Description

This article describes how to configure FortiToken mobile push notifications.

Scope

FortiGate.

Solution

FortiGates with associated mobile FortiTokens can be configured to send push notifications: Instead of requiring users to submit the token code manually, it can simply confirm the login attempt on the same mobile their token is registered on.

Apple (APNS) and Google (GCM/FCM) provide the push service for iPhone and Android, respectively. This helps to avoid locking Tokens after disabling an already enabled two-factor authentication user.

FortiToken Mobile Push notifications can be configured via CLI only. If in multi-VDOM mode, ftm-push is configured in global VDOM.

FortiToken Mobile Push includes the following configurations depending on the version of FortiGate :

get system ftm-push 

server-port         : 4433

server-cert         : Fortinet_Factory

server-ip           : 0.0.0.0

server              :

status              : disable

• server-port: Port to communicate with FortiToken Mobile push services server (1 - 65535, default = 4433).
• server-cert: Name of the server certificate to be used for SSL (default = Fortinet_Factory).
• server-ip: IPv4 address of FortiToken Mobile push services server (format: xxx.xxx.xxx.xxx).(not supported from 6.4.10 onwards).
• server: IPv4 address or domain name of FortiToken Mobile push services server.
• status: Enable/disable the use of FortiToken Mobile push services.

Note: 

• server-ip: The server IP address is the FortiGate's public IP or public IP address of the device which is upstream and forwarding the push notification responses towards FortiGate (This command is not supported from v6.4.10 onwards).
• server: This can be a public IP or Domain name (which is resolved to FortiGate's Public IP). This option is not available on v6.4.9 and below.

It is possible to add one IP address at a time under 'server-ip' or 'server'.

From v6.4.10 and above, as well as in v7.0, v7.2, v7.4, v7.6:

The 'set server-ip' command is not in use anymore and will print the following error message (X.X.X.X: replace this with Public  IP address):

config sys ftm-push 

    set server-ip X.X.X.X

Missing server address.

object check operator error, -56, discard the setting

Command fail. Return code -56

Instead of 'set server-ip', the 'set server'  command can be used from v6.4.10 onwards.

'set server' command provides the flexibility to use a domain name or an IP. FortiDDNS server can be used to set the domain name against FortiGate's public IP.

config sys ftm-push

    set server example.fortinet.com

end

Or:

config sys ftm-push

    set server X.X.X.X

end

Configuring both 'set server-ip' and # 'set server' is also not supported, and if being use,d it will be followed by the error:

config sys ftm-push 

    set server example.fortinet.com

    set server-ip X.X.X.X

end

Starting with v7.6.4, Server-IP  can be configured through the GUI: Technical Tip: Changing port for push notification configuration

Warning:

Unset server-ip and use server configuration only.

The push notification process runs as follows:

1. A user with an associated token log-in (SSL VPN, captive portal, etc).
2. This triggers a token requirement.
3. FortiGate offers the choice of push notification or entering the token code manually.
4. If a push notification is selected, FortiGate sends the push notification with the server IP and port configured in CLI to the Apple/Android servers in question.
5. The message is forwarded to the user’s mobile from there.
6. The mobile sends the reply to the server IP and port defined in FortiGate CLI and contained within the push notification.

Requirements for FortiToken Mobile push to work properly.

1. The FortiToken Mobile service and ping must be allowed on the FortiToken Mobile response receiving interface:

config system interface

    edit <name>

        set allowaccess ftm ping

    next

end

2. There must be at least one administrator account with no trusted hosts configured: If there are company policies in place that do not allow for exposing the FortiGate in such a manner (as this also means FortiGate will react to ping/ssh/https prompts on interfaces with such enabled), configure a local-in policy instead and ensure the port used for the push is allowed inbound. See Technical Tip: Impact of Local-In Policies and Trusted Hosts Configuration on FortiGate Access for information on how to replace the trusted hosts with a local-in policy.

3. If the FortiGate with push notification enabled is behind a router/other firewall that performs NATing, then a virtual IP/port forwarding must be configured on that unit to allow responses to reach the FortiGate.

Note:

IKEv1 does not support FortiToken Mobile Push. If FortiToken Mobile Push is enabled globally on the FortiGate, FortiToken Mobile Users will not be able to login to IKEv1 dialup VPN.

Push notifications are fully supported for IPsec (IKEv2) starting from:

• v7.2.8.

• FortiClient versions:
  

  • v7.2.4 and above for Windows.
  • v7.2.5 and above for MAC.
  • v7.2.5 and above for Linux.

Related documents:

DDNS

Troubleshooting Tip: FTM-Push notification configured but not working

Technical Tip: How to provision FortiToken cloud

Technical Tip: FortiGate support for FTM push for firewall policy authentication

Technical Tip: FTM Push Notification failing with Error - 'Token denied or timeout (-7105)'