oconnort
Staff
Article Id 195578

Description

 

This article describes how to configure FortiToken mobile push notifications.

 

FortiToken Mobile push notifications let users approve or deny multi-factor authentication (MFA) requests directly on their mobile device. This document explains the FortiToken Mobile push flow, FortiGate configuration, and common troubleshooting checks.

 

This applies to a FortiGate running FortiOS that is configured to use FortiToken Mobile for MFA (for example, for SSL VPN or administrative access). The examples reference 7.x-style configuration; always confirm the exact CLI options for the FortiOS version in use.

 

Scope

 

FortiGate / FortiOS

 

Solution:

 

FortiGates with associated mobile FortiTokens can be configured to send push notifications: instead of requiring users to enter the token code manually, the user can simply confirm the login attempt on the same mobile device on which their token is registered.

 

Apple (APNS) and Google (GCM/FCM) provide the push service for iPhone and Android, respectively. This helps to avoid locking Tokens after disabling an already enabled two-factor authentication user.

 

FortiToken Mobile push notifications can be configured via the CLI only. In multi-VDOM mode, ftm-push is configured in the global VDOM.

 

FortiToken Mobile push includes the following configurations, depending on the FortiGate version:

 

Example 1 (common in 7.x CLI references):

 

config system ftm-push
    set status enable
    set server <public-ip-or-fqdn>
    set server-port 4433
    set server-cert "Fortinet_Factory"
    set proxy enable
end

 

Example 2 (seen in some cookbook examples):

 

config system ftm-push
    set status enable
    set server-ip <public-ip-address>
    set server-port 4433
end

 

  • proxy: Enable/disable communication to the proxy server in FortiGuard configuration.
  • interface: (available v7.4.8 onwards). FortiGate interface hosting ftm push service. Used to auto-generate server IPv4 address.
  • server-port: Port to communicate with FortiToken Mobile push services server (1 - 65535, default = 4433).
  • server-cert: Name of the server certificate to be used for SSL (default = Fortinet_Factory).
  • server-ip: (replaced with 'server' setting in v6.4.10 onwards) IPv4 address of FortiToken Mobile push services server.
  • server: IPv4 address or domain name of FortiToken Mobile push services server.
  • status: Enable/disable the use of FortiToken Mobile push services.

 

Notes

 

  • server-ip: The server IP address is the FortiGate's public IP address, or the public IP address of the upstream device that forwards the push notification responses to the FortiGate (this command is not supported from v6.4.10 onwards).
  • server: This can be a public IP address or a domain name (which resolves to the FortiGate's public IP address). This option is not available on v6.4.9 and below.

Only one IP address at a time can be configured under 'server-ip' or 'server'.

 

Warning:

 

In FortiOS v6.4.10 up to and including v7.4.0, unset 'server-ip' and use the 'server' setting only. In these firmware versions the 'set server-ip' setting is non-functional but still appears in the configuration, and attempting to configure it prints the following error message:

 

config sys ftm-push
    set server-ip X.X.X.X

Missing server address.
object check operator error, -56, discard the setting
Command fail. Return code -56

 

'set server-ip' is fully removed as of FortiOS v7.4.1.

 

In FortiOS v6.4.10 onwards, the 'set server' command is used. This setting provides the flexibility to use a domain name or an IP.

 

config sys ftm-push

    set server site-a.example.com

end

 

Or:

 

config sys ftm-push

    set server X.X.X.X

end

 

If the device has a dynamic public IP address:

 

  • FortiGuard Dynamic DNS can be configured to automatically update the domain name resolving to FortiGate's public IP. See Technical Tip: How to configure Dynamic DNS FortiGate.
  • In FortiOS v7.4.8 onwards and v7.6.4 onwards, 'set interface' can be configured instead of 'set server' to automatically update the server IP address to the current interface address. An interface is selected instead of specifying an IP/FQDN, and the FortiGate automatically uses the interface's current IP address, which is especially useful in environments with dynamically assigned WAN addresses.

config system ftm-push
    set interface "wan1"
end

 

Or:

 

config system interface
    edit <wan-interface>
        set allowaccess ftm
    next
end

 

Configuring both 'set server' and 'set interface' is not supported; if both are configured, the following error is printed:

 

config sys ftm-push
    set interface "wan1"
    set server site-a.example.com
end

set either interface or server but not both.
attribute 'interface' set operator error, -651, roll back the setting
Command fail. Return code -651

 

Starting with v7.6.4, the server IP/FQDN can be configured through the GUI; see Technical Tip: Changing port for push notification configuration.

 

The push notification process runs as follows:

  1. A user with an associated token logs in (SSL VPN, captive portal, etc.).
  2. This triggers a token requirement.
  3. The FortiGate offers the choice of a push notification or entering the token code manually.
  4. If push notification is selected, the FortiGate sends the push notification, containing the server IP and port configured in the CLI, to the Apple/Android push servers.
  5. The message is forwarded from there to the user's mobile device.
  6. The mobile device sends the reply to the server IP and port defined in the FortiGate CLI and contained within the push notification.

 

Requirements for FortiToken Mobile push to work properly:

 

  1. The FortiToken Mobile service and ping must be allowed on the interface that will receive the FortiToken Mobile response.

 

config system interface
    edit <name>
        set allowaccess ftm ping
    next
end

 

  2. There must be at least one administrator account with no trusted hosts configured. If company policies do not allow exposing the FortiGate in this way (it also means the FortiGate will respond to ping/ssh/https on any interface with those services enabled), configure a local-in policy instead and ensure the port used for the push is allowed inbound. See Technical Tip: Impact of Local-In Policies and Trusted Hosts Configuration on FortiGate Access for information on how to replace the trusted hosts with a local-in policy.
  3. If the FortiGate sits behind an upstream NAT device, forward the chosen callback port (for example, TCP/4433) from the public IP address to the FortiGate interface where 'allowaccess ftm' is enabled, and ensure the upstream firewall policy allows the inbound connection.
  4. If FortiToken Mobile push is used in an authentication flow that depends on RADIUS, ensure the RADIUS timeout is long enough to allow the push notification round-trip (the default of 5 seconds is often too short).

 

CLI:

 

config user radius
    edit <RADIUS server name>
        set timeout <value, e.g. 30>
    next
end
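The option notes, the 'server'/'interface' warning and the requirements above amount to a checklist that is easy to get wrong across firmware versions. The following linter is an added example (not Fortinet code) that parses a FortiOS CLI dump of the relevant sections and flags the pitfalls this article describes: 'server-ip' used on v6.4.10 or later, 'server' and 'interface' set together, no server address at all, the callback interface missing 'allowaccess ftm', and a RADIUS timeout shorter than the push round-trip. The sample configuration is constructed, the minimal parser only understands the config/edit/set/next/end shape used here, and the 30-second RADIUS threshold is an assumption taken from the article's example value.

```python
"""Lint a FortiOS CLI dump for FortiToken Mobile push misconfigurations.

Added example, not Fortinet code. The parser handles only the simple
'config ... / edit ... / set ... / next / end' shape used in this article.
"""
import re

# Constructed sample (not a real device dump) containing several mistakes.
SAMPLE_CONFIG = """\
config system ftm-push
    set status enable
    set server-ip 203.0.113.10
    set server site-a.example.com
    set interface "wan1"
    set server-port 4433
end
config system interface
    edit "wan1"
        set allowaccess https ssh ping
    next
    edit "port2"
        set allowaccess ftm ping
    next
end
config user radius
    edit "corp-radius"
        set server 192.0.2.5
        set timeout 5
    next
end
"""

# Constructed sample that follows the article's guidance for v7.4.8+.
GOOD_CONFIG = """\
config system ftm-push
    set status enable
    set interface "wan1"
    set server-port 4433
end
config system interface
    edit "wan1"
        set allowaccess ftm ping
    next
end
config user radius
    edit "corp-radius"
        set timeout 30
    next
end
"""


def parse_fortios(text):
    """Return {section: {entry_name_or_None: {key: [values]}}}."""
    sections, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # Keep quoted names such as "wan1" as one token, then drop the quotes.
        tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        cmd = tokens[0]
        if cmd == "config":
            section = " ".join(tokens[1:])
            sections.setdefault(section, {})
        elif cmd == "edit":
            entry = tokens[1]
            sections[section].setdefault(entry, {})
        elif cmd == "set":
            sections[section].setdefault(entry, {})[tokens[1]] = tokens[2:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            section = entry = None
    return sections


def version_tuple(version):
    """'v7.4.8' or '7.4.8' -> (7, 4, 8) for ordered comparison."""
    return tuple(int(p) for p in version.lstrip("v").split("."))


def lint_ftm_push(text, fortios_version, min_radius_timeout=30):
    """Return a list of finding strings; an empty list means nothing flagged."""
    cfg = parse_fortios(text)
    ver = version_tuple(fortios_version)
    findings = []
    push = cfg.get("system ftm-push", {}).get(None, {})
    if push.get("status", ["disable"])[0] != "enable":
        findings.append("ftm-push: status is not enabled")
    has_server, has_iface, has_server_ip = "server" in push, "interface" in push, "server-ip" in push
    if has_server and has_iface:
        findings.append("ftm-push: 'server' and 'interface' are mutually exclusive")
    if has_server_ip and ver >= (6, 4, 10):
        findings.append("ftm-push: 'server-ip' is non-functional from v6.4.10 (removed in v7.4.1); use 'server'")
    if not (has_server or has_iface or (has_server_ip and ver < (6, 4, 10))):
        findings.append("ftm-push: no server address configured")
    ifaces = cfg.get("system interface", {})
    if has_iface:  # the interface hosting the callback must allow the ftm service
        name = push["interface"][0]
        if "ftm" not in ifaces.get(name, {}).get("allowaccess", []):
            findings.append(f"interface {name}: 'allowaccess' lacks ftm")
    if not any("ftm" in attrs.get("allowaccess", []) for attrs in ifaces.values()):
        findings.append("no interface has 'allowaccess ftm'; the push reply cannot be received")
    for name, attrs in cfg.get("user radius", {}).items():
        timeout = int(attrs.get("timeout", ["5"])[0])  # FortiOS default is 5 s
        if timeout < min_radius_timeout:  # threshold is an assumption from the article's example
            findings.append(f"radius {name}: timeout {timeout}s may be too short for the push round-trip")
    return findings


if __name__ == "__main__":
    for finding in lint_ftm_push(SAMPLE_CONFIG, "v7.4.0"):
        print("FINDING:", finding)
    print("clean config:", lint_ftm_push(GOOD_CONFIG, "v7.4.8"))
```

Run it against the output of 'show system ftm-push', 'show system interface' and 'show user radius' pasted into one file; the version argument decides whether 'server-ip' is flagged, since on v6.4.9 and below it is still the correct setting.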

 

Note:

 

IKEv1 does not support FortiToken Mobile push. If FortiToken Mobile push is enabled globally on the FortiGate, FortiToken Mobile users will not be able to log in to an IKEv1 dialup VPN.

 

Push notifications are supported for IPsec (IKEv2) starting from:

  • FortiOS versions: v7.2.8, v7.4.4, v7.6.0.
  • FortiClient versions:

    • v7.2.4 and above for Windows.
    • v7.2.5 and above for MAC.
    • v7.2.5 and above for Linux.

More information on supported versions can be found in the article Technical Tip: Required firmware/software versions for using FortiToken Mobile or OTP MFA with Forti....

 

The IPsec dial-up connection from an iOS device will fail to connect when using FortiToken MFA, as the device will not receive the token push. As a workaround, append the token code to the password field when connecting:

  • Password: p@ssw0rd
  • Token code: 345678

The user enters p@ssw0rd345678 when prompted for the password.

 

Related documents:

DDNS

Troubleshooting Tip: FTM-Push notification configured but not working

Technical Tip: How to provision FortiToken cloud

Technical Tip: FortiGate support for FTM push for firewall policy authentication

Technical Tip: FTM Push Notification failing with Error - 'Token denied or timeout (-7105)'

Technical Tip: Explaining global 'set remoteauthtimeout', user radius 'set timeout', and how they wo...

Technical Tip: FortiToken Push on FortiAuthenticator: operation flow and details