Hello,
How should I configure the FTM push feature for a branch office with RIA (remote internet access) through the main office FortiGate? The diagram is as below:
FGT-branch # config sys ftm-push
FGT-branch (ftm-push) # get
server-port : 4433
server-cert : Fortinet_Factory
server-ip : 0.0.0.0
server :
status : disable
FGT-branch (ftm-push) # set status enable
FGT-branch (ftm-push) # end
Missing server address.
object check operator error, -56, discard the setting
Command fail. Return code -56
As I understand it, I need to configure the main office's WAN IP in the ftm-push settings on the branch, because the FTM push call will arrive at the main office WAN and should then be routed back to the 80F, right?
If all traffic coming from the internet destined to the branch office FGT must come through the main office, then you are right - the server name (FQDN or IP) should be an IP on the main office FortiGate. The main office should then have a VIP + a firewall policy configured to DNAT the traffic and send it to the branch office FortiGate.
So I have configured ftm-push on branch1:
FGT-branch (ftm-push) # get
server-port : 4433
server-cert : Fortinet_Factory
server-ip : 0.0.0.0
server : x.x.x.x - wan ip of the main office fortigate
status : enable
Now when I try to log in, I get a push in the mobile application with deny and allow actions, but after clicking yes I get an error: "No data from the server. Please contact administrator"
If I need to configure a VIP for this traffic, I see a big problem here, because I have four branch offices in total and every one should be configured with ftm-push, but it is impossible to create four VIPs for one incoming port 4433.
You can set each branch FGT to use a different port, then use that port in their VIPs. It is not mandatory to keep it at 4433.
So if this is possible, then I create a VIP rule on the central 200F FortiGate:
source (wan1) - the same as configured as the server in ftm-push on the branch,
external IP - 0.0.0.0/0
mapped IP - what should I put here, the WAN IP of the branch or the LAN IP of the branch?
Port forwarding:
external 4433
map to 4433
mappedip should point to the interface on the branch FGT with "set allowaccess ftm" (this allows reception of the FTM push responses on the interface).
It could be any arbitrary interface as long as you have the firewall policies to allow it, but I would say that it makes the most sense to pick the interface used for "WAN" traffic, i.e. the IPsec tunnel towards the hub. This way it matches the natural path of the push-response packets.
Or maybe a loopback even, if you already use those. (don't make one just for FTM push :) )
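The hub-VIP design discussed above, written out as an added FortiOS CLI example (not taken from the thread or from Fortinet documentation): the branch uses a per-branch port instead of 4433, and the hub forwards that port to the branch's tunnel interface. All IPs, interface names and object names are placeholders.

```text
# --- Branch FortiGate (branch1): push responses are addressed to the hub WAN IP
config system ftm-push
    set server "203.0.113.10"
    # placeholder hub WAN IP; port is unique per branch so each VIP is distinct
    set server-port 4434
    set status enable
end
# Interface the hub VIP maps to; "ftm" lets it accept the forwarded responses.
# allowaccess is a full list: keep whatever entries already exist on it.
config system interface
    edit "to-hub"
        set allowaccess ping ftm
    next
end

# --- Hub FortiGate (200F): one VIP + one policy per branch, one port each
config firewall service custom
    edit "FTM-Push-Branch1"
        set tcp-portrange 4434
    next
end
config firewall vip
    edit "VIP-FTM-Branch1"
        set extintf "wan1"
        set extip 203.0.113.10
        # branch-side tunnel interface IP (placeholder), not the branch WAN IP
        set mappedip "10.1.1.1"
        set portforward enable
        set extport 4434
        set mappedport 4434
    next
end
config firewall policy
    edit 0
        set name "FTM-Push-to-Branch1"
        set srcintf "wan1"
        set dstintf "to-branch1"
        # srcaddr all mirrors the thread; narrow it if the push source ranges are known
        set srcaddr "all"
        set dstaddr "VIP-FTM-Branch1"
        set action accept
        set schedule "always"
        set service "FTM-Push-Branch1"
    next
end
```

Repeat the hub objects for branch2..4 with 4435, 4436 and 4437, each branch's ftm-push server-port matching its own VIP extport.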
Finally, I let FTM go out via the local branch WAN, not through the hub. I think this will be more reliable in case of IPsec tunnel problems, and this configuration is working for me even without the VIP configuration; I only allowed FTM on the local WAN. So, problem resolved ;)
I was originally going to suggest the same - use the regular WAN link for it and ignore the tunnel, but decided to keep my answer simple. Interesting to see that you changed your mind to this way on your own. :)
Lastly, remember that you can always just type in the 2FA code manually, so the push-response not working for whatever reason is never a production-stopping scenario.
Created on 12-08-2022 02:39 AM Edited on 12-08-2022 02:42 AM
Yes, I have a question about that. I use a quite old FortiClient 6.0.10 (and don't want to upgrade because I need to have host checks), but during a connection this FortiClient gives me an "FTM Push" button, and I have to click that button before I get the notification on mobile. Is there a way to have FTM push by default without needing to click this button?
This is fully in control of the client, so you will have to upgrade it.
(or "hack" it yourself into doing it, but that's less realistic :) )
Copyright 2024 Fortinet, Inc. All Rights Reserved.