If all traffic coming from the internet destined to the branch office FGT must come through the main office, then you are right - the server name (FQDN or IP) should be an IP on the main office FortiGate. The main office should then have a VIP + a firewall policy configured to DNAT the traffic and send it to the branch office FortiGate.
FGT-branch (ftm-push) # get
server-port : 4433
server-cert : Fortinet_Factory
server-ip : 0.0.0.0
server : x.x.x.x - wan ip of the main office fortigate
status : enable
Now when I try to log in, I get a push in the mobile application with Deny and Allow actions, but after clicking Yes I get an error: "No data from the server. Please contact administrator"
If I need to configure a VIP for this traffic, I see a big problem here, because I have four branch offices in total and each should be configured with ftm-push, but it is impossible to create four VIPs for one incoming port 4433.
mappedip should point to the interface on the branch FGT with "set allowaccess ftm" (this allows reception of the FTM push responses on the interface).
It could be any arbitrary interface as long as you have the firewall policies to allow it, but I would say that it makes the most sense to pick the interface used for "WAN" traffic, i.e. the IPsec tunnel towards the hub. This way it matches the natural path of the push-response packets.
Or maybe a loopback even, if you already use those. (don't make one just for FTM push :) )
Finally I let FTM go out the local branch WAN, not through the hub. I think this will be more reliable in case of IPsec tunnel problems, and this configuration is working for me even without a VIP configuration; I only allowed FTM on the local WAN. So problem resolved ;)
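The two designs discussed in this thread (push responses DNAT'd through the hub VIP, and push responses landing directly on the branch WAN) as a worked FortiOS CLI example. This is an added illustration, not configuration from any poster; all interface names and addresses (wan1, vpn-branch1, vpn-hub, 203.0.113.10, 10.255.1.1, 198.51.100.20) are assumed placeholders, and the only things taken from the thread are port 4433, "set allowaccess ftm" and the ftm-push keys shown in the get output above.

```fortios
# ---- Hub (main office) FortiGate: DNAT FortiToken Mobile push responses to ONE branch ----
# Assumed: wan1 = hub internet interface, 203.0.113.10 = hub public IP,
# vpn-branch1 = IPsec tunnel interface to branch 1, 10.255.1.1 = branch 1 tunnel-side address.
# A VIP is one external IP:port, so with every branch on the default port 4433 a single
# public IP can only serve one branch this way (the limitation raised in the thread).
config firewall service custom
    edit "FTM-PUSH-4433"
        set tcp-portrange 4433
    next
end
config firewall vip
    edit "VIP-FTM-PUSH-BRANCH1"
        set extintf "wan1"
        set extip 203.0.113.10
        set mappedip "10.255.1.1"
        set portforward enable
        set protocol tcp
        set extport 4433
        set mappedport 4433
    next
end
config firewall policy
    edit 0
        set name "FTM-push-to-branch1"
        set srcintf "wan1"
        set dstintf "vpn-branch1"
        # The response comes from the user's phone, so the source cannot be pinned to a known IP;
        # the branch still only accepts it over TLS with its server-cert on port 4433.
        set srcaddr "all"
        set dstaddr "VIP-FTM-PUSH-BRANCH1"
        set action accept
        set schedule "always"
        set service "FTM-PUSH-4433"
        set logtraffic all
    next
end

# ---- Branch FortiGate, variant A: responses arrive through the hub tunnel ----
# The tunnel interface needs an IP (10.255.1.1 here) so the hub VIP has something to map to.
# NOTE: "set allowaccess" replaces the whole list; keep whatever admin access you already had.
config system interface
    edit "vpn-hub"
        set allowaccess ping ftm
    next
end
config system ftm-push
    set server-port 4433
    set server "203.0.113.10"
    set status enable
end

# ---- Branch FortiGate, variant B: responses arrive directly on the branch WAN (no hub VIP) ----
# Assumed: wan1 = branch internet interface, 198.51.100.20 = its public IP.
config system interface
    edit "wan1"
        set allowaccess ping ftm
    next
end
config system ftm-push
    set server-port 4433
    set server "198.51.100.20"
    set status enable
end
```

After applying either variant, "diagnose sniffer packet any 'port 4433' 4" on the branch while answering a push shows whether the response reaches the FTM-enabled interface; if nothing arrives in variant A, check the hub's VIP and policy first, since the "No data from the server" message in the app is what the failed callback looks like from the phone's side.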
I was originally going to suggest the same - use the regular WAN link for it and ignore the tunnel, but decided to keep my answer simple. Interesting to see that you changed your mind to this way on your own. :)
Lastly, remember that you can always just type in the 2FA code manually, so the push-response not working for whatever reason is never a production-stopping scenario.
Yes, I have a question about that: I use a quite old FortiClient 6.0.10 (and don't want to upgrade because I need to have host checks), but during a connection this FortiClient gives me an "FTM Push" button, and I have to click that button before I get the notification on mobile. Is there a way to have FTM push by default without needing to click this button?