akanibek
Staff
Article Id 323147
Description

This article describes how shared FortiToken Mobile (FTM) licenses are managed between the members of a FortiGate HA Active-Passive cluster.
Scope

FortiGate v7.0.14 GA, FTM license (EFTM-number).

Solution

This article assumes that a FortiGate HA cluster has already been configured; the FTM license is added on the Active (Primary) node.

If the cluster has not been formed yet, follow the official documentation to form the desired HA cluster:

1. Add the FTM license on the Active node. The activation request sent to FortiGuard lists both cluster members' serial numbers under __clustered_sns, and the response returns the license and its tokens once for the whole cluster:

[Screenshot: AddtoPri.png]

{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4", "license_activation_code": "1111-2222-3333-4444-5555", "serial_number": "FGVM01TM00000066", "__device_version": "7.0", "__device_build": "0601", "__clustered_sns": [ { "sn": "FGVM01TM00000066" }, { "sn": "FGVM01TM00000067" } ] } }

2024-06-28 16:50:19 ftm_fc_comm_recv_response[266]:receive packet success.

{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4","serial_number":"FGVM01TM000000066","__device_version":"7.0","__device_build":"0601","__clustered_sns":[{"sn":"FGVM01TM00000066","error":null},{"sn":"FGVM01TM00000067","error":null}],"license_activation_code":"184B-017F-E73E-2F01-6E2D","license":"EFTM000000000031","tokens":[{"token":"FTKMOB...."},{"token":"FTKMOB...."},{"token":"FTKMOB...."},{"token":"FTKMOB...."},{"token":"FTKMOB...."}],"result":2,"error":null}}

2. List the tokens on the Primary node:

fgt-primary (root) # diagnose fortitoken info
FORTITOKEN       DRIFT  STATUS
FTKMOB0000000097 0      new
FTKMOB00000000F8 0      new
FTKMOB00000000B7 0      new
FTKMOB00000000EE 0      new
FTKMOB0000000045 0      provisioned
FTKMOB00000000B1 0      new
FTKMOB0000000064 0      new
Total activated token: 0
Total global activated token: 0

3. Assign a token to the local user 'tokenuser'. The screenshot shows that the token has already been provisioned:

[Screenshot: provisionsToken.png]

4. Fail over to the Secondary node and observe that the tokens and their states have been synchronized:

fgt-sec (root) # diagnose fortitoken info
FORTITOKEN       DRIFT  STATUS
FTKMOB0000000097 0      new
FTKMOB00000000F8 0      new
FTKMOB00000000B7 0      new
FTKMOB00000000EE 0      new
FTKMOB0000000045 0      provisioned
FTKMOB00000000B1 0      new
FTKMOB0000000064 0      new
Total activated token: 0
Total global activated token: 0
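As an added check that is not part of the original article, the following Python script parses the "diagnose fortitoken info" output captured from each HA member and reports tokens that are missing on one node or whose status differs between nodes. The sample listings are constructed from the outputs above; the drifted Secondary variant is invented to show what an incomplete sync would look like.

```python
import re
# Sample output constructed from the article's "diagnose fortitoken info" listing.
PRIMARY_OUTPUT = """\
FORTITOKEN       DRIFT  STATUS
FTKMOB0000000097 0      new
FTKMOB00000000F8 0      new
FTKMOB00000000B7 0      new
FTKMOB00000000EE 0      new
FTKMOB0000000045 0      provisioned
FTKMOB00000000B1 0      new
FTKMOB0000000064 0      new
Total activated token: 0
Total global activated token: 0
"""
# Constructed Secondary listing that did NOT sync: one status differs, one token is missing.
SECONDARY_OUTPUT_DRIFTED = """\
FORTITOKEN       DRIFT  STATUS
FTKMOB0000000097 0      provisioned
FTKMOB00000000F8 0      new
FTKMOB00000000B7 0      new
FTKMOB00000000EE 0      new
FTKMOB0000000045 0      provisioned
FTKMOB00000000B1 0      new
Total activated token: 0
Total global activated token: 0
"""
# One token row: serial, clock drift, status (new / provisioned / ...).
TOKEN_LINE = re.compile(r"^(FTKMOB[0-9A-F]+)\s+(-?\d+)\s+(\w+)$")

def parse_fortitoken_info(output: str) -> dict:
    # Returns {serial: {"drift": int, "status": str}}; header and totals lines are skipped.
    tokens = {}
    for line in output.splitlines():
        m = TOKEN_LINE.match(line.strip())
        if m:
            tokens[m.group(1)] = {"drift": int(m.group(2)), "status": m.group(3)}
    return tokens

def compare_nodes(primary: str, secondary: str) -> dict:
    # Tokens missing on either node, or present on both with a differing status.
    p, s = parse_fortitoken_info(primary), parse_fortitoken_info(secondary)
    return {
        "missing_on_secondary": sorted(set(p) - set(s)),
        "missing_on_primary": sorted(set(s) - set(p)),
        "status_mismatch": sorted(t for t in set(p) & set(s) if p[t]["status"] != s[t]["status"]),
    }
```

Call compare_nodes() with the two captured listings; all three lists empty means the members agree, which is what the identical Primary and Secondary outputs above show.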

5. Test the local user account 'tokenuser' for password and 2FA code via the CLI on the now-active Secondary node:

fgt-sec (root) # diagnose test authserver local vpngroup tokenuser [password]
Token Code:******
authenticate user 'tokenuser' in group 'vpngroup' succeeded

6. Provision a new token to the user 'tokenuser2' and test the 2FA code on the same active Secondary node:

[Screenshot: provisionsToken2.png]

fgt-sec (root) # diagnose test authserver local vpngroup tokenuser2 [password]
Token Code:******
authenticate user 'tokenuser2' in group 'vpngroup' succeeded

7. Revert to the Primary node and test 'tokenuser2' on the now-active Primary node:

fgt-primary (root) # diag test authserver local vpngroup tokenuser2 [password]
Token Code:******
authenticate user 'tokenuser2' in group 'vpngroup' succeeded

Related articles:

Technical Note: FortiToken basic troubleshooting

Technical Tip: Restoring an accidentally deleted trial or licensed FortiToken Mobile (FTM)

Technical Tip: Free FortiTokenMobile in HA