Description
This article describes the steps to configure two-factor authentication on FortiGate with delivery of the token to the user's email address.
Related document:
system email-server
Scope
FortiGate.
Solution
There are two steps to complete this configuration:
- Configure the SMTP server.
config system email-server
set reply-to {Sender_email_address}
set server {SMTP_server_FQDN/IP}
set port {SMTP_server_port_number}
set authenticate {enable | disable}
set username {username}
set password {password_string}
set security {none | starttls | smtps}
end
- Create the user(s) with email-based two-factor authentication enabled.
config user local
edit {username}
set type password
set two-factor email
set email-to {user_email_address}
set passwd {password}
next
end
config system admin
edit "admin"
set type password
set two-factor email
set email-to {user_email_address}
set passwd {password}
next
end
Note:
Email-based two-factor authentication can only be enabled via the CLI.
Once two-factor authentication has been enabled and the destination address for the 2FA emails has been configured via the CLI, the Email-based two-factor authentication option appears in the GUI. Note that the Email option disappears from the GUI again as soon as the administrator changes the two-factor authentication type back to either FortiToken or FortiToken Cloud; email-based two-factor authentication then has to be configured again via the CLI.
The two-factor authentication can also be applied to LDAP users:
Configuring Two-Factor Authentication for LDAP users
Verification of Configuration:
When the newly created user accesses a service that requires authentication (e.g. SSL-VPN), the user is prompted for username and password as usual.
If the correct credentials are entered, the user is then prompted for a token, which is delivered to the user's mailbox. Once the user enters the received token, access is granted.
Troubleshooting:
The debug commands below can and should be combined to follow the authentication flow: the hand-over to the next process and the point at which a response is sent from the client. Because timeouts may occur, adding a timestamp to each debug line helps to identify them:
diag debug reset
diag debug console timestamp enable
diag debug application fnbamd -1
diag debug application alertmail -1
diag debug enable
Related articles:
Correctly configuring Two-Factor Authentication for LDAP users using SSL VPN
Add Two-Factor Authentication for FortiGate Administrators using FortiToken