Description |
This article describes how to set up push notifications for FortiToken Mobile in FortiPAM. |
Scope | FortiPAM v1.5.x, v1.6.x, v1.7.x. |
Solution |
Set up Topology:
In the above setup, there is a firewall between FortiPAM and the internet.
Configure the FortiPAM interface to enable push notifications for FortiToken Mobile:
The push server address is the public IP address that listens for the response to the push notification message from the user's mobile. For example, the public IP address hosted on the FortiGate external interface.
By default, FortiPAM listens for the push notification response on port 4433; this port can be modified using the CLI command:
config system ftm-push
    set server-port xxxx
end
After configuring the above, when the user selects 'Approve' or 'Deny' on the mobile push notification, the response message will be sent to the public IP address that was configured and to the port that is specified in the server-port setting.
In the above example, the response message will reach the firewall's external IP with destination port 4433. By default, there is no port forwarding configured on the firewall, so the firewall will drop it. The user will see the error below:
To fix the above error, configure port forwarding on the uplink Firewall to forward the response message back to FortiPAM.
Example configuration for FortiGate:
After configuring the port forwarding, the response message will reach FortiPAM, and the token push will be successful.
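The port forward described above, written out as FortiOS CLI. This is an added example, not configuration taken from the original article: the addresses (203.0.113.10 external, 10.0.0.10 for FortiPAM), the interface names wan1 and internal, and all object names are constructed placeholders, and it assumes the push response arrives over TCP on the default port 4433.

```fortios
# Added example: forward only the FTM push response port to FortiPAM.
# All addresses, interface names and object names are placeholders.

# Service object limited to the FortiPAM ftm-push server-port (default 4433).
config firewall service custom
    edit "FTM-push-4433"
        set tcp-portrange 4433
    next
end

# Virtual IP: external IP:4433 on the uplink firewall -> FortiPAM:4433.
# extip must be the address configured as the push server on FortiPAM.
config firewall vip
    edit "FortiPAM-FTM-push"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.0.0.10"
        set portforward enable
        set protocol tcp
        set extport 4433
        set mappedport 4433
    next
end

# Inbound policy that references the VIP and permits only the push port.
# Mobile devices respond from arbitrary networks, so the source is "all";
# logging is enabled so the forwarded traffic can be reviewed.
config firewall policy
    edit 0
        set name "FTM-push-to-FortiPAM"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "FortiPAM-FTM-push"
        set service "FTM-push-4433"
        set schedule "always"
        set action accept
        set logtraffic all
    next
end
```

If server-port is changed on FortiPAM, extport, mappedport and the service object must be changed to match.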
The CLI configuration in FortiPAM includes a setting for 'server-ip'. This setting can be ignored as it cannot be configured. FortiPAM will take the setting under 'server'.
The above output shows server-ip will be 0.0.0.0. This setting is not in use.
Troubleshooting debug commands in the FortiPAM CLI:
diagnose debug reset
diagnose debug console timestamp enable
diagnose fortitoken debug enable
diagnose debug app fnbamd -1
diagnose debug app alert -1
diagnose debug enable
Copyright 2025 Fortinet, Inc. All Rights Reserved.