FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
dbu
Staff
Article Id 267531
Description This article describes how to disable token push notifications in FortiAuthenticator and how to block the push notification connection on FortiGate.
Scope FortiAuthenticator and FortiGate.
Solution

FortiAuthenticator:


Push notifications can be disabled in the RADIUS policy in FortiAuthenticator under Authentication factors -> Advanced options -> Allow FortiToken Mobile push notifications. Note that this only affects regular RADIUS users. Administrative authentication will still support push notifications.


FortiGate:

The push notification uses a connection from FortiAuthenticator to a proxy server, 'push.fortinet.com'.


To disable the connection to the proxy server, create an address object in FortiGate for 'push.fortinet.com' and a policy that is set to block traffic to that address object.
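
The same address object and deny policy expressed in the FortiGate CLI, as an added example that is not part of the original article. The object and policy names, the interfaces 'port2' and 'port1', and the FortiAuthenticator address 192.0.2.10 are assumptions to be replaced with the values of the actual deployment.

```fortios
# Added example, not from the original article.
# Assumed values: object names, 192.0.2.10 (FortiAuthenticator),
# port2 (interface facing FortiAuthenticator), port1 (WAN interface).

config firewall address
    # Source object for the FortiAuthenticator host (assumed IP)
    edit "FAC-host"
        set subnet 192.0.2.10 255.255.255.255
    next
    # FQDN object for the push proxy named in the article
    edit "FAC-push-proxy"
        set type fqdn
        set fqdn "push.fortinet.com"
    next
end

config firewall policy
    # 'edit 0' lets FortiOS assign the next free policy ID
    edit 0
        set name "Deny-FAC-push"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "FAC-host"
        set dstaddr "FAC-push-proxy"
        set action deny
        set schedule "always"
        set service "ALL"
        # Log denied sessions so blocked push attempts are visible
        set logtraffic all
    next
end
```

The deny policy only takes effect if it sits above any policy that allows FortiAuthenticator outbound traffic, so move it up in the policy sequence if needed. An FQDN address object is resolved by the FortiGate itself, so the FortiGate needs working DNS for the block to match.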



An alternative way:

The push notifications can be completely disabled by adding an A-record for 'push.fortinet.com' to the DNS server that FortiAuthenticator uses. Set the IP address of that A-record to 0.0.0.0. That way, FortiAuthenticator will not even be able to start the TCP handshake through the firewall.