Description

This article describes how to configure FortiToken mobile push notifications.

Scope

FortiGate.

Solution

FortiGates with associated mobile FortiTokens can be configured to send push notifications: Instead of requiring users to submit the token code manually, it can simply confirm the login attempt on the same mobile their token is registered on.

Apple (APNS) and Google (GCM/FCM) provide the push service for iPhone and Android, respectively. This helps to avoid locking Tokens after disabling an already enabled two-factor authentication user.

Mobile token push notifications can be configured via CLI only.

FTM-Push includes the following configurations depending on the version of FortiGate :

config  sys ftm-push 

get

server-port         : 4433

server-cert         : Fortinet_Factory

server-ip           : 0.0.0.0

server              :

status              : disable

server-port : Port to communicate with Fortitokens Mobile push services server (1 - 65535, default = 4433).

server-cert: Name of the server certificate to be used for SSL (default = Fortinet_Factory).

server-ip: IPv4 address of FortiToken Mobile push services server (format: xxx.xxx.xxx.xxx).(not supported from 6.4.10 onwards).

server: IPv4 address or domain name of FortiToken Mobile push services server.

status : Enable/disable the use of FortiToken Mobile push services.

Note: 

server-ip: The server IP address is the FortiGate's public IP or public IP address of the device which is upstream and forwarding the push notification responses towards FortiGate (This command is not supported from v6.4.10 onwards).

server: This can be a public IP or Domain name (which is resolved to FortiGate's Public IP). This option is not available on v6.4.9 and below.

Also, it is possible to add one IP address at a time under 'server-ip' or 'server'.

From v6.4.10 and above, as well as in v7.0, v7.2, v7.4, v7.6:

The 'set server-ip' command is not in use anymore and will print the following error message (X.X.X.X: replace this with Public  IP address):

config  sys ftm-push 

    set server-ip X.X.X.X

Missing server address.

object check operator error, -56, discard the setting

Command fail. Return code -56

Instead of 'set server-ip', the 'set server'  command can be used from v6.4.10 onwards.

'set server' command provides the flexibility to use a domain name or an IP.

FortiDDNS server can be used to set the domain name against FortiGate's public IP.

config  sys ftm-push

    set server example.fortinet.com

end

Or:

config  sys ftm-push

    set server X.X.X.X

end

Configuring  both  'set server-ip' and # 'set server' is also not supported and if being used it will be followed by the error:

config  sys ftm-push 

    set server example.fortinet.com

    set server-ip X.X.X.X

end

Warning: Unset server-ip and use server configuration only.

The push notification process runs as follows:

1. A user with an associated token log-in (SSL VPN, captive portal, etc).
2. This triggers a token requirement.
3. FortiGate offers the choice of push notification or entering the token code manually.
4. If a push notification is selected, FortiGate sends the push notification with the server IP and port configured in CLI to the Apple/Android servers in question.
5. The message is forwarded to the user’s mobile from there.
6. The mobile sends the reply to the server IP and port defined in FortiGate CLI and contained within the push notification.

Requirements for FTM push to work properly.

1. The FortiToken Mobile service and ping must be allowed on the FortiToken Mobile response receiving interface:

config system interface

    edit <name>

        set allowaccess ftm ping

    next

end

2. There must be at least one administrator account with no trusted hosts configured:

If there are company policies in place that do not allow for exposing the FortiGate in such a manner (as this also means FortiGate will react to ping/ssh/https prompts on interfaces with such enabled), configure a local-in policy instead and ensure the port used for the push is allowed inbound. See Technical Tip: Impact of Local-In Policies and Trusted Hosts Configuration on FortiGate Access for information on how to replace the trusted hosts with a local-in policy.

3. If the FortiGate with push notification enabled is behind a router/other firewall that performs NATing, then a virtual IP/port forwarding must be configured on that unit to allow responses to reach the FortiGate.

Note:

Push notifications are fully supported for IPsec (IKEv2) starting from:

• FortiOS v7.2.8.

• FortiClient versions:
  

  • v7.2.4 and above for Windows.
  • v7.2.5 and above for MAC.
  • v7.2.5 and above for Linux.

Related documents:

• DDNS
• Troubleshooting Tip: FTM-Push notification configured but not working
• Technical Tip: How to provision FortiToken cloud
• Technical Tip: FortiGate support for FTM push for firewall policy authentication
• Technical Tip: FTM Push Notification failing with Error - 'Token denied or timeout (-7105)'