Fortinet Forum
fortiFWuser
New Contributor II

Fortitokens to new FW

Hello,

I am replacing a firewall that has several FortiTokens in use.

I have restored the backup on the new FW.

The FortiTokens were copied, but not with all the details.

I suppose that on the new FW I should register them again.

Will the users be impacted?

Has anyone performed anything similar before?

Thanks and regards,

Konstantinos

warshad
Staff

Hello,

Unfortunately, you will have to re-provision every user, which means binding a new token to each user's mobile app again.

I have found these documents:

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-Migrating-users-and-FortiTokens-t...

https://docs.fortinet.com/document/forticonverter-service/20.1.0/online-help/330976/migrate-fortitok...

Could you please have a look and tell me if it helped?

If not, we will continue to look for another solution.


Waqas Arshad
Fortinet
Yurisk
Valued Contributor

No easy way to do so that I know of. When one of our clients replaced an FGT with a new one, we had to re-provision > 100 FTMs, not fun. We disabled MFA for users temporarily and re-enrolled users in small batches. Yes, users will be affected - they will get an authentication error when using tokens until re-enrolled on the new FGT.

Yuri
https://yurisk.info/ blog: All things Fortinet, no ads.


All opinions are mine only.
Markus_M
Staff

Hey Yuri,

It is actually a different process for FTM and FTK.

FTM: the tokens are part of a license number, starting with EFTMxxx. This license must be moved from the old device to the new device.

Once moved, you can activate the activation code for that license there, and the tokens will appear again. Then you have to assign the tokens to the users. The easy way is to copy the part from "config user local" with the respective users and the token serial numbers and paste it into the new config, and the tokens get assigned quickly. They have to be activated as well.

FTK (hardware): these are activated by serial number. TAC has to reset the serial numbers. Once done, you can do the same: copy the "config user local" sections with the tokens to the new firewall, and the tokens are then activated already.

Best regards,

Markus
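
The "config user local" copy step described in the reply above can be prepared from the old firewall's backup file. The following is an added example, not code from the thread or from Fortinet: it pulls out only the local users that have a `set fortitoken` line, splits them into FTM and FTK so each group can follow its own process, and builds the text to paste. The sample backup, user names and serials are constructed, and treating an `FTKMOB` serial prefix as FortiToken Mobile is an assumption.

```python
import re

# Constructed sample backup excerpt; user names and serials are made up.
SAMPLE_BACKUP = '''\
config user local
    edit "alice"
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
    next
    edit "bob"
        set type password
    next
    edit "carol"
        set two-factor fortitoken
        set fortitoken "FTK2000000000002"
    next
end
'''

def token_users(backup_text):
    """Return {user: (serial, stanza_lines)} for local users bound to a token."""
    users, in_section, name, stanza = {}, False, None, []
    for line in backup_text.splitlines():
        s = line.strip()
        if s == "config user local":
            in_section = True
        elif in_section and name is None and s == "end":
            break  # end of the user section; ignore the rest of the backup
        elif in_section and name is None and s.startswith("edit "):
            name, stanza = s[5:].strip('"'), [line]
        elif name is not None:
            stanza.append(line)
            if s == "next":  # stanza complete: keep it only if a token is set
                m = re.search(r'set fortitoken "([^"]+)"', "\n".join(stanza))
                if m:
                    users[name] = (m.group(1), stanza)
                name = None
    return users

def split_by_type(users):
    """Assumption: FTKMOB-prefixed serials are mobile (FTM), others hardware (FTK)."""
    kinds = {"FTM": {}, "FTK": {}}
    for user, (serial, _) in users.items():
        kinds["FTM" if serial.startswith("FTKMOB") else "FTK"][user] = serial
    return kinds

def paste_snippet(users):
    """CLI text holding only the token users' stanzas, for the new firewall."""
    lines = [l for _, stanza in users.values() for l in stanza]
    return "\n".join(["config user local", *lines, "end"])
```

The pasted stanzas only bind serials to users; as the reply above says, the FTM license still has to be moved and activated, and FTK serials have to be reset by TAC.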