FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
oconnort
Staff
Staff
Article Id 195578

Description

 

This article describes how to configure FortiToken mobile push notifications.

 

Scope

 

FortiGate.

 

Solution

 

FortiGates with associated mobile FortiTokens can be configured to send push notifications: Instead of requiring users to submit the token code manually, it can simply confirm the login attempt on the same mobile their token is registered on.

 

Apple (APNS) and Google (GCM/FCM) provide the push service for iPhone and Android, respectively. This helps to avoid locking Tokens after disabling an already enabled two-factor authentication user.

 

Mobile token push notifications can be configured via CLI only.

 

FTM-Push includes the following configurations depending on the version of FortiGate :

 

config  sys ftm-push 

get

server-port         : 4433

server-cert         : Fortinet_Factory

server-ip           : 0.0.0.0

server              :

status              : disable

 

server-port : Port to communicate with Fortitokens Mobile push services server (1 - 65535, default = 4433).

server-cert: Name of the server certificate to be used for SSL (default = Fortinet_Factory).

server-ip: IPv4 address of FortiToken Mobile push services server (format: xxx.xxx.xxx.xxx).(not supported from 6.4.10 onwards).

server: IPv4 address or domain name of FortiToken Mobile push services server.

status : Enable/disable the use of FortiToken Mobile push services.

 

Note: 

server-ip : The server IP address is the FortiGate's public IP or public IP address of device which is upstream and forwarding the  push notification responses towards FortiGate. (This command is not supported from 6.4.10 onwards).

server : This can be public IP or Domain name(which resolved to FortiGate's Public IP).This option is not available  on 6.4.9 and below

Also you can add one IP address at a time under "server-ip" or "server".

 

From 6.4.10 onwards:

 

# "set server-ip" command is not in use any more and will print the following error message:

X.X.X.X---> replace this with Public  IP address

 

config  sys ftm-push 

set server-ip X.X.X.X

Missing server address.

object check operator error, -56, discard the setting

Command fail. Return code -56

 

Instead of # 'set server-ip' , the # 'set server'  command  can be used on 6.4.10 onwards.

 

# 'set server' command provides the flexibility to use a domain name or  an IP.

FortiDDNS server can be used to set the domain name against the FortiGate's public IP.

 

config  sys ftm-push

set server example.fortinet.com

end

 

Or

 

config  sys ftm-push

set server X.X.X.X

end

 

Configuring  both  # 'set server-ip' and # 'set server' is also not supported and if being used it will be followed by error:

 

config  sys ftm-push 

set server example.fortinet.com

set server-ip X.X.X.X

end

 

WARNING: Unset server-ip and use server configuration only.

 

The push notification process runs as follows:

  1. A user with an associated token log in (SSLVPN, captive portal, etc).
  2. This triggers a token requirement.
  3. FortiGate offers the choice of push notification or entering the token code manually.
  4. If a push notification is selected, FortiGate sends the push notification with the server IP and port configured in CLI to the Apple/Android servers in question.
  5. The message is forwarded to the user’s mobile from there.
  6. The mobile sends the reply to the server IP and port defined in FortiGate CLI and contained within the push notification.

 

Requirements for FTM push to work properly

 

  1. The FTM service and ping must be allowed on the FTM response receiving interface:

 

config system interface

    edit <name>

        set allowaccess ftm ping

    next

end

 

  1. There must be at least one administrator account with no trusted hosts configured:

 

If there are company policies in place that do not allow for exposing the FortiGate in such a manner (as this also means FortiGate will react to ping/ssh/https prompts on interfaces with such enabled), the only other option is to use FortiToken Cloud; FortiToken Cloud does not require an administrator with no trusted hosts to be configured and is also capable of push notification.

 

  1. If the FortiGate with push notification enabled is behind a router/other firewall that performs NATing, then a virtual IP/port forwarding must be configured on that unit to allow responses to reach the FortiGate.

 

Note:

Push notifications are fully supported for IPsec (IKEv2) starting from:

  • FortiOS - 7.2.8
  • FortiClient - 7.2.5

 

Related documents:

DDNS

Troubleshooting Tip: FTM-Push notification configured but not working

Technical Tip: How to provision FortiToken cloud

Technical Tip: FortiGate support for FTM push for firewall policy authentication

Technical Tip: FTM Push Notification failing with Error - 'Token denied or timeout (-7105)'