matanaskovic
Staff
Article Id 194574

Description

This article describes the procedure needed to re-register FortiTokens after a FortiGate unit has been replaced following an RMA.

Scope

FortiToken, FortiGate.

Solution

  1. Remove tokens that are assigned to users.

On the FortiGate, either disable two-factor authentication for each user manually in the GUI, or use the following commands to build a script covering all users who have FortiTokens assigned:

config user local
    edit xxxx                          <----- Replace xxxx with the username of each user.
        unset two-factor
    next
    edit xxxx
        unset two-factor
    next
    ...
end

  2. Delete all tokens.
    In the GUI:
    Go to User & Authentication -> FortiTokens.
    Select all Mobile Tokens and select the 'Delete' button.

  3. Register the EFTM license on the FortiGate to pull all tokens from that unit.
    During the RMA process, the EFTM license is bound to the FortiGate serial number.
    In the Register process, the license needs to be manually added to the FortiGate, after which FortiGuard checks in the background whether the added FortiToken license is valid for the FortiGate in question.

  • Locate the 20-digit code on the redemption certificate for the license: EFTMXXXXXXXX.
  • Go to User & Device -> FortiTokens and select 'Create New'.
  • Select Mobile Token, and enter the 20-digit certificate code in the Activation Code box.
  • Select OK.

  4. Assign and provision tokens to each user who needs to use two-factor authentication.

This can be done in the GUI by enabling two-factor authentication for each local user account, or in the CLI with the following commands to create a script:

config user local
    edit xxxx                          <----- Replace xxxx with the username of each user.
        set two-factor fortitoken
        set fortitoken XXXXXXXXXXXXXXX     <----- Enter the FortiToken number to assign each user.
    next
    edit xxxx
        set two-factor fortitoken
        set fortitoken XXXXXXXXXXXXXXX
    next
    ...
end


Tokens will be delivered automatically to the assigned e-mails.

Note: During token provision over CLI, the FortiGate initially checks if the user has an SMS number entered. If SMS is entered per user, the activation code will be sent over SMS. If users only have an email address assigned, then they will receive an email with the Activation code.

  5. Activate FortiToken Mobile tokens.

End users need to remove the previous tokens from the FortiToken Mobile app and follow this procedure to enter the new ones in the FortiToken Mobile application:
FortiToken Mobile - User Instructions
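As an added example, not part of this article or of FortiOS itself, the following Python script generates the two CLI batches from steps 1 and 4 out of a user-to-token mapping, so the whole batch can be reviewed before it is pasted into the FortiGate CLI. The usernames and token serials in it are constructed placeholders, and the token serial format is not validated beyond checking for duplicates.

```python
# Added example (not from the article): build the FortiOS CLI batches used in
# step 1 (unset two-factor) and step 4 (assign FortiTokens) from a mapping.
import re

# Constructed sample mapping; replace with the real local users and serials.
SAMPLE_ASSIGNMENTS = {
    "alice": "FTKPLACEHOLDER00001",   # placeholder serial, not a real token
    "bob": "FTKPLACEHOLDER00002",     # placeholder serial, not a real token
}

_NAME_RE = re.compile(r"^[A-Za-z0-9._@-]+$")


def _check_username(name: str) -> str:
    # Refuse names with spaces or quotes so one bad entry cannot derail the batch.
    if not _NAME_RE.match(name):
        raise ValueError(f"unsafe username: {name!r}")
    return name


def unset_two_factor_script(usernames) -> str:
    """Step 1: clear two-factor on every listed local user."""
    lines = ["config user local"]
    for name in usernames:
        lines += [f"    edit {_check_username(name)}",
                  "        unset two-factor",
                  "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


def assign_fortitoken_script(assignments) -> str:
    """Step 4: enable two-factor and assign one FortiToken per local user."""
    seen = set()
    lines = ["config user local"]
    for name, serial in assignments.items():
        if serial in seen:  # a token serial can belong to only one user
            raise ValueError(f"duplicate token serial: {serial}")
        seen.add(serial)
        lines += [f"    edit {_check_username(name)}",
                  "        set two-factor fortitoken",
                  f"        set fortitoken {serial}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(unset_two_factor_script(SAMPLE_ASSIGNMENTS))
    print(assign_fortitoken_script(SAMPLE_ASSIGNMENTS))
```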

Note: RMA of an HA cluster uses a different process. Refer to Technical Tip: FortiToken register and provision process after RMA in HA environment.