Description

This article describes how to use a FortiToken on multiple units (not recommended in production).
It is advised to try it in a test/lab environment.

Solution

There are different types of FortiToken, and not all of them can be used on multiple units. The table below gives the details and usage of each type:
| Model | Serial Number Prefix | Type and usage |
|---|---|---|
| FortiToken-200 | FTK200 | Hardware; online activation and seeds stored in FortiGuard; one-time activation lock automatically applied; local assignment on FGT/FAC; parallel use on multi-host possible |
| FortiToken-220 | FTK220 | Hardware; online activation and seeds stored in FortiGuard; one-time activation lock automatically applied; local assignment on FGT/FAC; parallel use on multi-host possible |
| FortiToken-200-CD | FTK211 | Hardware; offline, no connection for activation needed; seeds on CD only; suitable for closed environments; parallel use on multi-host possible |
| FortiToken Mobile | FTKMOB | Software; iOS/Android/Windows Phone8 support; license locked to FGT/FAC serial number; HA cluster supported via shared license; FortiCare assisted provisioning; multi-host use prohibited! Online connection to FortiCare needed for activation and also for token management! |
There are two modes for FortiToken:
- 'normal': the token is automatically locked by FDS when activated. The one-time activation lock is applied and any other activation attempt is prohibited, even from the same unit as the previous/first one.
- 'unlimited': a DEMO token with the locking mechanism disabled and without any activation tracking. Such a token can therefore be activated from any number of units, even from those not belonging to the customer, and without any evidence or notification of this action.

DO NOT USE SUCH A TOKEN IN PRODUCTION AT ALL!! SUCH A TOKEN HAS TO BE CONSIDERED COMPROMISED ALREADY!!
To use a FortiToken for testing purposes, request the mode change through the Support Portal by creating a ticket for this purpose.
Send the serial number of the FortiToken whose mode needs to be changed.
To proceed, it is also necessary to accept the FortiToken disclaimer below:
'Fortinet notes that by marking the FortiToken unlimited, Fortinet is complying with your request and disclaims any later changes related to this FortiToken. If the FortiToken is changed to 'one-time' default, for example, to place into production, Fortinet is not responsible for any support related to such changes. Fortinet disclaims in full any guarantees or liability related to the requested change as it is outside the scope of the intended use of FortiToken. Fortinet further disclaims any liability for damages directly or indirectly caused by operating the tokens in a production environment in 'unlimited' mode.'
Note:
FTK200CD tokens are recommended for this purpose.
These tokens come with an activation file on CD, which can be used for multiple activations on multiple devices without the security concern of FTK-200 unlimited online activation.
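The table and the two modes above can be turned into an inventory check that flags tokens activated on more than one unit. The following is an added example, not Fortinet code: the `audit` function, the `(unit, serial)` record format, the unit names and the serial numbers are assumptions made for illustration. It assumes each record is an activated token and that an HA cluster is listed as a single unit.

```python
from collections import defaultdict

# Multi-unit rules taken from the table and mode descriptions on this page.
# Keys are the serial number prefixes listed there.
RULES = {
    "FTK200": "unlimited-only",  # online activation, one-time lock in normal mode
    "FTK220": "unlimited-only",
    "FTK211": "allowed",         # seeds on CD, offline activation
    "FTKMOB": "prohibited",      # license locked to one FGT/FAC serial number
}

def audit(records):
    """records: iterable of (unit_name, token_serial) pairs (hypothetical export).

    Returns {serial: (finding, sorted unit list)} for every token seen on more
    than one unit, plus any token whose prefix is not in the table.
    """
    units = defaultdict(set)
    for unit, serial in records:
        units[serial.strip().upper()].add(unit)

    findings = {}
    for serial, seen_on in units.items():
        rule = RULES.get(serial[:6])
        where = sorted(seen_on)
        if rule is None:
            findings[serial] = ("unknown-prefix", where)
        elif len(seen_on) > 1:
            if rule == "unlimited-only":
                # A normal-mode token cannot be activated a second time, so
                # this token must be in 'unlimited' mode: lab use only.
                findings[serial] = ("unlimited-mode-not-for-production", where)
            elif rule == "prohibited":
                findings[serial] = ("multi-host-prohibited", where)
            else:
                findings[serial] = ("ok-offline-seed", where)
    return findings

# Constructed sample inventory (unit names and serial numbers are made up).
SAMPLE = [
    ("fgt-lab-1", "FTK200AAAA000001"), ("fgt-lab-2", "FTK200AAAA000001"),
    ("fgt-lab-1", "FTK211BBBB000002"), ("fac-lab-1", "FTK211BBBB000002"),
    ("fgt-prod-1", "FTKMOBCCCC000003"), ("fgt-prod-2", "FTKMOBCCCC000003"),
    ("fgt-prod-1", "FTK220DDDD000004"),
]

if __name__ == "__main__":
    for serial, (finding, where) in sorted(audit(SAMPLE).items()):
        print(f"{serial}: {finding} on {', '.join(where)}")
```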