JumpingNerd
New Contributor

FortiToken Migration and testing

Hi All, 

I have a client with a 100D HA cluster, over an expensive MPLS network servicing two sites from a Data Centre. 

Now due to financial constraints, they are migrating away from this configuration to a single 100D per site (only 2 sites) and local fiber breakout. 

So as part of the plan to migrate them to new services, we have loaned the customer 2x 100Ds to implement the new fiber connections and test the network. 

Now they have about 100 FortiTokens, and when we commission the new links, the customer wants to test the SSL VPN and associated FortiTokens on the new connection and ensure that everything is going well before we cut them over. 

Our current cutover strategy is simply to get the configuration right on the loan 100Ds, back up the configuration and restore it to the customer's original 100Ds when we decide to cut over. 

The loaners that we have implemented have the configuration restored from the HA cluster, and we have modified them to work with local fiber breakout. This way we don't need to recreate all the rules; we just modified the interfaces.

Both the production and loaners have the same firmware and hardware. 

So the loaners have all tokens on them after a configuration restore and they are currently "Available" and associated with a user. 

So I am looking for a strategy for migrating the FortiTokens for both testing and production to the customer's original 100D at the head office. 

I did some research and found that I might need to reprovision the tokens? So does that involve resetting every VPN client into my customer? That is something I am trying to avoid, as the customer's original 100D will be the production firewall at the head office. 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD48058

With the current plan/configuration, if we simply redirect the users' SSL VPN to the loaner for testing, will we need to do anything for the tokens? Or will it just work, considering we have restored configurations? 

And when we do the cutover and restore the golden configuration, are we going to need to re-provision FortiTokens for all remote users? Or will it be happy, as the tokens are already associated with the original FortiGate?

Does anyone have any advice that may help us to avoid touching individual machines and redeploying FortiTokens to 100 users? 

Any help would be appreciated. 

Thanks. 

Andy
