Alpha7
New Member
February 16, 2018
Question

Fortitoken management from Fortimanager

Hi

One of my customers manages 4 pairs of FortiGate firewalls from FortiManager. They would like to introduce FortiToken for their remote VPN users. Each pair will have the same VPN users. For easy management, the customer wants to push the users from FortiManager and have the same policy package for all 4 pairs. The administrator can create a user in FortiManager and push it to all 4 pairs.
Question 1: If a user is created in FortiManager and a FortiToken is assigned to that user from FortiManager, I am seeing an error while installing the policy package to the firewalls, since the FortiToken bound to that user can be used on one pair only. Is that the correct behavior?
Question 2: If I create a user without a FortiToken assignment in FortiManager and push the user to all 4 pairs, then assign FortiTokens directly from the FortiGates, will it trigger a conflict in the FortiManager database, since the same user with four different tokens from the 4 FortiGate pairs will sync with the FortiManager database?
Thanks

    ergotherego
    New Member
    March 6, 2018

    What you are seeing is expected. When using tokens installed directly on FortiGates, they are locally significant.
    Your customer would need to:
    1) Use FortiClient EMS with remote user accounts. That way a single user can have a single token associated with them and use that token across any number of FortiGates.

    2) Use differently named user accounts, each with their own token (one for each firewall), and use unique policy packages on each firewall, referencing the unique users/groups accordingly.

    3) Not use FortiManager to manage those FortiGate firewalls.

    Alpha7 (Author)
    New Member
    March 6, 2018

    Hi

    Thanks for the reply. I thought EMS was for FortiClient management; I couldn't find user/FortiToken settings in EMS. We have decided to go with FortiAuthenticator for user management and FortiManager to manage the firewalls. So, the FortiGates will not hold any users. A single user with a token on FAC can be used by all firewalls for admin and VPN login.
    Thanks

    ergotherego
    New Member
    March 6, 2018

    Typo on my part. I did mean FortiAuthenticator for remote token management.