Hi all,
all fortigates have two trial licenses for fortitoken mobile. I have locked them and I can't unlock them. A FTM Admin guide says:
To unlock the locked token in FOS when FortiToken Mobile Provisioning Server is reachable, use the following CLI command: execute fortitoken-mobile renew <ftm-sn>
(By the way it is a terrible command - this command locked my fortitokens)
This command gives me an error:
# execute fortitoken-mobile renew FTKMOB4517CAXXXX
renew softtoken FTKMOB4517CAD038 error -7567
(btw - I have seen log messages reference pdf. Is it available "cli error messages reference?")
How to check connection to FortiToken Mobile Provisioning Server ? I have ping to fds1.fortinet.com, but it isn't the same.
How to unlock fortitokens? ("set status active" doesn't work. The status in cli became active, but in GUI status=error)
Any ideas?
Thanks in advance,
Ramunas
I'd suggest to :
config user fortitoken
edit <token-SN>
set status active / lock <== to switch between Locked and Available/Assigned (Unlocked in general) status
end
regarding the server status :
1.
FGT-VM64-1 (root) # diag fortitoken info
FORTITOKEN DRIFT STATUS
FTK20019UI7LZAF9 -60 active
FTKMOB499F0D6AE2 0 provision timeout
FTKMOB4910E74378 0 new
Total activated token: 1
Total global activated token: 1
Token server status: reachable
2.
exec ping fds1.fortinet.com <== FortiGuard for HW token registrations
exec ping directregistration.fortinet.com <== FortiCare Mobile token management
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Thank you for your answer. Set to active doesn't work. When I set "active" the status becomes "unknown" in CLI ("error" in GUI). If I set "lock", the status becomes locked in CLI and GUI.
FGT40C3912039776 # execute ping fds1.fortinet.com
PING fds1.fortinet.com (96.45.33.89): 56 data bytes
64 bytes from 96.45.33.89: icmp_seq=0 ttl=51 time=191.6 ms
64 bytes from 96.45.33.89: icmp_seq=1 ttl=51 time=191.7 ms
64 bytes from 96.45.33.89: icmp_seq=2 ttl=51 time=191.9 ms
64 bytes from 96.45.33.89: icmp_seq=3 ttl=51 time=191.8 ms
64 bytes from 96.45.33.89: icmp_seq=4 ttl=51 time=191.9 ms
--- fds1.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 191.6/191.7/191.9 ms

FGT40C3912039776 # execute ping directregistration.fortinet.com
PING directregistration.fortinet.com (208.91.113.68): 56 data bytes
64 bytes from 208.91.113.68: icmp_seq=0 ttl=114 time=177.0 ms
64 bytes from 208.91.113.68: icmp_seq=1 ttl=114 time=176.6 ms
64 bytes from 208.91.113.68: icmp_seq=2 ttl=114 time=175.9 ms
64 bytes from 208.91.113.68: icmp_seq=3 ttl=114 time=176.1 ms
64 bytes from 208.91.113.68: icmp_seq=4 ttl=114 time=175.8 ms
--- directregistration.fortinet.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 175.8/176.2/177.0 ms

FGT40C3912039776 # diag fortitoken info
FORTITOKEN DRIFT STATUS
FTKMOB45B42EBXXX 0 unknown
FTKMOB4517CADXXX 0 unknown
Total activated token: 0
Total global activated token: 0
Token server status: reachable
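The two `diag fortitoken info` outputs above differ in one useful way: in the second, the token server is reachable yet both tokens are `unknown`, so connectivity is not the cause. As an added example (not part of any post in this thread and not Fortinet code), this Python sketch parses that output and separates the two cases. The row layout is assumed from the outputs quoted here, treating only `active` and `new` as needing no follow-up is an assumption, and the function names are hypothetical.

```python
import re

# Row layout assumed from the output posted in this thread:
# serial, signed integer drift, then a status that may contain spaces.
ROW = re.compile(r"^(FTK\w+)\s+(-?\d+)\s+(\S.*)$")
FOOTER = re.compile(r"^(Total activated token|Total global activated token|"
                    r"Token server status):\s*(.+)$")
# Assumption of this example: only "active" and "new" need no follow-up.
OK_STATES = {"active", "new"}

def parse_fortitoken_info(text):
    """Return (tokens, footer) parsed from `diag fortitoken info` output."""
    tokens, footer = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        row = ROW.match(line)
        if row:
            tokens.append({"serial": row.group(1),
                           "drift": int(row.group(2)),
                           "status": row.group(3)})
            continue
        foot = FOOTER.match(line)
        if foot:
            footer[foot.group(1)] = foot.group(2)
    return tokens, footer

def triage(text):
    """Separate a connectivity problem from a per-token state problem."""
    tokens, footer = parse_fortitoken_info(text)
    reachable = footer.get("Token server status") == "reachable"
    stuck = [t["serial"] for t in tokens if t["status"] not in OK_STATES]
    cause = "connectivity" if not reachable else ("token-state" if stuck else "none")
    return {"reachable": reachable, "stuck": stuck, "cause": cause}

# Sample: the second output quoted in the thread, re-broken into lines.
SAMPLE = """FGT40C3912039776 # diag fortitoken info
FORTITOKEN DRIFT STATUS
FTKMOB45B42EBXXX 0 unknown
FTKMOB4517CADXXX 0 unknown
Total activated token: 0
Total global activated token: 0
Token server status: reachable"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```
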
Hi,
here, it unlocked only after deleting both fortitoken mobile
===================
1) Know your mobile tokens as in this example...
# config user fortitoken
(fortitoken) # show full-configuration
    edit "FTKMOB1111111111" <-------------------------------
        set status active
        set seed ''
        set comments ''
        set license "FTMTRIAL00000000"
        set activation-code ''
        set activation-expire 0
    next
    edit "FTKMOB2222222222" <-------------------------------
        set status active
        set seed ''
        set comments ''
        set license "FTMTRIAL00000000"
        set activation-code ''
        set activation-expire 0
    next
end
2) Delete your Two mobile fortitokens...
(fortitoken) # delete FTKMOB1111111111
(fortitoken) # delete FTKMOB2222222222
(fortitoken) # end
3) Exit from "config user fortitoken" and import your two default fortitoken mobile again
# execute fortitoken-mobile import 0000-0000-0000-0000-0000
===================
PRO: unlock successfully
PROBLEM: even if only one fortitoken is locked and the others are OK, to unlock this unique fortitoken you must delete all others. If anyone knows how to unlock without having to delete all fortitokens, please share with us.
Hello,
You can unlock a fortitoken without having to delete all the fortitokens. Please find the steps :
For a specific Fortitoken FTKMOBAAAAAAAAAA ,
# config user fortitoken
(fortitoken) # edit FTKMOBAAAAAAAAAA
FTKMOBAAAAAAAAAA# show full-configuration
config user fortitoken
    edit "FTKMOBAAAAAAAAAA"
        set status active
        set seed ' '
        set comments ' '
        set license "FTMTRIAL00000000"
        set activation-code "XXXXXXXXXXXXXXXX"
        set activation-expire ' '
    next
end
(FTKMOBAAAAAAAAAA) # set status lock
(FTKMOBAAAAAAAAAA) # end
After the status is set to lock , it will show the status as "Locked" for that specific Fortitoken under User and device > Fortitoken.
You can unlock the same as per the commands below :
# config user fortitoken
(fortitoken) # edit FTKMOBAAAAAAAAAA
(FTKMOBAAAAAAAAAA) # show full-configuration
config user fortitoken
    edit "FTKMOBAAAAAAAAAA"
        set status lock
        set seed ""
        set comments ''
        set license "FTMTRIAL00000000"
        set activation-code "XXXXXXXXXXXXXXXX"
        set activation-expire ' '
    next
end
(FTKMOBAAAAAAAAAA) # set status active
(FTKMOBAAAAAAAAAA) # end
Please make sure under system > Config > fortiguard > Fortitoken seed server registration status shows reachable.
Hello,
no no it is the wrong way. You can lock in this way, but can't unlock. Fortigate doesn't accept "set activation-code "xxxx"" which was entered manually.
I can confirm that in my case only the solution described in the previous post worked - only deleting all fortitokens helps.
BR, Ramunas
Hello,
In my previous comment, I have displayed the entire default configuration of mobile fortitoken (free) by entering the command "#Show full-configuration" for understanding and there was no manual entry for the activation-code .
Please note the above test was done on my end only for the Free Mobile tokens.
To be more specific , when the status is "lock" on the Free Mobile token, the only change we make on CLI is :
# config user fortitoken
(fortitoken) # edit FTKMOBAAAAAAAAAA
(FTKMOBAAAAAAAAAA) # set status active
(FTKMOBAAAAAAAAAA) # end
sdash_FTNT wrote: Hello,
In my previous comment, I have displayed the entire default configuration of mobile fortitoken (free) by entering the command "#Show full-configuration" for understanding and there was no manual entry for the activation-code .
Please note the above test was done on my end only for the Free Mobile tokens.
To be more specific , when the status is "lock" on the Free Mobile token, the only change we make on CLI is :
# config user fortitoken
(fortitoken) # edit FTKMOBAAAAAAAAAA
(FTKMOBAAAAAAAAAA) # set status active
(FTKMOBAAAAAAAAAA) # end
sdash_FTNT,
every time we have this problem, the first procedure is this (like ramunas tried), and it doesn't work every time.
the result here is the same as described below by ramunas.
ramunas wrote: Thank you for your answer. Set to active don't work. When I set "active" the status become "unknown" in CLI ("error" in GUI). If I set "lock", the status become locked in CLI and GUI)
here, it works only when deleting the two free fortitoken mobile and "import" again (as described in my first post)
FortiOS 5.0.9, 5.2.1 and 5.2.2
If the firewall is showing User & Device -> FortiTokens -> any token status as Locked, then go to CLI mode and apply the following commands:
FW-01 # config user fortitoken
FW-01 (fortitoken) # edit <Token Serial Number>
FW-01 (<Token Serial Number>) # set status active
Then go to User & Device -> FortiTokens; the locked token status will be shown as error (if it is not showing error, then log out and log in to the firewall again). After the status is showing error, apply the following CLI command:
FW-01 # execute fortitoken-mobile renew <Token Serial Number>
Log out and log in again, then you will see the status is available.