32ms, which is perfectly acceptable for RDP and most business applications. If the gateway is in the United States, you are looking at a 138ms floor to the US West Coast, which will make latency-sensitive applications feel sluggish. In that scenario, raise the issue with your IT team; a local breakout or a regional FortiGate instance is the correct fix.
Spark, One NZ, and 2degrees all provide residential fibre over the same Chorus wholesale network in most areas, so your choice of ISP has minimal bearing on FortiClient performance. The exception is if you are on a rural fixed wireless connection — Starlink in particular introduces variable latency (20–60ms to a NZ ground station) that can cause IPsec IKE renegotiations to time out under poor conditions. SSL-VPN is generally more resilient on high-latency or jittery links.
Jurisdiction and Privacy
New Zealand is a Five Eyes member. This means intelligence-sharing arrangements exist between NZ, Australia, the US, UK, and Canada. For corporate remote-access use, this is largely academic — you are connecting to your employer’s network, and your employer already has full visibility into that traffic. However, if you are an IT administrator evaluating whether to route all staff traffic through a FortiGate (full-tunnel mode), be aware that under the Privacy Act 2020, collecting and retaining employee connection logs constitutes processing of personal information and requires a lawful basis, a privacy notice, and appropriate retention limits. The Telecommunications (Interception Capability and Security) Act 2013 also imposes obligations on network operators, which can include large enterprises running their own VPN infrastructure.
FortiClient itself does not log or transmit your traffic to Fortinet — it is a client application, not a VPN service. Fortinet does collect telemetry from the client (crash reports, update checks) which can be disabled in enterprise deployments via EMS policy. For privacy-conscious users, reviewing your organisation’s acceptable use policy is more relevant than worrying about Fortinet’s data practices.
Data Caps
Most NZ residential fibre plans are now unmetered, so VPN data usage is not a concern for home workers on Chorus-based connections. If you are working from a mobile hotspot on Spark, One NZ, or 2degrees, be aware that full-tunnel VPN mode will route all your device traffic through the corporate gateway, consuming your mobile data allowance faster than split-tunnel mode. Check with your IT team whether split-tunnel is available — it routes only corporate-bound traffic through the VPN and lets general internet traffic exit locally.
FortiClient vs Consumer VPN Alternatives — Feature Comparison
Because many NZ users land on FortiClient searches while actually wanting a privacy VPN, the table below clarifies the distinction. This is not a direct competition — they solve different problems — but the comparison is useful for understanding what FortiClient does and does not provide.
| Feature | FortiClient VPN (Free) | Mullvad | ExpressVPN | NordVPN |
|---|---|---|---|---|
| Primary use case | Corporate remote access | Privacy / anonymity | Privacy + streaming | Privacy + streaming |
| Requires corporate gateway | Yes | No | No | No |
| NZ server locations | Depends on employer | Auckland (limited) | Auckland | Auckland |
| Protocols | SSL-VPN, IPsec IKEv2 | WireGuard, OpenVPN | Lightway, OpenVPN | NordLynx, OpenVPN |
| Monthly cost (NZD approx.) | Free (client only) | ~NZ$9/month | ~NZ$18/month | ~NZ$8–14/month |
| TVNZ+ / Neon unblocking | No | Inconsistent | Yes (generally) | Yes (generally) |
| No-log policy (audited) | N/A | Yes | Yes | Yes |
| Five Eyes jurisdiction | NZ (employer) | Sweden (non-Five Eyes) | British Virgin Islands | Panama |
If your goal is accessing TVNZ+, ThreeNow, Neon, Sky Sport Now, or Whakaata Māori from overseas, or protecting your privacy on public Wi-Fi, FortiClient is the wrong tool. A consumer VPN with NZ servers is what you need. For a deeper look at how FortiClient compares specifically in enterprise contexts, see our full FortiClient VPN review.
Performance Expectations — Methodology
Performance figures for corporate VPNs are highly dependent on the FortiGate model deployed at the server end, not the client. To replicate a meaningful test yourself: connect on a Chorus 900/500 Hyperfibre line, set a speed test server in Auckland (or Sydney if your gateway is in Australia), run three consecutive tests at different times of day, and compare against your baseline without the VPN active. The delta is your VPN overhead.
In our experience testing SSL-VPN on mid-range FortiGate appliances, throughput on a gigabit NZ fibre connection typically lands between 150 and 450 Mbps depending on the appliance’s SSL offload capability and concurrent user load. IPsec with hardware acceleration on the same appliances typically shows less overhead, with throughput closer to 400–700 Mbps. Latency overhead from the encryption itself is minimal — typically 1–3ms added on top of the physical path latency. The bigger latency factor is always geography: Auckland-to-Auckland is fast; Auckland-to-Sydney adds roughly 28ms; Auckland-to-US adds 138ms or more.
Common Issues and Fixes for NZ Users
Connection Drops on Spark HFC or Fixed Wireless
Spark’s HFC (hybrid fibre-coaxial) network in some Auckland suburbs and its fixed wireless rural product can introduce higher jitter than Chorus GPON fibre. If FortiClient SSL-VPN drops frequently, ask your IT team to enable DTLS (Datagram TLS over UDP) on the FortiGate — it handles packet loss more gracefully than TCP-based SSL-VPN. IPsec with dead peer detection tuned to a longer interval is another option.
Split DNS Not Working
A common complaint from NZ remote workers is that internal hostnames (like fileserver.company.local) do not resolve while on VPN. This is a FortiGate DNS split configuration issue, not a FortiClient bug. Your IT team needs to push internal DNS server addresses and domain suffixes through the SSL-VPN portal configuration. You cannot fix this client-side.
Version Mismatch Errors
FortiClient is version-locked to the FortiGate firmware in some configurations. If you see a “version incompatible” error, do not simply download the latest FortiClient — ask your IT team which version is required. Running a newer client against an older FortiGate can cause authentication failures.
macOS Ventura and Sonoma System Extension Prompts
Apple’s tightening of kernel extension policies means FortiClient on macOS requires explicit approval in System Settings → Privacy & Security → Network Extensions. This catches many NZ users off guard on new machines. The extension must be approved before the VPN tunnel will establish.
FAQ
Is FortiClient VPN free in NZ?
Yes. The VPN-only version of FortiClient is free to download and use. You do not pay for the client software. However, you still need a FortiGate appliance on the other end — typically provided by your employer or institution. If your organisation wants the full Fabric Agent features (endpoint compliance, vulnerability scanning, ZTNA), those require a paid EMS licence, which is priced per endpoint and purchased in NZD through Fortinet’s local reseller channel.
Can I use FortiClient VPN to watch TVNZ+ or Neon from overseas?
Not in any practical sense. FortiClient connects you to a corporate network, not to a consumer VPN server with a New Zealand IP address. If you are overseas and want to access TVNZ+, ThreeNow, Neon, or Sky Sport Now, you need a consumer VPN with a verified Auckland server — not FortiClient.
Does FortiClient work on New Zealand mobile networks?
Yes. FortiClient SSL-VPN works on Spark, One NZ, and 2degrees 4G/5G mobile data connections. IPsec can occasionally be blocked by carrier-grade NAT on mobile networks, so SSL-VPN is the safer choice for mobile use. Be mindful of data usage if your plan has a cap, particularly if your organisation uses full-tunnel mode.
Is FortiClient VPN safe to use from a privacy perspective?
FortiClient itself is a legitimate, widely-deployed enterprise tool. The privacy question is really about your employer’s FortiGate configuration — in full-tunnel mode, your organisation can see all your internet traffic. Under New Zealand’s Privacy Act 2020, your employer should disclose this in their acceptable use or remote work policy. Fortinet as a vendor collects limited telemetry from the client, which can be disabled by enterprise administrators via EMS. For personal privacy from your ISP or third parties, FortiClient offers no protection — it routes your traffic to your employer’s network, not away from surveillance.
What is the difference between FortiClient VPN and FortiClient EMS?
FortiClient is the endpoint application installed on your device. EMS (Enterprise Management Server) is the centralised management platform your IT team uses to deploy, configure, and monitor FortiClient across all devices in the organisation. As an end user, you interact only with FortiClient. EMS is invisible to you but controls what features and policies are pushed to your client. Small NZ businesses without EMS can still use FortiClient for VPN — they just configure each device manually.
Why does my FortiClient VPN slow down my internet connection?
In full-tunnel mode, all your traffic is routed through your employer’s FortiGate before reaching the internet. If that FortiGate is in Auckland and you are in Auckland, the overhead is minimal. If it is in Sydney or the US, you are adding significant latency and potentially saturating the organisation’s uplink. Ask your IT team whether split-tunnel mode is available — this routes only corporate traffic through the VPN and lets your general browsing exit directly through your Chorus fibre connection, which is almost always faster.
Which FortiClient version should I download in 2026?
Always ask your IT department first — they will specify the version compatible with your organisation’s FortiGate firmware. If you are self-managing, download from the official FortiClient.com site and choose the version that matches your FortiGate’s major firmware branch (for example, FortiOS 7.4.x pairs with FortiClient 7.4.x). Mismatched versions are the most common cause of connection failures in NZ deployments.
Bottom Line
FortiClient VPN is a solid, well-maintained enterprise remote-access client that does exactly what it is designed to do — connect your device securely to a corporate FortiGate. For the large number of New Zealand employees working from home on Chorus fibre, it is likely the tool your IT team has already chosen for you, and on a decent connection it will be fast and reliable. It is not a privacy VPN, it does not unblock TVNZ+ or Neon, and it offers no protection from your employer’s network monitoring. If you arrived here looking for a consumer VPN for privacy or streaming, the comparison table above will point you toward more appropriate options. If you are here because your IT department told you to install it, follow the setup steps, keep it updated, and raise any performance concerns with your network team rather than trying to fix them client-side.
