Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
oconnort
Staff
Staff

Created on ‎05-10-2020 06:41 AM Edited on ‎12-05-2025 09:42 AM By Moderator

Article Id 195578

Technical Tip: FortiToken Mobile push notification

Description

 

This article describes how to configure FortiToken mobile push notifications.

 

Scope

 

FortiGate.

 

Solution

 

FortiGates with associated mobile FortiTokens can be configured to send push notifications: Instead of requiring users to submit the token code manually, it can simply confirm the login attempt on the same mobile their token is registered on.

 

Apple (APNS) and Google (GCM/FCM) provide the push service for iPhone and Android, respectively. This helps to avoid locking Tokens after disabling an already enabled two-factor authentication user.

 

FortiToken Mobile Push notifications can be configured via CLI only. If in multi-VDOM mode, ftm-push is configured in global VDOM.

 

FortiToken Mobile Push includes the following configurations depending on the version of FortiGate :

 

get system ftm-push 

proxy : enable
interface :

server-port         : 4433

server-cert         : Fortinet_Factory

server-ip           : 0.0.0.0

server              :

status              : disable

 

  • proxy: Enable/disable communication to the proxy server in FortiGuard configuration.
  • interface: (available v7.4.8 onwards). FortiGate interface hosting ftm push service. Used to auto-generate server IPv4 address.
  • server-port: Port to communicate with FortiToken Mobile push services server (1 - 65535, default = 4433).
  • server-cert: Name of the server certificate to be used for SSL (default = Fortinet_Factory).
  • server-ip: (replaced with 'server' setting in v6.4.10 onwards) IPv4 address of FortiToken Mobile push services server.
  • server: IPv4 address or domain name of FortiToken Mobile push services server.
  • status: Enable/disable the use of FortiToken Mobile push services.

 

Note

  • server-ip: The server IP address is the FortiGate's public IP or public IP address of the device which is upstream and forwarding the push notification responses towards FortiGate (This command is not supported from v6.4.10 onwards).
  • server: This can be a public IP or Domain name (which is resolved to FortiGate's Public IP). This option is not available on v6.4.9 and below.

 

It is possible to configure one IP address at a time under 'server-ip' or 'server'.

 

Warning:

In FortiOS v6.4.10 up to FortiOS v7.4.0 inclusive, unset server-ip and use server configuration only. In these firmware versions, the 'set server-ip' setting is non-functional but still appears in configuration. Attempting to configure it will print the following error message.

 

config sys ftm-push 

    set server-ip X.X.X.X

Missing server address.

object check operator error, -56, discard the setting

Command fail. Return code -56

 

'set server-ip' is fully removed as of FortiOS v7.4.1.

 

In FortiOS v6.4.10 onwards, the 'set server' command is used. This setting provides the flexibility to use a domain name or an IP.

 

config sys ftm-push

    set server site-a.example.com

end

 

Or:

 

config sys ftm-push

    set server X.X.X.X

end

 

If the device has a dynamic public IP address:

  • FortiGuard Dynamic DNS can be configured to automatically update the domain name resolving to FortiGate's public IP. See Technical Tip: How to configure Dynamic DNS FortiGate.
  • In FortiOS v7.4.8 onwards and v7.6.4 onwards, 'set interface' can be configured instead of 'set server' to automatically update the server IP address to the current interface address. An interface can be selected instead of specifying an IP/FQDN. FortiGate will automatically use the interface’s current IP, which is especially useful in environments with dynamically assigned WAN addresses

config system ftm-push

set interface "wan1"

end

 

Configuring both 'set server' and 'set interface' is not supported, and if configured will print an error:

 

config sys ftm-push

set interface "wan1"

set server site-a.example.com

end

set either interface or server but not both.
attribute 'interface' set operator error, -651, roll back the setting
Command fail. Return code -651

 

Starting with v7.6.4, server IP/FQDN be configured through the GUI, see Technical Tip: Changing port for push notification configuration.

 

The push notification process runs as follows:

  1. A user with an associated token log-in (SSL VPN, captive portal, etc).
  2. This triggers a token requirement.
  3. FortiGate offers the choice of push notification or entering the token code manually.
  4. If a push notification is selected, FortiGate sends the push notification with the server IP and port configured in CLI to the Apple/Android servers in question.
  5. The message is forwarded to the user’s mobile from there.
  6. The mobile sends the reply to the server IP and port defined in FortiGate CLI and contained within the push notification.

 

Requirements for FortiToken Mobile push to work properly.

  1. The FortiToken Mobile service and ping must be allowed on the interface that will receive the FortiToken Mobile response.

 

config system interface

    edit <name>

        set allowaccess ftm ping

    next

end

 

  1. There must be at least one administrator account with no trusted hosts configured: If there are company policies in place that do not allow for exposing the FortiGate in such a manner (as this also means FortiGate will react to ping/ssh/https prompts on interfaces with such enabled), configure a local-in policy instead and ensure the port used for the push is allowed inbound. See Technical Tip: Impact of Local-In Policies and Trusted Hosts Configuration on FortiGate Access for information on how to replace the trusted hosts with a local-in policy.

 

  1. If the FortiGate with push notification enabled is behind a router/other firewall that performs NATing, then a virtual IP/port forwarding must be configured on that unit to allow responses to reach the FortiGate.

 

Note:

IKEv1 does not support FortiToken Mobile Push. If FortiToken Mobile Push is enabled globally on the FortiGate, FortiToken Mobile Users will not be able to login to IKEv1 dialup VPN.

 

Push notifications are supported for IPsec (IKEv2) starting from:

  • FortiOS versions: v7.2.8, v7.4.4, v7.6.0.

  • FortiClient versions:

    • v7.2.4 and above for Windows.
    • v7.2.5 and above for MAC.
    • v7.2.5 and above for Linux.

More information on supported versions can be found in the article Technical Tip: Required firmware/software versions for using FortiToken Mobile or OTP MFA with Forti....

 

The IPSec dial-up connection with an IOS device will fail to connect if using the FortiToken MFA, as it will not receive the token push. As a workaround, include the token in the password field while connecting:

  • Password: p@ssw0rd
  • Token Code345678

The user will enter p@ssw0rd345678 when prompted for the password.

 

Related documents:

DDNS

Troubleshooting Tip: FTM-Push notification configured but not working

Technical Tip: How to provision FortiToken cloud

Technical Tip: FortiGate support for FTM push for firewall policy authentication

Technical Tip: FTM Push Notification failing with Error - 'Token denied or timeout (-7105)'

49577
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.