FortiGate
chaithrar
Staff
Article Id 194890

Description


This article describes the steps to configure Two Factor Authentication on FortiGate with token delivery to a user's email.

 

Scope

 

FortiGate.

Solution


There are two steps to complete this configuration:

  1. Configure the SMTP server.

config system email-server
    set reply-to {Sender_email_address} <----- No longer configurable - see Technical Tip: 'set reply-to' missing under the 'config system email-server'.
    set server {SMTP_server_FQDN/IP}
    set port {SMTP_server_port_number}
    set authenticate {enable | disable}
    set username {username}
    set password {password_string}
    set security {none | starttls | smtps}
end

  2. Create the user(s) with email two-factor enabled.

config user local
    edit {username}
        set type password
        set two-factor email
        set email-to {user_email_address}
        set passwd {password}
    next
end

config system admin
    edit "admin"
        set type password
        set two-factor email
        set email-to user_email_address
        set passwd password
    next
end
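Before enabling email 2FA, it is worth checking the email-server and user blocks for settings that would stop tokens being delivered or send them in cleartext. The following linter is an added example, not Fortinet code: it parses a constructed FortiOS-style snippet with the same `config system email-server` and `config user local` syntax as above, and its checks (security none, port/security mismatch, `two-factor email` without `email-to`) are this author's assumptions about common misconfigurations.

```python
# Added example, not Fortinet code: lint the FortiOS CLI blocks used for email 2FA.
# SAMPLE_CONFIG is constructed; the checks below are this author's assumptions.
SAMPLE_CONFIG = """config system email-server
    set server "smtp.example.com"
    set port 465
    set authenticate enable
    set username "fortigate@example.com"
    set security starttls
end
config user local
    edit "testuser"
        set two-factor email
    next
    edit "alice"
        set two-factor email
        set email-to "alice@example.com"
    next
end
"""

def parse_fortios(text):
    """Flat FortiOS CLI parser: {table: {entry: {key: value}}}, entry '' if no 'edit'."""
    tables, table, entry = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            table, entry = line[7:], ""
            tables.setdefault(table, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
        elif line.startswith("set ") and table:
            key, _, val = line[4:].partition(" ")
            tables[table].setdefault(entry, {})[key] = val.strip().strip('"')
    return tables

def lint_email_2fa(cfg):
    """Return findings for email-server / user settings that break or weaken 2FA delivery."""
    findings = []
    smtp = cfg.get("system email-server", {}).get("", {})
    sec, port = smtp.get("security", "none"), smtp.get("port")  # assumes missing security means none
    if sec == "none":  # SMTP login and the emailed tokens would cross the network unencrypted
        findings.append("email-server: security none, credentials and 2FA tokens sent in cleartext")
    if (sec, port) in {("smtps", "587"), ("starttls", "465")}:  # common port / TLS mode mix-up
        findings.append(f"email-server: port {port} does not match security {sec}")
    for name, user in cfg.get("user local", {}).items():
        if user.get("two-factor") == "email" and not user.get("email-to"):
            findings.append(f"user {name}: two-factor email without email-to, token cannot be delivered")
    return findings
```

Run `lint_email_2fa(parse_fortios(SAMPLE_CONFIG))` to list the findings; on the constructed sample it reports the port/security mismatch and the user with no `email-to`.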

 

Note:

Email-based two-factor authentication can only be enabled via the CLI.

After two-factor authentication has been enabled and the destination address for the 2FA emails has been configured via the CLI, the Email option appears under Two-factor authentication in the GUI. Note that the Email option disappears again once the administrator changes the two-factor authentication type back to FortiToken or FortiToken Cloud; email-based two-factor authentication then needs to be configured again via the CLI.


Two-factor authentication can also be applied to LDAP users; see:

Configuring Two-Factor Authentication for LDAP users


Verification of Configuration:
When the newly created user attempts to access a service that requires authentication (e.g. SSL VPN), the user is prompted for username and password as usual.
If the correct credentials are entered, the user is then prompted for a token, which is delivered to the user's mailbox. Once the user enters the received token, access is granted.

Troubleshooting:

 

Debug commands can and should be combined to follow the authentication flow: the hand-over from one process to the next, and the point at which a response is sent from the client. As timeouts may occur, adding a timestamp to each debug line helps to identify them:


diag debug reset
diag debug console timestamp enable
diag debug application fnbamd -1
diag debug application alertmail -1
diag debug enable

 

Use a sniffer command to identify whether there are any issues with authentication of the client to the email server.

 

diag sniffer packet any "port xx" 6 0 l     <----- Replace xx with the port number on which the mail server is listening.
