Description
This article describes how to configure FortiToken mobile push notifications.
Scope
FortiGate.
Solution
FortiGates with associated mobile FortiTokens can be configured to send push notifications: Instead of requiring users to submit the token code manually, it can simply confirm the login attempt on the same mobile their token is registered on.
Apple (APNS) and Google (GCM/FCM) provide the push service for iPhone and Android, respectively. This helps to avoid locking Tokens after disabling an already enabled two-factor authentication user.
Mobile token push notifications can be configured via CLI only.
FTM-Push includes the following configurations depending on the version of FortiGate :
config sys ftm-push
get
server-port : 4433
server-cert : Fortinet_Factory
server-ip : 0.0.0.0
server :
status : disable
server-port : Port to communicate with Fortitokens Mobile push services server (1 - 65535, default = 4433).
server-cert: Name of the server certificate to be used for SSL (default = Fortinet_Factory).
server-ip: IPv4 address of FortiToken Mobile push services server (format: xxx.xxx.xxx.xxx).(not supported from 6.4.10 onwards).
server: IPv4 address or domain name of FortiToken Mobile push services server.
status : Enable/disable the use of FortiToken Mobile push services.
Note:
server-ip : The server IP address is the FortiGate's public IP or public IP address of device which is upstream and forwarding the push notification responses towards FortiGate. (This command is not supported from 6.4.10 onwards).
server : This can be public IP or Domain name(which resolved to FortiGate's Public IP).This option is not available on 6.4.9 and below
Also you can add one IP address at a time under "server-ip" or "server".
From 6.4.10 onwards:
# "set server-ip" command is not in use any more and will print the following error message:
X.X.X.X---> replace this with Public IP address
config sys ftm-push
set server-ip X.X.X.X
Missing server address.
object check operator error, -56, discard the setting
Command fail. Return code -56
Instead of # 'set server-ip' , the # 'set server' command can be used on 6.4.10 onwards.
# 'set server' command provides the flexibility to use a domain name or an IP.
FortiDDNS server can be used to set the domain name against the FortiGate's public IP.
config sys ftm-push
set server example.fortinet.com
end
Or
config sys ftm-push
set server X.X.X.X
end
Configuring both # 'set server-ip' and # 'set server' is also not supported and if being used it will be followed by error:
config sys ftm-push
set server example.fortinet.com
set server-ip X.X.X.X
end
WARNING: Unset server-ip and use server configuration only.
The push notification process runs as follows:
Requirements for FTM push to work properly
config system interface
edit <name>
set allowaccess ftm ping
next
end
If there are company policies in place that do not allow for exposing the FortiGate in such a manner (as this also means FortiGate will react to ping/ssh/https prompts on interfaces with such enabled), the only other option is to use FortiToken Cloud; FortiToken Cloud does not require an administrator with no trusted hosts to be configured and is also capable of push notification.
Note:
Push notifications are fully supported for IPsec (IKEv2) starting from:
Related documents:
Troubleshooting Tip: FTM-Push notification configured but not working
Technical Tip: How to provision FortiToken cloud
Technical Tip: FortiGate support for FTM push for firewall policy authentication
Technical Tip: FTM Push Notification failing with Error - 'Token denied or timeout (-7105)'
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.