FortiGate
akanibek
Staff
Article Id 323147
Description This article describes how shared FTM licenses are managed between FortiGate HA Active-Passive cluster members.
Scope

FortiGate v7.0.14 GA, FTM license.

Solution

Consider that a FortiGate HA cluster has already been configured, and start configuring an Active node to add an FTM license.

If it has not been done yet, follow the official documentation to form the desired HA cluster.

1. Add FTMs to the Active node:

[Screenshot: AddtoPri.png]

The activation request sent by the Active node lists both cluster members' serial numbers under __clustered_sns; the response returns a per-member error field (null on success) together with the license number and the tokens:


{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4", "license_activation_code": "1111-2222-3333-4444-5555", "serial_number": "FGVM01TM00000066", "__device_version": "7.0", "__device_build": "0601", "__clustered_sns": [ { "sn": "FGVM01TM00000066" }, { "sn": "FGVM01TM00000067" } ] } }

2024-06-28 16:50:19 ftm_fc_comm_recv_response[266]:receive packet success.

{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4","serial_number":"FGVM01TM000000066","__device_version":"7.0","__device_build":"0601","__clustered_sns":[{"sn":"FGVM01TM00000066","error":null},{"sn":"FGVM01TM00000067","error":null}],"license_activation_code":"184B-017F-E73E-2F01-6E2D","license":"EFTM000000000031","tokens":[{"token":"FTKMOB...."},{"token":"FTKMOB...."},{"token":"FTKMOB...."},{"token":"FTKMOB...."},{"token":"FTKMOB...."}],"result":2,"error":null}}

2. Tokens list:

fgt-primary (root) # diagnose fortitoken info
FORTITOKEN       DRIFT  STATUS
FTKMOB0000000097 0      new
FTKMOB00000000F8 0      new
FTKMOB00000000B7 0      new
FTKMOB00000000EE 0      new
FTKMOB0000000045 0      provisioned
FTKMOB00000000B1 0      new
FTKMOB0000000064 0      new
Total activated token: 0
Total global activated token: 0


3. Assign a token to the local user 'tokenuser'. The screenshot shows the token has already been provisioned:

[Screenshot: provisionsToken.png]


4. Fail over to the Secondary node; the tokens are synced:

fgt-sec (root) # diagnose fortitoken info
FORTITOKEN       DRIFT  STATUS
FTKMOB0000000097 0      new
FTKMOB00000000F8 0      new
FTKMOB00000000B7 0      new
FTKMOB00000000EE 0      new
FTKMOB0000000045 0      provisioned
FTKMOB00000000B1 0      new
FTKMOB0000000064 0      new
Total activated token: 0
Total global activated token: 0


5. Test the local user account 'tokenuser' for password and 2FA code via the CLI on the now-active Secondary node:


fgt-sec (root) # diagnose test authserver local vpngroup tokenuser [password]
Token Code:******
authenticate user 'tokenuser' in group 'vpngroup' succeeded

6. Provision a new token to the user 'tokenuser2' and test the 2FA code on the same active Secondary node:

[Screenshot: provisionsToken2.png]


fgt-sec (root) # diagnose test authserver local vpngroup tokenuser2 [password]
Token Code:******
authenticate user 'tokenuser2' in group 'vpngroup' succeeded

7. Revert to the Primary node and test 'tokenuser2' on the active Primary node:


fgt-primary (root) #
fgt-primary (root) # diag test authserver local vpngroup tokenuser2 [password]
Token Code:******
authenticate user 'tokenuser2' in group 'vpngroup' succeeded
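As an added example (not part of the original article), the following Python script automates the two checks the steps above perform by hand: that the activation response accepted every cluster serial listed under __clustered_sns, and that the `diagnose fortitoken info` tables of the Primary and Secondary nodes match after failover. The sample response and token tables are constructed; the token serials and the error string are placeholders.

```python
import json
import re
# Constructed samples modelled on the outputs shown in this article; the token
# serials and the error string are placeholders, not values from a real system.
ACTIVATION_RESPONSE = json.dumps({"d": {
    "__type": "SoftToken.ActivationLicenseResponse", "__version": "4",
    "serial_number": "FGVM01TM00000066", "license": "EFTM000000000031",
    "__clustered_sns": [{"sn": "FGVM01TM00000066", "error": None},
                        {"sn": "FGVM01TM00000067", "error": "not in cluster"}],
    "result": 2, "error": None}})
PRIMARY_TOKENS = """FORTITOKEN       DRIFT  STATUS
FTKMOB0000000097 0      new
FTKMOB0000000045 0      provisioned
FTKMOB00000000B1 0      new
Total activated token: 0"""
# Secondary copy where one token never arrived and one has a stale status.
SECONDARY_TOKENS = """FORTITOKEN       DRIFT  STATUS
FTKMOB0000000097 0      new
FTKMOB0000000045 0      new
Total activated token: 0"""

def parse_token_table(text):
    """Parse 'diagnose fortitoken info' output into {serial: (drift, status)}."""
    rows = {}
    for line in text.splitlines():
        m = re.match(r"^(FTKMOB[0-9A-F]{10})\s+(-?\d+)\s+(\w+)", line)
        if m:
            rows[m.group(1)] = (int(m.group(2)), m.group(3))
    return rows

def check_activation(response_json, expected_sns):
    """Confirm every HA member serial was accepted by the activation server."""
    d = json.loads(response_json)["d"]
    failed = {e["sn"]: e["error"] for e in d["__clustered_sns"] if e.get("error")}
    accepted = {e["sn"] for e in d["__clustered_sns"]} - set(failed)
    missing = sorted(set(expected_sns) - accepted)
    return {"ok": not failed and not missing and d.get("error") is None,
            "failed": failed, "missing": missing}

def compare_ha_tokens(primary_text, secondary_text):
    """Report tokens that differ between the two cluster members after a sync."""
    p, s = parse_token_table(primary_text), parse_token_table(secondary_text)
    only_primary = sorted(set(p) - set(s))
    only_secondary = sorted(set(s) - set(p))
    status_mismatch = sorted(t for t in set(p) & set(s) if p[t][1] != s[t][1])
    return {"in_sync": not (only_primary or only_secondary or status_mismatch),
            "only_primary": only_primary, "only_secondary": only_secondary,
            "status_mismatch": status_mismatch}
```

Run `check_activation(ACTIVATION_RESPONSE, ["FGVM01TM00000066", "FGVM01TM00000067"])` and `compare_ha_tokens(PRIMARY_TOKENS, SECONDARY_TOKENS)` to see which member or token is out of step.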


Related articles:

Technical Note: FortiToken basic troubleshooting

Technical Tip: Restoring an accidentally deleted trial or licensed FortiToken Mobile (FTM)

Technical Tip: Free FortiTokenMobile in HA