vdralio
Staff
Article Id 194435
Description
This article describes how to use a FortiToken on multiple units (not recommended in production).

It is advised to try this in a test/lab environment.

Solution
FortiToken comes in different types, and not all of them can be used on multiple units. The details and usage of each type are listed below:

Model: FortiToken-200
Serial Number Prefix: FTK200
Hardware
- Online activation and seeds stored in FortiGuard
- One-time activation lock automatically applied
- Local assignment on FGT/FAC
- Parallel use on multi-host possible

Model: FortiToken-220
Serial Number Prefix: FTK220
Hardware
- Online activation and seeds stored in FortiGuard
- One-time activation lock automatically applied
- Local assignment on FGT/FAC
- Parallel use on multi-host possible

Model: FortiToken-200-CD
Serial Number Prefix: FTK211
Hardware
- Offline, no connection for activation needed
- Seeds on CD only
- Suitable for closed environments
- Parallel use on multi-host possible

Model: FortiToken Mobile
Serial Number Prefix: FTKMOB
Software
- iOS/Android/Windows Phone 8 support
- License locked to FGT/FAC serial number
- HA cluster supported via shared license
- FortiCare assisted provisioning
- Multi-host use prohibited!
- Online connection to FortiCare needed for activation and also for token management!

There are two modes for FortiToken:

- 'normal': the token is automatically locked by FDS when activated.
The one-time activation lock is applied and any other activation attempt is prohibited, even from the same unit that performed the first activation.

- 'unlimited': a DEMO token with the locking mechanism disabled and without any activation tracking.
Therefore, such a token can be activated from any number of units, even from those not belonging to the customer! This happens without any evidence or notification of the action.
DO NOT USE SUCH A TOKEN IN PRODUCTION AT ALL!! SUCH A TOKEN HAS TO BE CONSIDERED COMPROMISED ALREADY!!

To use a FortiToken for testing purposes, it is necessary to request the mode change through the Support Portal by creating a ticket for this purpose.
Include the serial number of the FortiToken whose mode needs to be changed.

Also, to proceed, it is necessary to accept the FortiToken Disclaimer shown below:

'Fortinet notes that by marking the FortiToken unlimited, Fortinet is complying with your request and disclaims any later changes related to this FortiToken. If the FortiToken is changed to 'one-time' default, for example, to place into production, Fortinet is not responsible for any support related to such changes. Fortinet disclaims in full any guarantees or liability related to the requested change as it is outside the scope of the intended use of FortiToken. Fortinet further disclaims any liability for damages directly or indirectly caused by operating the tokens in a production environment in 'unlimited' mode.'

Note.
FTK200CD tokens are recommended for this purpose.
These tokens come with an activation file on CD.
This file can be used for multiple activations on multiple devices without the security concern of FTK-200 unlimited online activation.
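
The rules above can be checked against a token inventory. The following audit is an added example, not Fortinet code: the CSV layout, unit names and serial numbers are constructed, and it assumes an HA cluster is listed as a single unit.

```python
import csv
import io
from collections import defaultdict

# Activation type per serial number prefix, taken from the model list in this article.
PREFIX_RULES = {"FTK200": "online", "FTK220": "online",  # online activation, one-time lock
                "FTK211": "cd",                           # FortiToken-200-CD, seeds on CD
                "FTKMOB": "mobile"}                       # multi-host use prohibited

# Constructed sample inventory (hypothetical format): one row per token assignment.
SAMPLE_INVENTORY = """\
unit,environment,token_serial
fgt-lab-01,lab,FTK200AAAA000001
fgt-lab-02,lab,FTK200AAAA000001
fgt-prod-01,production,FTK200AAAA000002
fgt-prod-02,production,FTK200AAAA000002
fgt-lab-01,lab,FTK211AAAA000003
fgt-lab-02,lab,FTK211AAAA000003
fgt-prod-01,production,FTKMOBAAAA000004
fac-prod-01,production,FTKMOBAAAA000004
fgt-prod-01,production,FTK220AAAA000005
"""

def audit_inventory(text):
    """Return {serial: finding} for every token assigned on more than one unit."""
    units, envs = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        serial = row["token_serial"].strip().upper()
        units[serial].add(row["unit"].strip())
        envs[serial].add(row["environment"].strip().lower())
    findings = {}
    for serial, hosts in units.items():
        if len(hosts) < 2:
            continue  # single-unit assignment, nothing to flag
        kind = PREFIX_RULES.get(serial[:6], "unknown")
        if kind == "mobile":
            findings[serial] = "VIOLATION: FortiToken Mobile multi-host use is prohibited"
        elif kind == "cd":
            findings[serial] = "OK: CD-seeded token, multiple activations expected"
        elif kind == "online" and "production" in envs[serial]:
            # A second online activation is only possible in 'unlimited' mode.
            findings[serial] = "CRITICAL: 'unlimited' token in production, treat as compromised"
        elif kind == "online":
            findings[serial] = "REVIEW: 'unlimited' token, keep in test/lab only"
        else:
            findings[serial] = "REVIEW: unknown serial number prefix"
    return findings

if __name__ == "__main__":
    for serial, finding in sorted(audit_inventory(SAMPLE_INVENTORY).items()):
        print(serial, "->", finding)
```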

Related Articles

Technical Tip: Forti-Mobile token configuration in detail

Technical Note: How to restore licensed FortiToken mobile tokens

Technical Tip: Restoring accidentally deleted FortiToken Mobile

Technical Tip: Migrating users and FortiTokens to another FortiGate/FortiAuthenticator
