FortiAuthenticator provides access management and single sign on.
Article Id 193822



As part of two-factor authentication with push notifications, the FortiToken Mobile app needs to communicate directly with FortiAuthenticator using the REST API. This article describes how to protect that access with a FortiGate web application firewall (WAF) profile.

Because FortiAuthenticator must be publicly reachable over the internet for this to work, it is recommended in such scenarios to restrict and protect access to FortiAuthenticator as much as possible.

Related documents:
FortiAuthenticator REST API – Push authentication response (/pushauthresp/).
FortiOS Web Application Firewall – Web application firewall.



This article does not cover the initial setup for two-factor authentication with push notifications and assumes that this feature is already functioning in the environment.



The best way to protect it is to create a WAF profile based on the 'default' profile and block all 'Extended' signatures with 'high' severity:




Enable the new WAF profile in the firewall policy that processes traffic from the FortiToken Mobile app to FortiAuthenticator.
Note that the policy (or, in earlier FortiOS versions, the VDOM) must be set to proxy inspection mode, and deep SSL inspection must be applied as well, because the traffic is encrypted HTTPS and the WAF cannot inspect it otherwise.


config firewall policy
    edit 123
        set name "FAC push response"
        set srcintf "<internet-facing interface>"
        set dstintf "<local interface towards FAC>"
        set srcaddr "all"
        set dstaddr "<VIP object for accessing FAC>"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable <=== required for any security profile to apply
        set inspection-mode proxy <=== WAF requires proxy-based inspection
        set ssl-ssh-profile "FAC_push" <=== deep inspection profile with the FAC certificate imported
        set waf-profile "fac_push" <=== the WAF profile created above
    next
end
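As an added example (not Fortinet's code or a FortiOS feature), the following Python script parses a `config firewall policy` CLI dump and reports every HTTPS policy toward the FAC VIP that lacks the settings listed above. The interface, VIP and profile names in the embedded sample configuration are constructed; the deep-inspection check only recognises the FortiOS default profiles 'certificate-inspection' and 'no-inspection' as non-deep, so a custom SSL/SSH profile still has to be verified in its own configuration.

```python
"""Audit FortiOS firewall policies that front FortiAuthenticator (FAC).

Added example, not Fortinet code. Parses a 'config firewall policy' CLI
dump and checks each policy toward the FAC VIP for the settings the
article requires: utm-status enable, inspection-mode proxy, an SSL/SSH
profile that performs deep inspection, and a WAF profile.
"""
import re

# Constructed sample dump; interface, VIP and profile names are assumptions.
# Policy 10 is the weak "before" state, policy 123 the hardened one from the
# article, and policy 11 is unrelated LAN traffic that must be ignored.
SAMPLE_CONFIG = """\
config firewall policy
    edit 10
        set name "FAC push old"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "FAC_VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status disable
        set inspection-mode flow
        set ssl-ssh-profile "certificate-inspection"
    next
    edit 123
        set name "FAC push response"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "FAC_VIP"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "FAC_push"
        set waf-profile "fac_push" <=== profile created
    next
    edit 11
        set name "LAN out"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""

# FortiOS ships these SSL/SSH profiles; neither performs deep inspection.
NON_DEEP_SSL_PROFILES = {"certificate-inspection", "no-inspection"}

EDIT_RE = re.compile(r"^edit\s+(\d+)$")
SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_policies(cli_text):
    """Return {policy_id: {attribute: value}} from a flat CLI dump.

    Only 'set key value' lines are handled; surrounding quotes and the
    article-style '<=== ...' annotations after a value are stripped.
    """
    policies, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if (m := EDIT_RE.match(line)):
            current = policies.setdefault(m.group(1), {})
        elif line == "next":
            current = None
        elif current is not None and (m := SET_RE.match(line)):
            value = m.group(2).split("<===")[0].strip().strip('"')
            current[m.group(1)] = value
    return policies


def check_policy(attrs):
    """List the hardening gaps of one policy (empty list means compliant)."""
    problems = []
    if attrs.get("utm-status") != "enable":
        problems.append("utm-status is not enable")
    if attrs.get("inspection-mode") != "proxy":
        problems.append("inspection-mode is not proxy")
    ssl = attrs.get("ssl-ssh-profile")
    if not ssl:
        problems.append("ssl-ssh-profile is not set")
    elif ssl in NON_DEEP_SSL_PROFILES:
        problems.append(f"ssl-ssh-profile {ssl!r} does not do deep inspection")
    if not attrs.get("waf-profile"):
        problems.append("waf-profile is not set")
    return problems


def audit_fac_policies(cli_text, fac_vip):
    """Audit every HTTPS policy whose destination is the FAC VIP.

    Returns {policy_id: [problems]}; policies to other destinations are
    skipped because the article's requirements apply to FAC traffic only.
    """
    return {
        pid: check_policy(attrs)
        for pid, attrs in parse_policies(cli_text).items()
        if attrs.get("dstaddr") == fac_vip and attrs.get("service") == "HTTPS"
    }


if __name__ == "__main__":
    for pid, problems in audit_fac_policies(SAMPLE_CONFIG, "FAC_VIP").items():
        print(pid, "OK" if not problems else "; ".join(problems))
```

Run against a real `show firewall policy` export, replace `"FAC_VIP"` with the name of the VIP object that publishes FortiAuthenticator; any policy listed with problems is one where the push-response traffic reaches FAC without WAF inspection.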



This can be tested by submitting a request in which the username and password parameters are replaced with the following values:

https://<server IP>/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1


This generates WAF events that show the profile is working, and the request is blocked.
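To confirm from the logs that the profile is actually blocking (rather than only detecting), the following added Python example summarises WAF UTM events per profile. It is not Fortinet code; the log lines are constructed in the `key="value"` style of FortiGate syslog, and the field names (`type`, `subtype`, `profile`, `action`, `severity`, `url`) are assumptions about that format rather than a specification.

```python
"""Summarise FortiGate WAF UTM log lines to confirm a profile is blocking.

Added example, not Fortinet code. The sample lines below are constructed
in the key="value" style of FortiGate syslog; field names are assumptions.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines (not from a real device). The first two are hits
# on the article's 'fac_push' profile, the third a profile left in monitor
# mode, the fourth an ordinary traffic log that must be ignored.
SAMPLE_LOGS = """\
date=2024-01-15 time=10:01:02 type="utm" subtype="waf" eventtype="waf-signature" level="warning" srcip=203.0.113.10 dstip=192.0.2.20 service="HTTPS" profile="fac_push" action="blocked" severity="high" url="/index.php?username=1'%20or%20'1'%20=%20'1&password=1'%20or%20'1'%20=%20'1"
date=2024-01-15 time=10:01:30 type="utm" subtype="waf" eventtype="waf-signature" level="warning" srcip=203.0.113.10 dstip=192.0.2.20 service="HTTPS" profile="fac_push" action="blocked" severity="high" url="/index.php?username=test&password=1'%20or%20'1'%20=%20'1"
date=2024-01-15 time=10:02:00 type="utm" subtype="waf" eventtype="waf-signature" level="notice" srcip=198.51.100.7 dstip=192.0.2.20 service="HTTPS" profile="fac_monitor" action="detected" severity="high" url="/index.php?username=1'%20or%20'1'%20=%20'1&password=y"
date=2024-01-15 time=10:03:00 type="traffic" subtype="forward" level="notice" srcip=198.51.100.8 dstip=192.0.2.20 service="HTTPS" action="accept" policyid=123
"""

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """Turn one key=value log line into a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def waf_events(log_text):
    """Yield only WAF UTM events from a block of log lines."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("type") == "utm" and rec.get("subtype") == "waf":
            yield rec


def summarize(log_text):
    """Return {profile: Counter(action -> count)} over all WAF events."""
    summary = {}
    for rec in waf_events(log_text):
        prof = summary.setdefault(rec.get("profile", "?"), Counter())
        prof[rec.get("action", "?")] += 1
    return summary


def profile_is_blocking(log_text, profile):
    """True when the profile produced events and every one of them was blocked."""
    actions = summarize(log_text).get(profile)
    return bool(actions) and set(actions) == {"blocked"}


def decoded_urls(log_text, profile):
    """URLs that triggered the profile, percent-decoded for readability."""
    return [unquote(r["url"]) for r in waf_events(log_text)
            if r.get("profile") == profile and "url" in r]


if __name__ == "__main__":
    for profile, actions in summarize(SAMPLE_LOGS).items():
        print(profile, dict(actions), "blocking" if profile_is_blocking(SAMPLE_LOGS, profile) else "NOT blocking")
    for url in decoded_urls(SAMPLE_LOGS, "fac_push"):
        print("  ", url)
```

Feed it the WAF log export for the period of the test request; a profile that shows only `detected` events has its signatures in monitor mode and is not protecting the FortiAuthenticator endpoint.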


Finally, verify that real push notifications still work by performing an actual two-factor authentication that includes a push notification (e.g. an SSL-VPN login).


Related articles:

Technical Tip: Best practices on hardening FortiAuthenticator environments

Troubleshooting Tip: Preventing the 'Untrusted Certificate' message during FortiTokenMobile communic...