princes
Staff
Article Id 357944
Description This article describes an issue with certificates in push notifications to mobile tokens.
Scope FortiGate, FortiToken.
Solution

After configuring the FTM-Push settings, the user gets an SSL secure connection failure. This is caused by the built-in self-signed certificate on the FortiGate. Also ensure that the server is reachable on the defined port.


This is the default certificate for the FTM-Push config:


iron-kvm37 # config sys ftm-push
iron-kvm37 (ftm-push) # sh full
config system ftm-push
    set proxy enable
    set server-port 4433
    set server-cert "Fortinet_GUI_Server"   <----- Default certificate not recommended to install on endpoints.
    set server ''

The default certificate is self-signed, so it is not trusted by the mobile device and is not recommended for TLS server authentication; this is what causes the SSL secure connection to fail.


The following output can be seen in the FortiGate debug:


diagnose debug app ftm-push -1
diagnose debug enable


SSL secure connection failed, failed to validate cert <cert-name>


Replace the default built-in certificate with a trusted one, or use the same certificate that is used in the SSL VPN configuration.


In cloud environments, make sure the next hop (where the public IP is available) can relay traffic on port 4433; the port can be customized as required.
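A pre-check that can be run from an admin workstation, added here as an example and not part of Fortinet's tooling: it connects to the FTM-Push port using the operating system's trust store, the way the mobile token app does, and reports whether the chain validates and whether the presented certificate is self-signed. The host name and port are assumptions; point them at your own FortiGate.

```python
"""Check whether a FortiGate FTM-Push listener presents a certificate that
mobile tokens can validate. Added example; host/port are assumptions."""
import socket
import ssl


def _name_to_dict(rdns):
    # ssl.getpeercert() returns subject/issuer as a tuple of RDNs,
    # each RDN being a tuple of (key, value) pairs.
    return {k: v for rdn in rdns for (k, v) in rdn}


def classify_cert(cert):
    """Return 'self-signed' when issuer equals subject (the pattern of the
    built-in Fortinet_GUI_Server certificate), otherwise 'ca-issued'."""
    subject = _name_to_dict(cert.get("subject", ()))
    issuer = _name_to_dict(cert.get("issuer", ()))
    return "self-signed" if subject == issuer else "ca-issued"


def check_ftm_push(host, port=4433, timeout=5.0):
    """Connect with the default (system) trust store and hostname check,
    as the mobile app would. Returns (validated, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return True, "chain validated; certificate is " + classify_cert(cert)
    except ssl.SSLCertVerificationError as exc:
        # Same condition the FortiGate logs as
        # 'SSL secure connection failed, failed to validate cert <cert-name>'
        return False, "certificate not trusted: " + exc.verify_message
    except OSError as exc:
        # Port 4433 unreachable: check the next hop / relay before the cert.
        return False, "cannot reach %s:%d (%s)" % (host, port, exc)


if __name__ == "__main__":
    # Hypothetical FortiGate address (assumption, replace with your own).
    ok, detail = check_ftm_push("fortigate.example.internal", 4433)
    print(("OK: " if ok else "FAIL: ") + detail)
```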


Related articles:

Troubleshooting Tip: FTM-Push notification configured but not working

Technical Tip: How to provision FortiToken cloud