FortiGate
gmanea
Staff
Article Id 190300

Description

 

This article describes how to connect to the FortiToken server in order to download FortiToken Mobile tokens. This issue occurs if the source IP used by the FortiGate is not allowed to be routed, as illustrated below:

[Image: FortiToken import error (matanaskovic_0-1653034816692.png)]

 

Scope

 

FortiGate.

 

Solution

 
In case of an Internal Server Error while trying to import the FortiTokens, one of the possible reasons is a routing issue. To change the source IP used to connect to FortiGuard, use the following method.

For FortiGuard services:

config system fortiguard
    set source-ip 0.0.0.0  <- Set the desired IP allowed upstream.
end

However, this method does not work for FortiToken servers. In that case, create a static route toward the FortiToken server using the preferred gateway as follows:

config router static
    edit 0
        set dst 96.45.36.92 255.255.255.255
        set gateway x.x.x.x  <- Instead of x.x.x.x, use the preferred gateway.
        set device y.y.y.y   <- Instead of y.y.y.y, use the name of the gateway interface.
    next
end

Where 63.137.229.3 is the FortiToken registration server IP. This address can be resolved from the hostname directregistration.fortinet.com.
 
If the previous method is unsuccessful, review the existing FortiGuard configuration. Check the interface selection method and verify that FortiGuard connectivity is properly established.

config system fortiguard
    set interface-select-method specify
    set interface "wan2"
end

The available values for interface-select-method are:

set interface-select-method auto     <----- Set outgoing interface automatically.
set interface-select-method sdwan    <----- Set outgoing interface by SD-WAN or policy routing rules.
set interface-select-method specify  <----- Set outgoing interface manually.
 
If a specific interface is selected, ensure that the FortiGate has a default route configured for that interface. Verify this by checking the routing table (using the 'get router info routing-table' command) and confirm internet connectivity by pinging an external IP address from that interface. For example, to ping from the wan2 IP address:

execute ping-options source <wan2 IP>
execute ping 8.8.8.8
If SD-WAN is configured for the WAN connections, review the SD-WAN configuration to ensure it is correctly set up. Additionally, verify that the FortiGuard configuration has 'set interface-select-method sdwan'.

As of v6.0.7, this behavior has been changed and the FortiGuard source IP can be used for connecting to the FortiToken server.
 
If the solution above does not solve the issue, run the following debug:
 
diag debug console timestamp enable
diag debug app forticldd -1
diag debug app alert -1
diagnose fortitoken debug enable
diag debug enable

 

Examine the output of the debug:

 

2023-03-09 10:30:52 ftm_cfg_import_license[324]:import license 0000-0000-0000-0000-0000
2023-03-09 10:30:52 is_trial_tokens_available[55]:No trial tokens are available.
2023-03-09 10:30:52 ftm_fc_comm_connect[38]:ftm cannot resolve DNS
2023-03-09 10:30:52 ftm_fc_command[539]:forticare [ftm2.fortinet.net:443] unreachable

 

Based on the output above, the FortiToken Mobile server is unreachable. This can be caused by a FortiGuard connectivity issue. The following settings can be changed to ensure connectivity to the server.

 

config system fortiguard
    set fortiguard-anycast disable
    set port 8888
    set protocol udp
    set source-ip 0.0.0.0
    set sdns-server-ip 208.91.112.220
end

 

After making these changes, run the following commands so that the new FortiGuard settings take effect and verify that the update succeeds:

diagnose debug reset
diagnose debug enable
diagnose debug application update -1
execute update-now

 

Note that with the fortiguard-anycast service disabled, the default protocol and port must be reachable. The default values can be found under 'config system fortiguard' in the FortiGate CLI reference.

 

FortiOS's Anycast FTM server domain for AWS has been changed to 'globalftm2.fortinet.net' and the settings have been adjusted starting from v7.4.1; for branches below v7.4.1, it is still ftm2.fortinet.net.
Therefore, a FortiGate running a version below v7.4.1 with AWS Anycast will fail to add new FortiToken Mobile tokens. To be able to activate FortiToken Mobile, Anycast should be disabled or adjusted to the value 'fortinet'.

 

For physical devices running an OS version below 7.4.1, when trying to import the mobile tokens, the following error is sometimes observed in the output of 'diagnose debug application update -1': 'Error : 19 (Self-signed certificate in certificate chain)'. The following changes can be made on the FortiGate:

 

config system fortiguard
    set fortiguard-anycast enable
    set port 443
    set protocol https
end

 

After that, try to import the tokens again. If the issue persists, contact Fortinet technical support for more assistance.
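As an added example, not part of this article or of any Fortinet tooling, the following Python script classifies the ftm debug lines shown earlier (DNS resolution failure, FTM server unreachable) together with the 'Error : 19' certificate message, mapping each symptom to the remediation this article gives. The line layout "<date> <time> <function>[<line>]:<message>" and the sample lines are assumptions modelled on the output quoted above.

```python
import re

# Constructed sample modelled on the article's ftm debug lines and update error; values are placeholders.
SAMPLE_DEBUG = """\
2023-03-09 10:30:52 ftm_cfg_import_license[324]:import license 0000-0000-0000-0000-0000
2023-03-09 10:30:52 is_trial_tokens_available[55]:No trial tokens are available.
2023-03-09 10:30:52 ftm_fc_comm_connect[38]:ftm cannot resolve DNS
2023-03-09 10:30:52 ftm_fc_command[539]:forticare [ftm2.fortinet.net:443] unreachable
Error : 19 (Self-signed certificate in certificate chain)
"""

# Assumed ftm debug line layout: "<date> <time> <function>[<source line>]:<message>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<func>\w+)\[(?P<lineno>\d+)\]:(?P<msg>.*)$")
# "[host:port]" of the server the FortiGate tried to reach
TARGET_RE = re.compile(r"\[(?P<host>[\w.-]+):(?P<port>\d+)\]")

# (symptom pattern, finding name, remediation taken from the article)
RULES = (
    (r"cannot resolve DNS", "dns_failure",
     "FortiGate cannot resolve the FTM hostname: check DNS and the FortiGuard egress interface"),
    (r"\bunreachable\b", "ftm_unreachable",
     "FTM server unreachable: review interface-select-method, source-ip and the static route"),
    (r"Error : 19", "self_signed_cert",
     "certificate chain error: set fortiguard-anycast enable, port 443, protocol https"),
)

def parse_line(raw):
    """Split one debug line into its fields; unstructured lines keep only the message."""
    m = LINE_RE.match(raw.strip())
    if m:
        return m.groupdict()
    return {"ts": None, "func": None, "lineno": None, "msg": raw.strip()}

def diagnose(debug_text):
    """Return one finding per matching rule, with the originating function and target."""
    findings = []
    for raw in debug_text.splitlines():
        entry = parse_line(raw)
        for pattern, name, fix in RULES:
            if re.search(pattern, entry["msg"]):
                finding = {"name": name, "remediation": fix, "func": entry["func"]}
                target = TARGET_RE.search(entry["msg"])
                if target:
                    finding["host"], finding["port"] = target["host"], int(target["port"])
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_DEBUG):
        print(f"{f['name']:16} {f['remediation']}")
```

Paste the real debug output into SAMPLE_DEBUG (or feed it to diagnose()) to see which of the article's remediations applies to the observed symptom.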

 

Related articles:

Technical Note: How to control/change the FortiGate source IP for self-generated traffic.

Troubleshooting Tip: import FortiToken license Internal server.

Troubleshooting Tip: FortiGate FortiToken configuration and troubleshooting resource list