FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
jhussain_FTNT
Article Id 388682
Description

This article describes how to activate FortiToken Mobile in an Air Gap network.

Scope

FortiAuthenticator v6.6.1 and later.
Solution

From FortiAuthenticator v6.6.1 onward, FortiAuthenticator can provision mobile tokens to users while neither the FortiAuthenticator nor the FortiToken Mobile application is connected to the FortiToken Mobile servers.


FortiToken Mobile must still be registered to the FortiAuthenticator while the device has a one-time online connection to FortiGuard, as shown in the document Registering and provisioning FortiToken Mobile tokens. An air-gapped FortiAuthenticator cannot register FortiToken Mobile or download the FortiToken serial numbers.


Once registration is complete, the FortiAuthenticator can be cut off from internet access and offline FortiToken Mobile provisioning can be configured.


Offline Provisioning:

See the document FortiToken Mobile: Offline token activation.


FortiToken Mobile can be assigned by changing the Provision mode to Offline:


(Screenshot: Provision Mode setting)


Once the FortiToken Mobile is assigned to a user, the following activation page will be presented in the FortiAuthenticator GUI:


(Screenshot: FTM Offline Activation page)


Limitation:

When the FortiToken Mobile provision mode is Offline, FortiAuthenticator generates the token seed itself at provisioning time. The QR code and the activation code each embed this dynamically generated seed, along with other information, so whoever holds either one effectively holds the token. If the code is copied, delete it after use or store it in a protected location, and do not send it to users by e-mail or SMS. If the code is compromised, re-provision the token.


This limitation applies only to offline FortiToken Mobile provisioning, not to the default online provisioning method that uses the FortiToken Mobile servers.
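As an added illustration (not part of the Fortinet article, and not FortiToken Mobile's own activation-code format), the Python below shows why a provisioning payload that embeds the seed has to be handled as the credential itself: a standard RFC 6238 TOTP implementation run over an otpauth:// URI of the kind a generic authenticator app scans from a QR code. The URI, the account label and the seed inside it (the RFC 6238 Appendix B reference seed) are constructed sample values; the verify and re-provision helpers are assumptions about how a server side would behave, not FortiAuthenticator internals.

```python
"""Added example: what a seed-bearing activation payload gives its holder.

Not the FortiToken Mobile format. The otpauth:// URI below is a constructed
sample carrying the RFC 6238 reference seed ("12345678901234567890").
"""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import parse_qs, urlparse

# Constructed sample QR payload (otpauth key-URI convention, base32 seed).
SAMPLE_QR_PAYLOAD = (
    "otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    "&issuer=Example&digits=6&period=30"
)


def seed_from_qr_payload(payload: str) -> bytes:
    """Extract the shared seed from an otpauth://totp URI.

    Nothing protects the seed beyond possession of the payload: anyone who
    can read the QR code or activation string can compute every future code.
    """
    url = urlparse(payload)
    if url.scheme != "otpauth" or url.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret = parse_qs(url.query)["secret"][0].upper()
    secret += "=" * (-len(secret) % 8)  # restore base32 padding if stripped
    return base64.b32decode(secret)


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, unix_time // period, digits)


def verify_totp(seed: bytes, code: str, unix_time: int,
                period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Hypothetical server-side check tolerating +/- `window` steps of drift."""
    if not (isinstance(code, str) and code.isdigit() and len(code) == digits):
        return False
    step = unix_time // period
    for delta in range(-window, window + 1):
        if step + delta < 0:
            continue
        if hmac.compare_digest(hotp(seed, step + delta, digits), code):
            return True
    return False


def reprovision() -> bytes:
    """Issue a fresh random 160-bit seed.

    Mirrors the article's advice: once a payload is compromised, only a new
    seed makes codes derived from the leaked one stop validating.
    """
    return secrets.token_bytes(20)


if __name__ == "__main__":
    seed = seed_from_qr_payload(SAMPLE_QR_PAYLOAD)
    # RFC 6238 Appendix B vector: at T=59 the 8-digit code is 94287082,
    # so the 6-digit code is 287082.
    print("code at T=59:", totp(seed, 59))
    print("verifies:", verify_totp(seed, totp(seed, 59), 59))
    print("new seed differs:", reprovision() != seed)
```

The point for a defender is in `seed_from_qr_payload`: the activation artifact is not a pointer to a secret held elsewhere, it is the secret. That is why the article says to delete or lock away any copy and to avoid e-mail or SMS, and why re-provisioning (a new seed) rather than any other clean-up is the remedy for a leak.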


Hardware FortiToken in Air Gap networks:

If FortiAuthenticator is not permitted to access the internet at all, even for a one-time FortiToken Mobile registration, only hardware FortiToken import is supported.

To obtain the seed file for hardware FortiTokens, follow the process outlined in Technical Tip: Process for requesting token seed files for hardware FortiTokens.


To upload the seed file to FortiAuthenticator, go to User Management -> FortiTokens -> Import FortiTokens, select the seed file, upload it, and save.




Related article:

Technical Tip: Understanding the FortiToken provisioning process