This article describes the necessary procedure to migrate FortiTokens (hardware and mobile) to a new FortiGate or FortiAuthenticator.
Possible scenarios for user and Token migrations can be for example:
- Switching to a different FortiGate.
- RMA replacement of a failed unit.
- Migrating two-factor authentication from FortiGate to FortiAuthenticator.
By design, FortiTokens (except the hardware FortiToken-211 and FortiToken-300 series) are always linked to the serial number of the unit on which they are activated.
In any situation where tokens are moved to another unit, the Token license (Mobile Tokens) or Token seed (Hardware Tokens) needs to be transferred and manually added to the new unit.
This involves deleting all tokens on the old unit and recreating the tokens on the new unit, and assigning all tokens to users again.
Note: If a migration involves moving from a VM to another VM (FortiGate VM to FortiGate VM, or FortiAuthenticator VM to FortiAuthenticator VM), and the VM serial number stays the same, the steps below are NOT required; the configuration simply needs to be migrated in full. The steps below are necessary when the device's serial number changes!
If FortiToken Mobile licenses need to be moved, this is done via a ticket to Fortinet Customer Service; the ticket should include the old and new device's serial numbers, along with the FortiToken license serial number itself.
If hardware FortiTokens are moved, this can be done by Technical Support through a ticket as well; the ticket needs to include the FortiToken serial numbers in question.
FTK-211 series tokens differ a bit - the seed files are not in Fortinet's possession, but instead stored on a CD that is shipped along with the hardware tokens. To move the tokens to a new unit requires the CD with seed files.
Note: FortiGates and FortiAuthenticators come with two free trial mobile tokens.
These tokens cannot be moved; they can be recognised by their associated license serial number, which looks something like FTMTRIALxxxxxxxxxx.
Preparation: User Migration.
FortiTokens are usually assigned to local users on FortiGate (with password stored locally or on LDAP).
If the migration should also include user accounts, then there are three options:
- If the new unit is the same model and firmware version as the old FortiGate (an RMA replacement, for example), a configuration backup can be taken from the old unit and simply restored on the new unit. This recreates all user accounts from the old FortiGate on the new one.
- If the new FortiGate is a different model/firmware version and the full configuration should be migrated, the FortiConverter service may be used; one-time uses and subscriptions are available for this, and more information can be requested from the Fortinet Sales department.
- If only the user accounts should be migrated, they can be extracted from the old FortiGate's configuration file as follows:
1) Open the configuration file in a text editor
2) Copy the whole 'config user local' part
3) Paste this into a new file
4) Remove the lines containing 'two-factor' and 'fortitoken' from every user entry
5) Connect to the new device via CLI
6) Paste the modified 'config user local' lines; they should be interpreted as proper CLI commands and recreate the local users (including passwords)
In short: to import only the user list, extract the whole 'config user local' section, remove the lines containing 'two-factor' and 'fortitoken' in a text editor, and paste the result into the CLI of the new unit.
A typical local user with an assigned token looks like this in the configuration file (the 'edit'/'next'/'end' lines belong to every 'config user local' section and must be kept so the paste is interpreted correctly):
config user local
    edit "username"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB*******"
        set email-to "email@example.com"
        set sms-phone "+123456789"
        set passwd-time 2019-05-25 22:13:28
        set passwd ENC *******
    next
end
Note: the lines with 'two-factor' and 'fortitoken' need to be stripped because FortiTokens cannot simply be migrated as part of the FortiGate configuration: the licence/seeds are bound to the old serial number and must be associated with the new serial number first.
This association with the new serial number may fail if the token serial numbers already exist in the new configuration!
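As an added example (not part of the original article and not a Fortinet tool), the following Python script automates steps 1 to 4 of the user extraction above and the check implied by the note just given: it pulls the 'config user local' section out of a configuration backup, drops the 'two-factor' and 'fortitoken' lines from every entry, and lists the FortiToken serials the old configuration referenced so you can confirm none of them exist on the new unit before the licences are imported. The embedded configuration is constructed; the user names, token serial and ENC password values in it are placeholders.

```python
import re

# Constructed sample of a FortiGate configuration backup. User names, the
# token serial and the ENC values are placeholders, not data from any device.
SAMPLE_CONFIG = """\
config system global
    set hostname "old-fgt"
end
config user local
    edit "alice"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000001"
        set email-to "alice@example.com"
        set passwd-time 2019-05-25 22:13:28
        set passwd ENC PLACEHOLDER1
    next
    edit "bob"
        set type password
        set passwd ENC PLACEHOLDER2
    next
end
config user group
    edit "vpn-users"
        set member "alice" "bob"
    next
end
"""


def extract_block(config_text, header):
    """Return the lines of the top-level block that starts with `header`
    (for example 'config user local'), up to and including its closing 'end'.
    Nested config/end pairs are counted so an inner 'end' does not cut the
    block short."""
    out, depth = [], 0
    for line in config_text.splitlines():
        stripped = line.strip()
        if depth == 0:
            if stripped == header:
                depth = 1
                out.append(line)
            continue
        out.append(line)
        if stripped.startswith("config "):
            depth += 1
        elif stripped == "end":
            depth -= 1
            if depth == 0:
                return out
    raise ValueError(f"block {header!r} not found or not terminated")


# Lines the article says to remove before pasting the users into the new unit.
TOKEN_LINE = re.compile(r"^\s*set (two-factor|fortitoken)\b")
# Token serial assigned to a user, e.g. set fortitoken "FTKMOB...".
TOKEN_SERIAL = re.compile(r'^\s*set fortitoken "([^"]+)"')


def strip_token_lines(block_lines):
    """Drop every 'set two-factor ...' and 'set fortitoken ...' line."""
    return [line for line in block_lines if not TOKEN_LINE.match(line)]


def referenced_token_serials(config_text):
    """Token serials the old configuration assigned to users. Verify that none
    of them still exist on the new unit before importing the token licences."""
    matches = (TOKEN_SERIAL.match(line) for line in config_text.splitlines())
    return sorted({m.group(1) for m in matches if m})


def build_user_import(config_text):
    """CLI-ready 'config user local' text with all token references removed;
    passwords stay in their ENC form and are accepted by the new unit."""
    block = strip_token_lines(extract_block(config_text, "config user local"))
    return "\n".join(block) + "\n"


def local_user_names(config_text):
    """Names of the local users that the generated import would recreate."""
    return re.findall(r'^\s*edit "([^"]+)"', build_user_import(config_text), flags=re.M)


if __name__ == "__main__":
    print(build_user_import(SAMPLE_CONFIG))
    print("token serials to verify are absent on the new unit:",
          referenced_token_serials(SAMPLE_CONFIG))
```

Run it against a real backup by reading the file into `config_text`; the printed 'config user local' section can be pasted straight into the CLI of the new unit, and the serial list is what to compare against User & Device -> FortiTokens on the new unit before step 2 of the token import.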
Users from FortiAuthenticator cannot be migrated to FortiGate directly; FortiAuthenticator users can only be exported in csv format which FortiGate can't parse. In that case, users will need to be created manually on FortiGate in some manner.
After the FortiToken licenses have been transferred to the new unit and hardware FortiTokens have been reset (meaning the seeds are marked as available again and can be downloaded by the new FortiGate), the FortiTokens need to be imported into the FortiGate:
1) Delete all Tokens from the old unit.
In the GUI:
Go to User & Device -> FortiTokens, select all Mobile Tokens and select the 'Delete' button.
2) Register the EFTM (FortiToken Mobile) license on the new FortiGate to create all related tokens on the new unit.
The license needs to be manually added to the FortiGate after which FortiGuard checks in the background if the added FortiToken license is valid for the FortiGate in question.
- Locate the 20-digit code on the redemption certificate for the license: EFTMXXXXXXXX.
- Go to User & Device -> FortiTokens and select 'Create New'.
- Select 'Mobile Token', and enter the 20-digit certificate code in the Activation Code box.
- Select 'OK'.