FortiGate
Pavan_Chintha
Article Id 423676
Description This article describes how FortiToken Mobile license activation and token assignment behave in a FortiGate Active-Passive HA cluster.
Scope FortiGate.
Solution

A FortiGate contacts the FortiGuard servers twice for FortiToken Mobile tokens: once when the license is activated (the license is registered to the serial number of the FortiGate that activates it), and again when a token is assigned to a user.

Problems can arise in a cluster in the following scenario:

  • The license is activated while unit 1 is the primary. The token license is registered against the serial number of unit 1 in the FortiCloud portal.
  • A failover occurs and unit 2 takes over as the primary FortiGate.
  • Assigning tokens to users from unit 2 fails. Assignment requires another exchange with FortiGuard, but the FortiGate doing the communication (unit 2) is not the FortiGate the license is registered to (unit 1).

In this situation it is not necessary to move the tokens to the other serial number (unit 2). A failover back to unit 1, the unit the license is registered to, is sufficient to assign the tokens to the users.

Any tokens already assigned to a user are completely unaffected by failover; either unit can verify a token code.

It is only the license activation and the assignment of a token to a user that can be a problem if a cluster fails over for any reason.

As long as the same unit is primary both when the token license is registered and when the tokens are assigned, there should not be any issues.
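Before assigning tokens in a cluster that may have failed over, the practical check is whether the serial number of the current HA primary is the one the FortiToken Mobile license was activated on. The Python script below is an added example, not part of this article or of FortiOS: it parses constructed sample text that approximates the member lines printed by `get system ha status`, compares the primary's serial with the serial the license is registered to (also a constructed value here), and reports whether tokens can be assigned from the current primary or whether the cluster must first fail back. The sample output, hostnames and serial numbers are assumptions; adjust `MEMBER_RE` to the exact output of your FortiOS version.

```python
"""Pre-flight check for FortiToken Mobile assignment in a FortiGate A-P cluster.

Compares the serial number of the current HA primary (parsed from the text of
`get system ha status`) with the serial number the FortiToken Mobile license
was activated on, and reports whether token assignment can proceed from the
current primary or whether the cluster must first fail back.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output. The layout approximates the member lines that
# `get system ha status` prints; the real command prints more fields and the
# labels vary by FortiOS version (Primary/Secondary vs. Master/Slave).
# Scenario from the article: the license was activated while FGT-A (unit 1)
# was primary, then a failover made FGT-B (unit 2) primary.
SAMPLE_HA_STATUS = """\
HA Health Status: OK
Model: FortiGate-100F
Mode: HA A-P
Group: 0
Cluster Uptime: 12 days 3:44:10
Primary selected using:
    <2024/05/01 10:00:00> FG100FTK20000002 is selected as the primary because it has the largest value of uptime.
Primary     : FGT-B           , FG100FTK20000002, HA cluster index = 1
Secondary   : FGT-A           , FG100FTK20000001, HA cluster index = 0
"""

# Serial number the FortiToken Mobile license is registered to in FortiCloud
# (constructed value; it matches FGT-A above).
LICENSE_REGISTERED_SN = "FG100FTK20000001"

# One member line: "<role> : <hostname> , <serial> , HA cluster index = N"
MEMBER_RE = re.compile(
    r"^(Primary|Master|Secondary|Slave)\s*:\s*(\S+)\s*,\s*(\S+)\s*,",
    re.MULTILINE,
)


@dataclass
class HaMember:
    role: str       # "primary" or "secondary", normalised across FortiOS versions
    hostname: str
    serial: str


def parse_ha_status(text: str) -> List[HaMember]:
    """Extract cluster members (role, hostname, serial) from HA status text."""
    members = []
    for role, hostname, serial in MEMBER_RE.findall(text):
        normalised = "primary" if role in ("Primary", "Master") else "secondary"
        members.append(HaMember(normalised, hostname, serial))
    return members


def current_primary(members: List[HaMember]) -> Optional[HaMember]:
    """Return the member currently acting as primary, or None if not found."""
    return next((m for m in members if m.role == "primary"), None)


def token_assignment_check(ha_status_text: str, license_sn: str) -> Tuple[str, str]:
    """Return (verdict, explanation).

    verdict is one of:
      "ok"                - the primary is the unit the license is registered to
      "failback_required" - the registered unit is in the cluster but not primary
      "not_in_cluster"    - no cluster member carries the registered serial
      "no_primary"        - no primary member could be parsed from the text
    """
    members = parse_ha_status(ha_status_text)
    primary = current_primary(members)
    if primary is None:
        return "no_primary", "could not find a primary member in the HA status output"
    if primary.serial == license_sn:
        return "ok", (f"{primary.hostname} ({primary.serial}) is primary and holds "
                      f"the license registration; tokens can be assigned now")
    holder = next((m for m in members if m.serial == license_sn), None)
    if holder is None:
        return "not_in_cluster", f"license serial {license_sn} does not belong to any cluster member"
    return "failback_required", (
        f"primary is {primary.hostname} ({primary.serial}) but the license is registered to "
        f"{holder.hostname} ({holder.serial}); fail back to it before assigning tokens"
    )


if __name__ == "__main__":
    verdict, why = token_assignment_check(SAMPLE_HA_STATUS, LICENSE_REGISTERED_SN)
    print(verdict, "-", why)
```

Run it against the output of `get system ha status` copied from the cluster. A `failback_required` verdict means tokens should only be assigned once the registered unit is primary again; how that failback is triggered depends on the cluster's override and priority settings (one common way is `diagnose sys ha reset-uptime` on the current primary, which removes its uptime advantage in primary selection). Tokens that were already assigned need no such check, since either unit can validate their codes.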