FortiToken push not working from wifi behind fortigate

Question by Seferian1 (New Member), November 30, 2021
2 replies, 3498 views
Hi all,

I'm running into a small issue regarding FortiToken FTM push. It's working like a charm for the remote workers that log in from home. However, when they are behind one of our department FortiGates the push does not work. It gives a message "Blocked, too many attempts. Please try again after a few minutes."

Putting the mobile phone on 4G/5G, the push works again. So it seems to be an issue with routing.

The department FG has an IPsec tunnel towards the main FG (the one having FTM enabled).

Does anyone have experience with this issue? Or a solution for my problem?

    Markus_M
    Staff & Editor
    November 30, 2021

    Hi Seferian1,

    The section

    config system ftm-push

    contains the server address, which is your FortiGate.

    This address is the address that an "Approve" or "Deny" will be sent to when you press this on the phone.

    Remember, this is 2FA, so the push is a request to answer a second factor. This answer must be sent to the same node that sent the request.

    More details here:

    https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiToken-mobile-push-notification/ta-p/195578

    This is certainly a routing issue, meaning that your client cannot contact your main FortiGate's public IP from the internal network behind the tunnel.

    Best regards,

    Markus

    Seferian1 (Author)
    New Member
    November 30, 2021

    Hi Markus,

    Thanks for your reply. I've read the article; however, this does not provide me with the solution to the problem.

    In the past I've had a somewhat similar issue regarding log files being sent to the FortiAnalyzer. The solution there was to set the interface that is used to send the logs over. I'm hoping there is a similar setting when it comes to sending the FTM answer to the main FortiGate.

    Regards, Sef

    xsilver_FTNT
    Staff
    November 30, 2021

    Hi,

    config system ftm-push .. defines where the FGT is going to listen. If it is behind another firewall/NAT, then this address has to be the 'outer' address to which clients can connect. Simply because this address is propagated inside the notification sent to the mobile device as the target for the response.

    The second important part is 'allowaccess ftm' set on the port where you expect to receive responses. Simply because that triggers the 'listener' for those PUSH responses, and without it the FGT will simply discard that traffic.

    If you have those two simple things set up properly + some sane routing for outgoing messages, then it should work OK.
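The two settings named in the reply above, written out as an added FortiOS CLI example that is not part of the thread or of Fortinet's own documentation; PUBLIC_IP and the interface name "wan1" are placeholders, and the other allowaccess services listed are assumed.

```fortios
# Added example (not from the thread). PUBLIC_IP is a placeholder for the
# main FortiGate's outer address, the one the phone must be able to reach
# from behind the department FortiGate and the IPsec tunnel. This address
# is carried inside the push notification as the target for Approve/Deny.
config system ftm-push
    set server-ip PUBLIC_IP
    set server-port 4433
    set status enable
end

# Enable the FTM push listener on the interface where the responses arrive.
# Without "ftm" in allowaccess the FortiGate discards the reply traffic.
config system interface
    edit "wan1"
        set allowaccess ping https ssh ftm
    next
end
```

If the phone's reply reaches the FortiGate on a different interface than the one with 'allowaccess ftm' (for example via the tunnel instead of the WAN), the response is still dropped, so check the return path as well as the listener.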