Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
shaheryar_akhter
New Contributor

FortiGate does not send Two-Factor activation code

Hi,

 

Our Foritgate appliance is configured to send email alerts, which are being received for all the desired events. However, when using FortiToken, we do not get our activation code via email. While the firewall shows that the email has been sent successfully. 

 

Is there a way to track outgoing email from our FortiGate appliance? 

 

Version: 6.0

14 REPLIES 14
Toshi_Esumi
Esteemed Contributor II

We were told before by FTNT SE we should have a proper (or paid) SMTP server/service to send email out from any FGTs. The default one is undocumented server according to him.

 

Toshi

pminarik

There is no "solution" because that's how SPF works.


You can either permit "notifications.fortinet.net" to be a valid sender, or you can live with the SPF errors, or you can use a different mailserver that you already permit with your SPF TXT record.

[ corrections always welcome ]
abelio
Valued Contributor

Hi,
notification.fortinet.net.  SPF record is  "v=spf1 mx a ip4:208.91.112.0/22 ~all"

so, you (and gmail for instance)  has the option to NOT-reject because the "~all" switch

Anyway, I agree with Toshi_Esumi about the recommended way is use a proper SMTP service where you have full control of the headers, IPs, reply-to

(Specially with gmail, who is became a bit annoying with this topic nowadays)


regards


__ Abel

fstinfra
New Contributor

Hello Everyone, I'm having recently the same problem on our fortigate appliances, for this example I'm using a 100E and a 40F.

 

While using the fortigate default mail servers, I always got an error 500 that is similar to what SJFriedl explained above, and if I use any external mail service the messages are never sent.

 

What I have tried so far, on both:

- Using the default fortigate mail service, removing and re-adding the token to the user, sending throughout the token add process or right-clicking on the user to resend it

- Using a different email service, all validated locally with swaks to send mail using using all tree security methods, none(25), smtps(465), and starttls(25), also with authentication when available

- create a firewall rule from all gateway IPs (the appliance address on each interface) to have full access to the mail server on any port (but don't know if its needed, couldn't find any infos that an specific rule would be needed to allow the firewall itself to send emails

- using a public email server instead of our main one to validate if it was a local problem, works fine with all simulations using swaks but same results on the firewall.

 

For now its a big blocker here, since we use the 2fa for quite some time and only noticed when someone from our team changed his phone and needed to be sent the token infos again, and was not possible. Also the 40F is a brand new box with the latest firmware, that will validate if we have any issues on our other box that is not on the latest version.

 

Is there any way to fix this, or even get the tokens manually from the firewall to setup the 2fa for the users?

 

pminarik

The activation code is visible in System Event log, and also in the CLI: show user local <username>. The user can manually enter the activation code in their FortiToken mobile app to activate the token. (note that activation codes are by default valid for three days only)

 

As for troubleshooting the issue itself: You have clearly done plenty of testing already, and I doubt that forum chatter would be of much help to you. I would recommend opening a support case with the TAC to help you troubleshoot the issue more directly.

[ corrections always welcome ]