FortiGate
nsubramanian
Staff
Article Id 191695

Description

 

This article describes how to enable two-factor authentication (2FA) for admin users with method 2: FortiToken.

Available 2FA methods:

  1. SMS token: requires SMS credit, which is purchased separately (see the SMS Rate Card); check the remaining balance using the referenced guide.
  2. FortiToken hard token or FortiToken Mobile token (two free tokens are included with each standalone unit or cluster).
  3. Email token

 

Usage Awareness:

  1. Once 2FA is enabled, an admin user can no longer log in to the device if the OTP code is not received, the FortiToken is lost, or the mobile phone running the FortiToken app is reset.
  2. Fortinet cannot access the device or recover a lost code under any circumstance, regardless of the 2FA method used. Regaining access then requires a hard reset of the unit, so back up the device configuration frequently to a safe location.
  3. For the Email token, use an authenticated e-mail account for notifications to guarantee delivery. See Technical Tip: How to configure the alert-mail settings with Microsoft office365.
  4. The FortiGate needs Internet access to provision FortiTokens and to send e-mail, including the Email token.
  5. Always create an individual FortiGate admin account for each user with elevated privileges, so that configuration changes can be undone, regardless of the 2FA method used.
  6. As a fail-safe, create privileged admin accounts without a token that are reachable only from a secure network, using 'Restrict logins from trusted hosts'.
  7. An administrator has three days to activate the FortiToken assigned to the account. As insurance, create a temporary administrator account with super_admin privileges and keep it until the FortiToken has been activated and a login with it has been tested.
  8. Even after the token has been activated, authentication can still fail if the FortiGate clock is not in sync, because the one-time codes are time-based. Make sure NTP is in sync before assigning the token to the admin.

 

Scope

 

FortiGate.

 

Solution

 

For v5.2 and earlier firmware versions:
Go to Global -> Admin -> Administrators -> edit the desired admin user -> under Contact Info enter the e-mail address -> enable 'Two-Factor Authentication' -> select the token from the drop-down box -> select Apply to save the changes.
 
Once done, the activation code is sent to the e-mail address entered. Proceed to activate the token in the FortiToken Mobile app.
 
For v5.4 and later firmware versions:
Go to System -> Administrators -> edit the desired admin user -> enter the e-mail address -> enable 'Two-Factor Authentication' -> select the token from the drop-down box -> select Apply to save the changes.
 
Once done, the activation code is sent to the e-mail address entered. Proceed to activate the token in the FortiToken Mobile app.
 
In 7.4.1 go to System -> Administrators.
 
[Screenshot: System -> Administrators page in FortiOS 7.4.1]

 

CLI:
 
config system admin
    edit "xxxx"                        <----- Desired admin name.
        set two-factor fortitoken      <----- Enable FortiToken two-factor authentication.
        set email-to "xyx@xyz.com"     <----- E-mail address that receives the activation code.
        set fortitoken "id"            <----- Instead of 'id', type the serial number of the token.
    next
end
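As an added example (not part of the original article and not Fortinet's own text), the following is the complete CLI sequence for the procedure above, combined with the precautions from the Usage Awareness list: synchronize the clock via NTP before assigning a token (item 8), create a trusted-host fail-safe administrator (items 6 and 7), assign the FortiToken to the 2FA administrator, then verify and clean up. The admin names "breakglass" and "jdoe", the e-mail address, the management subnet, the token serial and the passwords are all placeholders, not values from the article.

```fortios
# Added example, not from the original article. All names, addresses,
# serials and passwords are placeholders: replace them with your own values.
# Comment lines start with '#'; enter the commands on their own lines.

# 1. Clock first: FortiToken codes are time-based, so a drifting clock
#    makes every valid code fail.
config system ntp
    set ntpsync enable
    set type fortiguard
    set syncinterval 60
end

# Verify before going further: the status must report synchronized: yes,
# and the date/time must be correct.
diagnose sys ntp status
execute date

# 2. Fail-safe account without a token, reachable only from the management
#    subnet (trusted host). This is the break-glass / insurance account.
config system admin
    edit "breakglass"
        set accprofile "super_admin"
        set vdom "root"
        set trusthost1 10.10.0.0 255.255.255.0
        set password <strong-unique-password>
    next
end

# 3. The administrator that gets FortiToken 2FA. The e-mail address
#    receives the activation code; the serial must belong to a token that
#    is not yet assigned to another user.
config system admin
    edit "jdoe"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set email-to "jdoe@example.com"
        set fortitoken "FTKMOBxxxxxxxxxx"
        set password <strong-unique-password>
    next
end

# 4. Check the assignment and the token state, then test a login as "jdoe"
#    from a second session before closing the one you are working in.
show system admin jdoe
diagnose fortitoken info

# 5. Only if the account from step 2 was created purely as insurance for
#    the three-day activation window: remove it once the 2FA login has been
#    tested. Keep it if it is your permanent trusted-host fail-safe.
config system admin
    delete "breakglass"
end
```

Keep the session used for the configuration open until the 2FA login has succeeded from another session; if the activation e-mail does not arrive or the code is rejected, re-check the NTP status and the e-mail (alert-mail) settings before touching the token assignment again.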