Alpha7
New Contributor III

Fortitoken management from Fortimanager

Hi

One of my customers manages 4 pairs of FortiGate firewalls from FortiManager. They would like to introduce FortiToken for their remote VPN users. Each pair will have the same VPN users. For easy management, the customer is willing to push the users from FortiManager and have the same policy package for all 4 pairs. An administrator can create a user on FortiManager and push it to all 4 pairs.

Question 1: If a user is created on FortiManager and a FortiToken is assigned to that user from FortiManager, I am seeing an error while installing the policy package to the firewalls, since the FortiToken bound to that user can be used on one pair only. Is that the correct behavior?

Question 2: If I create a user without a FortiToken assignment on FortiManager and push the user to all 4 pairs, then assign a FortiToken directly from the FortiGate, will it trigger a conflict in the FortiManager database, since the same user with four different tokens from the 4 FortiGate pairs is going to sync with the FortiManager database?

Thanks

ergotherego
Contributor II

What you are seeing is expected. When using tokens installed directly on FortiGates, they are locally significant.

Your customer would need to:

1) Use FortiClient EMS with remote user accounts. That way a single user can have a single token associated with them and use that token across any number of FortiGates.

2) Use differently named user accounts, each with their own token (one for each firewall), and use unique policy packages on each firewall, referencing the unique users/groups accordingly.

3) Not use FortiManager to manage those FortiGate firewalls.

Alpha7
New Contributor III

Hi

Thanks for the reply. I thought EMS was for FortiClient management. I couldn't find user/FortiToken settings in EMS. We have decided to go for FortiAuthenticator for user management and FortiManager to manage the firewalls. So, the FortiGates will not hold any users. A single user with a token on FAC can be used by all firewalls for admin and VPN login.

Thanks

ergotherego

Typo on my part. I did mean FortiAuthenticator for remote token management.
