Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Transfer fortitoken licenses

Currently I have fortigate 600c cluster. I'm going to buy 300E cluster. Is it possible to move Fortitoken mobile and fortitoken hard licenses from 600c  to new cluster ?

And what about  existing users,  will they need reactivate fortitokens on they phones ?


Contributor II



Just check the post . 








Q&A: Can you transfer FortiTokens from one FortiGate device to another?  The answer is yes. You can request the tokens to be transferred by creating a ticket to Customer Service (not the Technical Help-desk) and asking for tokens A to be transferred from FortiGate B to FortiGate C.   I think you need to reassign the token again to users .   Regds,   Ashik




Just to correct a bit to already good answer.


Salas mentioned two token models/types, FortiToken Mobile and hard, which could be FortiToken models 200, 220 or FortiToken 200-CD (serial numbers starts FTK211).


From functional  standpoint we can divide those to 3 types of tokens and move method depends on the type:


1. FortiToken Mobile

- licensed, license transfer need to be done by Fortinet CSS (Customer Service, not Technical Assistance as TAC has no tools to manage/change/move licenses) and ask for license transfer. Tokens then will be moved (whole pack tied to license so 5,10,100 tokens), making them useless on old FortiGate and working only on new FortiGate.


2. FortiToken 200 models bonded to FortiGuard

- those are FTK200* and FTK220* models (not FTK211 the CD model). Those are not licensed, but upon the activation every single token is bonded and locked to serial number of the FortiGate unit. Those are not packed and can be moved/divided separately one-by-one. As those are locked (one-time-activation-lock) during activation, the lock need to be released and then token can be activated from another unit. Activation mean data exchange between FortiGate and FortiGuard. Once FortiGate has data it needs no contact with FortiGuard to keep token working on this unit. So you can move config parts or better as Fortinet Technical-Assistance to unlock the specified (or all registered from old FortiGate) tokens which will give you ability to activate those on new FortiGate. Then you can end up with tokens working on both units in paralel.


3. FortiToken 200-CD

- this is model specifically  made for walled-garden inner-sanctum kind of deployments where you need tokens byt those cannot contact any outer resources, or you do not want any of token data (seed) to be stored on any outer resource, even FortiGuard. So those models are distributed with CD containing encrypted data for tokens to work. And this makes move of those tokens much easier as you can activate them from any number of FortiGate units you want at any time without any assistance from Customer Services or Technical Assistance centers. All you need is to keep CD well protected, because once lost, all tokens are lost.


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

Top Kudoed Authors