Renante_Era
Article Id 222439
Description This article describes the process of initial ftm-push troubleshooting.
Scope FortiGate, FortiToken.
Solution

The following troubleshooting steps apply when FortiToken Mobile push notifications have been configured but the user still cannot log in after tapping 'Approve' in the FortiToken Mobile app.

1) Check that FTM is enabled under Administrative Access on the wan interface (Network -> Interfaces).

2) Verify the server-ip address set in ftm-push and ensure that the status is enabled. In general, use 0.0.0.0 unless there is a specific reason to specify the public IP address.

Keep in mind that specifying a public IP address in server-ip might impact ftm-push fail-over if the device encounters an ISP issue.

show full system ftm-push

3) Note the server-port from the output of the above command and ensure that no overlapping port is configured under Policy & Objects -> Virtual IPs. Update that port if needed.

For instance, if port forwarding is configured under Virtual IPs for port 4433, and there are no conflicts for 20443, then use the following commands:

config system ftm-push
    set server-port 20443
end

4) Verify that the server-port is not blocked by a local-in-policy.

sh full firewall local-in-policy

5) If the FortiGate uses an internal DNS server that resolves the ftm-push server name to an IP other than the public IP, change the ftm-push config to use the public IP instead of the domain name.

Testing the name resolution:

execute ping <Domain Name>

If the resolved address differs from the public IP, adapt the config:

config system ftm-push
    set server <Public IP>
end

6) Run debug flow and ensure that the message 'iprope_in_check() check failed, drop' is not seen. If it is, it might indicate that the inbound ftm-push traffic is blocked by the Trusted Hosts configured under System -> Administrators.

di de res
di de fl filter cl
di de cons t en
di de fl sh f en
di de fl sh iprope en
di de fl filter addr x.x.x.x <- where x.x.x.x is the corresponding public IP address for ftm-push.
di de fl filter port yyy <- where yyy is the port number assigned to server-port in ftm-push.
di de fl tr start 99
di de en

Next, test ftm-push, and disable debug flow once done using the following commands:

di de res
di de dis
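As an added illustration (not part of this article and not FortiOS code), the following Python script applies the checks from steps 3 and 6 to saved CLI output: it reads server-port from a 'show full system ftm-push' capture, flags Virtual IPs whose extport (single port or range) covers it, and lists the debug flow trace IDs that hit the 'iprope_in_check() check failed, drop' message. The sample captures are constructed and simplified; real config and debug flow output carry more fields, and VIPs with port forwarding disabled are not compared here.

```python
import re

# Constructed sample CLI output (not captured from a real FortiGate).
FTM_PUSH = """\
config system ftm-push
    set server-port 4433
    set status enable
end
"""
VIPS = """\
config firewall vip
    edit "ssl-portal"
        set portforward enable
        set extport 4433
        set mappedport 443
    next
    edit "rdp-range"
        set portforward enable
        set extport 20000-20010
        set mappedport 3389-3399
    next
end
"""
DEBUG_FLOW = """\
id=20085 trace_id=1 msg="vd-root:0 received a packet(proto=6, 198.51.100.7:51234->203.0.113.10:4433) from wan1."
id=20085 trace_id=1 msg="iprope_in_check() check failed, drop"
id=20085 trace_id=2 msg="vd-root:0 received a packet(proto=6, 198.51.100.9:40001->203.0.113.10:4433) from wan1."
"""

def ftm_push_port(config):
    """server-port from 'show full system ftm-push' output, or None if absent."""
    m = re.search(r"^\s*set server-port (\d+)", config, re.M)
    return int(m.group(1)) if m else None

def vip_conflicts(vip_config, port):
    """Names of port-forwarding VIPs whose extport (single or lo-hi range) covers port (step 3)."""
    hits = []
    for name, body in re.findall(r'^\s*edit "([^"]+)"\n(.*?)^\s*next', vip_config, re.M | re.S):
        if not re.search(r"^\s*set portforward enable", body, re.M):
            continue  # only port-forwarding VIPs are compared by extport here
        m = re.search(r"^\s*set extport (\d+)(?:-(\d+))?", body, re.M)
        if m and int(m.group(1)) <= port <= int(m.group(2) or m.group(1)):
            hits.append(name)
    return hits

def iprope_drops(debug_flow):
    """trace_ids whose flow was dropped by the local-in check from step 6."""
    return [t for t, msg in re.findall(r'trace_id=(\d+) .*?msg="([^"]*)"', debug_flow)
            if "iprope_in_check() check failed, drop" in msg]
```

With the constructed input, vip_conflicts(VIPS, 4433) reports "ssl-portal" while 20443 is free, mirroring the port change shown in step 3.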

 

7) If the issue persists after following the above steps, gather the following debug output and open a support ticket.

di de res
di de app ftm-push -1
di de en

Finally, test ftm-push, and disable the debug once done using the following commands:

di de res
di de dis