Technical Tip: How to assign FortiToken Mobile to users on FortiGate and FortiAuthenticator
Description
FortiGate ships with two free FortiToken Mobile tokens per unit, each with a unique serial number. These work much like purchased licenses with EFTMxxx numbers and have a real activation code.
Scope
- FortiOS.
- Import FortiToken.
- Activate FortiToken mobile.
- FortiToken Replacement.
Solution
- Go to User & Authentication -> FortiTokens. If the free FortiTokens are not listed, they can be imported by selecting 'Import Free Trial Tokens'.
If there is an activation code, create a new Hard Token or Mobile Token in the GUI:
- Locate the 20-digit code on the redemption certificate for the license: EFTMXXXXXXXX.
- Go to User & Device -> FortiTokens and select 'Create New'.
- Select 'Mobile Token' and enter the 20-digit certificate code in the Activation Code box.
- Select 'OK'.
The same steps can be followed on FortiAuthenticator, either by importing trial tokens or by adding a license file for a FortiToken Mobile or hardware token.
- Go to Authentication -> User Management -> FortiTokens -> Create New, select FortiToken Mobile, and either enable 'Get FortiToken Mobile free trial tokens' or use the activation code 0000-0000-0000-0000-0000.
Importing trial tokens in FortiAuthenticator
Importing trial tokens on FortiAuthenticator requires internet reachability to the FortiGuard servers.
From CLI on FortiGate:
execute fortitoken-mobile import 0000-0000-0000-0000-0000
- Assign and provision tokens to each user who needs to use two-factor authentication.
- Verify that FortiGate has a messaging service enabled. For FortiToken it is required to have at least one SMTP or SMS server gateway.
- Go to System -> Settings.
- Configure an SMTP server.

From CLI:
config system email-server
set server "notification.fortinet.net"
set port 465
set security smtps
end
Enable authentication if it is required by the server to send email messages.
If a security mode is selected, make sure the TLS tunnel can come up by importing the custom mail server's CA to the FortiGate's CA store.
Configure an SMS server for sending SMS messages to support user authentication.
config system sms-server
edit <name>
set mail-server {string}
next
end
- Add a user using the wizard, or edit an existing one.
- If a new user is added, add the email address associated with the user, or a phone number if an SMS server is configured.
- The 'Two-factor Authentication' checkbox must be enabled.
- Select the FortiToken mobile serial to assign to the user.
- If editing the FortiToken of an existing user, use the 'Send Activation Code' button next to the token field.
- If the SMTP or SMS server is configured correctly, the user will receive an activation code made of 16 alphanumeric characters.
- On the end-user side (Mobile):
- Open the FortiToken Mobile app on the smartphone.
- Select + to add a new token, and the following screen will appear to either 'Scan Barcode' or 'Enter Manually' (Both items of information are part of the activation email sent to the user).

- Open the user's email (the one to which the code was sent).
- Open the attached graphic in the email with the QR code and point the mobile device camera at the QR code. The QR code is only included in the email activation mode; it will not be available in SMS.
- Or select 'Enter Manually', choose the Fortinet account type, and enter the 16-character activation code contained in the email or SMS.
- After adding the token, its name can be edited.


Troubleshooting notes:
If the token selection is empty on the user profile:

Solution:
- Make sure the tokens are available.
- Make sure the FortiGate system email settings are in place.
FortiGates in FIPS-CC mode may have issues when activating FortiToken Mobile licenses while using the Anycast FortiGuard servers. Check for the following error in the FortiToken process debugs, and if present, then disable FortiGuard Anycast and retry FortiToken Mobile activation (see Technical Tip: FortiGuard is not reachable via Anycast default method).
diagnose debug console timestamp enable
diagnose fortitoken debug enable
diagnose debug enable
2025-09-02 12:09:41 ftm_cfg_import_license[353]:import license XXXXXXXXXXXXXX
2025-09-02 12:09:41 ftm_fc_comm_connect[49]:ftm TCPS conn failed: ssl_connect() failed: 5 (Success)
2025-09-02 12:09:41 ftm_fc_command[588]:forticare [globalftm.fortinet.net:443] unreachable
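The check described above can be run over a saved copy of the debug output. The following Python sketch is an added example, not Fortinet code: it assumes the line layout of the three debug lines quoted on this page (timestamp, function name, source line, message), and the function name `find_failed_activations` is hypothetical.

```python
import re

# Layout assumed from the debug lines on this page:
# "<date> <time> <function>[<line>]:<message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<func>\w+)\[(?P<src>\d+)\]:(?P<msg>.*)$"
)
UNREACHABLE_RE = re.compile(r"forticare \[(?P<host>[^\]:]+):(?P<port>\d+)\] unreachable")

# Sample input: one CLI command and the three debug lines quoted on this page.
SAMPLE = """\
diagnose debug enable
2025-09-02 12:09:41 ftm_cfg_import_license[353]:import license XXXXXXXXXXXXXX
2025-09-02 12:09:41 ftm_fc_comm_connect[49]:ftm TCPS conn failed: ssl_connect() failed: 5 (Success)
2025-09-02 12:09:41 ftm_fc_command[588]:forticare [globalftm.fortinet.net:443] unreachable
"""


def find_failed_activations(text):
    """Return one dict per license import that hit a TLS failure to FortiCare."""
    findings, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # CLI commands, blank lines, unrelated output
        func, msg = m["func"], m["msg"]
        if func == "ftm_cfg_import_license":
            # A new import attempt starts; track it until it resolves.
            current = {"started": m["ts"], "tls_failed": False, "host": None, "port": None}
        elif current is None:
            continue  # not inside an import attempt
        elif func == "ftm_fc_comm_connect" and "ssl_connect() failed" in msg:
            current["tls_failed"] = True
        elif func == "ftm_fc_command":
            u = UNREACHABLE_RE.search(msg)
            if u and current["tls_failed"]:
                current.update(host=u["host"], port=int(u["port"]))
                findings.append(current)
                current = None
    return findings


if __name__ == "__main__":
    for f in find_failed_activations(SAMPLE):
        print(f"{f['started']}: TLS to {f['host']}:{f['port']} failed during license "
              "import; check the FortiGuard Anycast setting")
```

A finding only means the error pattern from this section is present; the remediation remains the one stated above (disable FortiGuard Anycast and retry the activation).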