Hi,
Please can it be clarified why the FortiGate firewalls have MFA functionality using email without subscription (free) as opposed to FortiAnalyzer that only offers the Token subscription based option for MFA (no free version)?
Kind regards,
Gavin
I think you misunderstood the FortiAnalyzer (FAZ) guide - yes, indeed it lists for MFA either FortiCloud or FortiAuthenticator (FAC), BUT ... these are external to the FAZ solutions anyway. That is - FAZ itself does not have any MFA built-in. And those listed are just a suggestion (obviously beneficial to Fortinet (FTNT)). Later in the same guide they tell how to connect your FAZ to other external authentication providers - LDAP/RADIUS, using which you can enable MFA for admins with not only FTNT products, but any other product you already have - Okta/MS/etc.
https://docs.fortinet.com/document/fortianalyzer/7.4.3/administration-guide/681142/radius-servers
As regards FortiGate (FGT) - actually it is the only device (to the best of my knowledge) that has MFA capabilities baked in, as after all it is the perimeter Internet-facing device subjected most to malicious attempts. FAZ/FMG/etc, on the other hand, you never leave open/accessible to the Internet, but put behind the firewall, and so MFA as a built-in feature becomes less of a benefit IMO.
Hi,
I guess this is for marketing purposes.
However, if you don't have FortiAuthenticator/FortiToken, I think you can do it with a third-party RADIUS server. I mean you configure RADIUS authentication on your FAZ and configure e-mail OTP on your RADIUS server (if your RADIUS supports it).
Thank you for your reply,
Please can you confirm this solution does not use FortiTokens, which are the paid-up route?
On this website on page 25 it refers to tokens?
Page 25 is about FortiAuthenticator, which as far as I know supports many MFA options, like FortiToken, e-mail, SMS gateway, and I guess (not sure) other third-party token solutions.
So the example on page 25 mentions FortiToken but it is not the only possible option.
Copyright 2024 Fortinet, Inc. All Rights Reserved.