shaheryar_akhter
New Member
October 3, 2019
Question

FortiGate does not send Two-Factor activation code

  • October 3, 2019
  • 3 replies
  • 54534 views

Hi,

Our FortiGate appliance is configured to send email alerts, which are being received for all the desired events. However, when using FortiToken, we do not get our activation code via email, while the firewall shows that the email has been sent successfully.

Is there a way to track outgoing email from our FortiGate appliance?

Version: 6.0

    3 replies

    Alivo__FTNT
    Staff
    October 7, 2019

    Hi, for debugging you can use the following:

    diag debug reset
    diag debug enable
    diag debug console timestamp enable
    diag debug application alertmail -1

    Send the activation mail, then disable debug by:

    diag debug disable
    diag debug reset

    Best Regards,

    Alivo

    davepartridge
    New Member
    July 22, 2021

    Useful command line info but where do you find the debug information? I have the same issue when trying to send either email or SMS for a 2FA verification code.

    abeauchamp
    New Member
    October 7, 2021

    davepartridge wrote:

    Useful command line info but where do you find the debug information? I have the same issue when trying to send either email or SMS for a 2FA verification code.

    Leave the CLI open. The output displays to the console. (Just minimize it while you send the test/activation email, or connect with a third-party SSH client like PuTTY so you can do both and not lose your console output.)

    SJFriedl
    New Member
    March 18, 2022

    Late to this game, but I ran into this tonight.

    When Fortinet sends the email with the activation code, it sends it from the user who is also the recipient, and there are plenty of email systems - including mine and that of my customer - that reject emails *from* a user who is part of the receiving domain but not properly authenticated to that domain.

    I figured this out tonight with an outstanding Fortinet tech (hi Jai!) while watching my mailserver logs, and this is clearly a bug that is unaware of anti-spam countermeasures in the last 10 years.

    I'm about to open a defect ticket.

    AbeyMarquez
    Visitor III
    May 11, 2022

    @SJFriedl You are absolutely right! I just checked my email headers and it is indeed sending it from FortiGuard servers as myself! This is unbelievable! Anyone with SPF set up correctly will fail this email. It goes to show how inept the ones who wrote this routine were about email security when they wrote it, and that nobody has cared enough to fix it, as you well put it, "in the last 10 years" or more.

    I'm gonna follow suit and open a ticket as well.

    EDIT: Wait, it seems to be more complicated than it first appeared. The activation code email actually originated from the firewall, not from the FortiGuard servers. So technically, it is originating from inside your network and SPF should be OK. However, at some point the notifications.fortinet.net server takes over the message as if it had sent it itself, and the next hop does indeed complain about an SPF error.
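
To make the two posts above concrete, here is an added example (not code from any poster or from Fortinet) that evaluates a minimal SPF policy offline against constructed records. The domain example.com, its address range and the relay's address range are placeholders made up for the demo; notifications.fortinet.net is only the host name the thread mentions, and its real SPF record would have to be looked up in DNS.

```python
import ipaddress

# Constructed SPF records (placeholders, not real DNS data): example.com stands
# for the recipient's own domain; the relay host is the one named in the thread,
# but its address range here is invented for the demo.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 -all",
    "notifications.fortinet.net": "v=spf1 ip4:198.51.100.0/24 -all",
}
# Same policy, but with the relay explicitly authorised via include:.
AUTHORISED_RECORDS = {**SPF_RECORDS, "example.com":
    "v=spf1 ip4:203.0.113.0/24 include:notifications.fortinet.net -all"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, records=SPF_RECORDS, depth=0):
    """Minimal SPF evaluator: ip4, include and all only (RFC 7208 subset)."""
    if depth > 10:                       # RFC 7208 caps lookup terms at 10
        return "permerror"
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = check_spf(term[8:], client_ip, records, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                     # mechanisms outside this demo are skipped
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                     # record exhausted without a match


def activation_mail_verdicts():
    """MAIL FROM user@example.com: delivered by the firewall itself (inside the
    allowed range), then by the relay, with and without the relay authorised."""
    return {
        "from_firewall": check_spf("example.com", "203.0.113.5"),
        "via_relay": check_spf("example.com", "198.51.100.10"),
        "via_relay_authorised": check_spf(
            "example.com", "198.51.100.10", AUTHORISED_RECORDS),
    }
```

A real check replaces the dict with a TXT lookup for the envelope sender's domain; the point is that the verdict depends on which host actually connected to the receiving MTA, not on the From: address.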

    fstinfra
    Explorer
    May 11, 2022

    Hello Everyone, I've recently been having the same problem on our FortiGate appliances; for this example I'm using a 100E and a 40F.

    While using the FortiGate default mail servers, I always got an error 500 that is similar to what SJFriedl explained above, and if I use any external mail service the messages are never sent.

    What I have tried so far, on both:

    - Using the default FortiGate mail service, removing and re-adding the token to the user, sending it through the token add process or by right-clicking on the user to resend it

    - Using a different email service, all validated locally with swaks to send mail using all three security methods, none (25), smtps (465) and starttls (25), also with authentication when available

    - Creating a firewall rule from all gateway IPs (the appliance address on each interface) to have full access to the mail server on any port (but I don't know if it's needed; I couldn't find any info that a specific rule would be needed to allow the firewall itself to send emails)

    - Using a public email server instead of our main one to validate whether it was a local problem; it works fine with all simulations using swaks but gives the same results on the firewall.

    For now it's a big blocker here, since we have used the 2FA for quite some time and only noticed when someone from our team changed his phone and needed the token info to be sent again, which was not possible. Also the 40F is a brand new box with the latest firmware, which will validate whether we have any issues on our other box that is not on the latest version.

    Is there any way to fix this, or even get the tokens manually from the firewall to set up the 2FA for the users?

    pminarik
    Staff
    May 12, 2022

    The activation code is visible in the System Event log, and also in the CLI: show user local <username>. The user can manually enter the activation code in their FortiToken mobile app to activate the token. (Note that activation codes are by default valid for three days only.)

    As for troubleshooting the issue itself: You have clearly done plenty of testing already, and I doubt that forum chatter would be of much help to you. I would recommend opening a support case with the TAC to help you troubleshoot the issue more directly.