Technical Tip: Enabling 2FA on FortiGate administrator using FortiManager

jera · ‎09-06-2024

Description

This article describes how to enable 2FA authentication for FortiGate administrators from FortiManager.

Scope

FortiGate and FortiManager 7.4.3.

Solution

Navigate to Device Manager -> Device & Groups.
Select the name of the FortiGate from the list of Managed FortiGate on which 2FA will be enabled. Then go to System -> Administrators.

The list of configured administrators will appear. Select the administrator account to edit.
Under Security -> Two Factor Authentication there are different settings to choose from:

Email.	One time code is sent to the user's configured email address.
SMS.	One time code is sent to the user's configured phone number.
FortiToken Mobile.	A mobile application is required to be installed on the user's iOS or Android to generate a one-time code. Tokens are imported and registered manually using a redemption code. Here is the guide to register. By default, all FortiGates include 2 Free Trial Tokens that can be assigned to 2 different users.
FortiToken Cloud.	This is a cloud-managed authentication service. Tokens can be managed through https://ftc.fortinet.com/app/

This article uses the FortiToken Mobile. From the FortiToken field, choose the token to be assigned from the drop-down list.
Supply the user's email address in the contact info field to receive the activation code.

Install/push the configuration change on FortiGate.
1. Select the Install Wizard -> Choose What to Install -> Install Device Settings (only).
2. Select Next -> Make sure that the correct FortiGate is selected -> Select Next.
3. To view the configuration to push, select Install Preview.

The FortiManager should only be pushing the system admin configuration.

Select Install and wait until the configuration is installed successfully. Then select Finish.