Support Forum
Tutek
Contributor

FTM Push configuration for branch office

Hello,

How should I configure the FTM push feature for a branch office with RIA (remote internet access) through the main office FortiGate? The diagram is below:

(two network diagram images were attached to the original post)

FGT-branch # config sys ftm-push

FGT-branch (ftm-push) # get
server-port : 4433
server-cert : Fortinet_Factory
server-ip   : 0.0.0.0
server      :
status      : disable

FGT-branch (ftm-push) # set status enable

FGT-branch (ftm-push) # end
Missing server address.
object check operator error, -56, discard the setting
Command fail. Return code -56

As I understand it, I need to configure the main office's WAN IP in the ftm-push settings on the branch, because the FTM push call will arrive at the main office WAN and then should be routed back to the 80F, right?

pminarik
Staff

If all traffic coming from the internet destined to the branch office FGT must come through the main office, then you are right - the server name (FQDN or IP) should be an IP on the main office FortiGate. The main office should then have a VIP + a firewall policy configured to DNAT the traffic and send it to the branch office FortiGate.

[ corrections always welcome ]
Tutek
Contributor

So I have configured ftm-push on branch1:

FGT-branch (ftm-push) # get
server-port : 4433
server-cert : Fortinet_Factory
server-ip   : 0.0.0.0
server      : x.x.x.x (WAN IP of the main office FortiGate)
status      : enable

Now when I try to log in, I get a push in the mobile application with Deny and Allow actions, but after clicking Allow I get an error: "No data from the server. Please contact administrator".

If I need to configure a VIP for this traffic, I now see a big problem: I have four branch offices in total and every one of them should be configured with ftm-push, but it is impossible to create four VIPs for one incoming port, 4433.

pminarik

You can set each branch FGT to use a different port, then use that port in their VIPs. It is not mandatory to keep it at 4433.

[ corrections always welcome ]
Tutek
Contributor

So if this is possible, then I create a VIP rule on the central 200F FortiGate:

- source interface: wan1 (the same IP as configured as "server" in ftm-push on the branch)
- external IP: 0.0.0.0/0
- mapped IP: what should I put here, the WAN IP of the branch or the LAN IP of the branch?
- port forwarding: external 4433, map to 4433

pminarik

mappedip should point to the interface on the branch FGT with "set allowaccess ftm" (this allows reception of the FTM push responses on that interface).

It could be any arbitrary interface as long as you have the firewall policies to allow it, but I would say that it makes the most sense to pick the interface used for "WAN" traffic, i.e. the IPsec tunnel towards the hub. This way it matches the natural path of the push-response packets.

Or maybe a loopback even, if you already use those. (don't make one just for FTM push :) )

[ corrections always welcome ]
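The hub-and-branch design described in the replies above (hub VIP per branch on a distinct port, branch listening on the tunnel interface), written out as an added example; this is not configuration from the original thread. Everything concrete here is an assumption: the hub's public IP 203.0.113.10 on wan1, the hub-side IPsec interfaces branch1-vpn and branch2-vpn, the branch-side tunnel interface hub-vpn with tunnel IPs 10.255.1.2 and 10.255.2.2, and branch1 on TCP 4433 and branch2 on TCP 4434 so the hub can tell the two response streams apart.

```fortios
# ---- Branch 1 (FGT-branch1) ----
# Accept FTM push responses on the tunnel interface towards the hub.
# "append" adds ftm without clobbering the existing allowaccess list.
config system interface
    edit "hub-vpn"
        append allowaccess ftm
    next
end
# "server" is where the phone connects: the HUB's public IP, not the branch.
# Set server before status, otherwise "end" fails with "Missing server address".
config system ftm-push
    set server "203.0.113.10"
    set server-port 4433
    set server-cert "Fortinet_Factory"
    set status enable
end

# ---- Branch 2 (FGT-branch2) ----
# Same as branch 1, but on its own port; this port must equal the extport
# of this branch's VIP on the hub.
config system interface
    edit "hub-vpn"
        append allowaccess ftm
    next
end
config system ftm-push
    set server "203.0.113.10"
    set server-port 4434
    set server-cert "Fortinet_Factory"
    set status enable
end

# ---- Hub (200F) ----
# One service object, one VIP and one policy per branch. The VIP's mappedip is
# the branch tunnel-interface IP, i.e. the interface that carries allowaccess ftm.
config firewall service custom
    edit "FTM-PUSH-4433"
        set tcp-portrange 4433
    next
    edit "FTM-PUSH-4434"
        set tcp-portrange 4434
    next
end
config firewall vip
    edit "VIP-FTM-branch1"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set extport 4433
        set mappedip "10.255.1.2"
        set mappedport 4433
    next
    edit "VIP-FTM-branch2"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set extport 4434
        set mappedip "10.255.2.2"
        set mappedport 4434
    next
end
config firewall policy
    edit 0
        set name "FTM-push-to-branch1"
        set srcintf "wan1"
        set dstintf "branch1-vpn"
        set srcaddr "all"
        set dstaddr "VIP-FTM-branch1"
        set service "FTM-PUSH-4433"
        set action accept
        set schedule "always"
    next
    edit 0
        set name "FTM-push-to-branch2"
        set srcintf "wan1"
        set dstintf "branch2-vpn"
        set srcaddr "all"
        set dstaddr "VIP-FTM-branch2"
        set service "FTM-PUSH-4434"
        set action accept
        set schedule "always"
    next
end
```

Two things to check before blaming the VIP: the branch's reply to the phone must leave through the same tunnel so the hub can reverse the DNAT, which is the case when the branch's default route points at the hub (the RIA design in the question); and the source of these connections is the FortiToken Mobile app on an arbitrary mobile network, so the policy cannot usefully be narrowed by srcaddr, which is why keeping extport equal to mappedport and one port per branch is the only separation the hub has. Note that extport and mappedport are deliberately kept equal here, so there is no question which port the policy's service object must match.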
Tutek
Contributor

Finally, I let FTM go out of the local branch WAN, not through the hub. I think this will be more reliable in case of IPsec tunnel problems, and this configuration is working for me even without a VIP configuration; I only allowed FTM on the local WAN. So, problem resolved ;)
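The local-WAN variant the poster settled on, plus the checks you would run to confirm the phone's response actually reaches the box, as an added example rather than the poster's own configuration. The branch public IP 198.51.100.20 on wan1 is an assumption; if the branch WAN address is dynamic, "server" can be a DDNS FQDN instead, since the setting accepts either an IP or a hostname.

```fortios
# Branch: receive FTM push responses directly on the local WAN, no hub VIP needed.
config system interface
    edit "wan1"
        append allowaccess ftm
    next
end
# "server" must be the address the phone can reach from the internet,
# i.e. this branch's own public IP (or a DDNS name that resolves to it).
config system ftm-push
    set server "198.51.100.20"
    set server-port 4433
    set server-cert "Fortinet_Factory"
    set status enable
end

# Verify: approve a push on the phone while watching wan1 for TCP/4433.
# Syntax: interface, filter, verbosity 4 (headers + interface), max 10 packets, local timestamps.
diagnose sniffer packet wan1 'tcp port 4433' 4 10 l

# Verify from the authentication daemon's side (run, attempt the login, then stop).
diagnose debug application fnbamd -1
diagnose debug enable
# ... attempt the login and approve the push ...
diagnose debug disable
diagnose debug reset
```

The security trade-off is that allowaccess ftm on wan1 opens a TLS listener on TCP/4433 to the whole internet, and because the clients are phones on arbitrary mobile networks it cannot be restricted by source address. Keep server-cert a certificate you actually manage rather than the factory one if that listener is going to stay exposed, and if the sniffer shows the phone's SYN arriving but the login still fails with "No data from the server", the problem is on the FortiGate side (cert or daemon), not the path.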

pminarik

I was originally going to suggest the same - use the regular WAN link for it and ignore the tunnel, but decided to keep my answer simple. Interesting to see that you changed your mind to this way on your own. :)

Lastly, remember that you can always just type in the 2FA code manually, so the push-response not working for whatever reason is never a production-stopping scenario.

[ corrections always welcome ]
Tutek

Yes, I have a question about that. I use a quite old FortiClient, 6.0.10 (and don't want to upgrade because I need to have host checks), but this FortiClient, during a connection, gives me a button "FTM Push" and I have to click that button, then I get the notification on mobile. Is there a way to have FTM push by default without needing to click this button?

(screenshot of the FortiClient "FTM Push" dialog attached to the original post)

pminarik

This is fully in control of the client, so you will have to upgrade it.

(or "hack" it yourself into doing it, but that's less realistic :) )

[ corrections always welcome ]