Just want to ask a question regarding FortiTokens and 2FA, but will give some info first.
Firmware on both 6.2.2
We wanted to move away from PBR on our main 300D Fortigate. Had a spare 300D, so decided to restore the config and setup the spare with SD-WAN for Load balancing between 3 ISP's.
All went well, swapped the cables around this morning and all fine.
I did setup a spare account to log in as I still needed to sort out the 2FA on my restored account, used one of the two free Tokens that comes with the Gate
Then I just tried logging in first with the account that was restored. I then used the Token that was setup by the old firewall, and it worked.... So my FortiToken App on my phone says the token belongs to a FG with serial no 12345 yet that's the old FG but the same Token Works 100% on the new FW with serial no 54321.... Isn't that a security risk, using a code that is generated for a Firewall with a specific serial no or does the App not tie the generated code to the serial no of the fortigate?
Added a screenshot of the App on my phone.
The FortiToken automatically changed serial number to one of the new two free tokens, but the issuer is still the old Fortigate serial number....
When you transfer/migrate config with tokens already assigned/activated to another firewall,
they should work just fine with new firewall and no changes are required, yet. You would however need
to transfer fortitoken mobile license to the new device (open ticket with Customer Service for that). This is because if the license is still bound to old firewall and you do some changes with the tokens in new firewall, they will get in status error and you would not be able to re-download them, assign them or anything really. So best practice is to have the license transferred around same time as the migration is done.