Migrating FortiToken Mobile users from FortiOS to FortiToken Cloud 7.0.4
The execute fortitoken-cloud migrate-ftm <license> <vdom> command allows the migration of FortiToken Mobile users from FortiOS to FortiToken Cloud. The FortiToken Cloud account must be using a time-based subscription license. A request must be made to Fortinet Customer Service to initiate and pre-authorize the transfer. All current active FortiToken Mobile users will be migrated to the FortiToken Cloud license with no changes to the FortiToken Mobile serial number. The FortiOS user or administrator's two-factor setting is automatically converted from fortitoken to fortitoken-cloud. After migration, end users will be able to authenticate as before without any changes to their FortiToken mobile app.
To migrate FortiToken Mobile users from FortiOS to FortiToken Cloud:
- Ensure that the network communication to the FortiToken Cloud server is working and that the FortiGate has a valid time-based license:
    # execute fortitoken-cloud show
    FortiToken Cloud service status: licensed, service ready.
    Service balance: 100.00 users. Expiration date: 2023-01-21. Customer ID: *******.
- Obtain the FortiToken Mobile license number you want to migrate. For example:
    show user fortitoken FTKMOB21********
    config user fortitoken
        edit "FTKMOB21********"
            set license "EFTM00**********"
            set activation-code ****************
            set activation-expire 1643060275
            set reg-id **********
            set os-ver "5.3.0_IOS"
        next
    end
There is one active FortiToken Mobile user with two-factor authentication, ftm-mig1, that will be migrated:
    show system admin ftm-mig1
    config system admin
        edit "ftm-mig1"
            set accprofile "super_admin"
            set vdom "vdom1"
            set two-factor fortitoken
            set fortitoken "FTKMOB21********"
            set email-to "*****@fortinet.com"
            set password ****************
        next
    end
- Send a pre-authorization request to Fortinet Customer Service that contains the FortiGate serial number and FortiToken Mobile license (see Migrate FTM tokens to FortiToken Cloud for more details). Continue the migration process once you receive the migration flag from Customer Service.
- Start the migration process:
    # execute fortitoken-cloud migrate-ftm EFTM00********** root
    Warning: Please acknowledge that once the license and its tokens are migrated to FortiToken Cloud
    - The original FTM license gets invalidated and it cannot be reversed.
    - You will switch from perpetual to annual subscription license.
    Please contact customer support to get the migration pre-authorization and backup your FortiGate configuration!
    Ready to proceed? (y/n)y
A message appears once the migration is complete:
    1: Converted admin(ftm-mig1) for license(EFTM00**********) in vdom(root)
    License(EFTM00**********) in VDOM(root): Total 1 admin/local user(s) converted to two-factor Fortitoken-Cloud!
    fas_migrate_token_clear[667]: Deleted token(FTKMOB22********) and license(EFTM00**********) in vdom(root) configuration
    fas_migrate_token_clear[667]: Deleted token(FTKMOB22********) and license(EFTM00**********) in vdom(root) configuration
    fas_migrate_token_clear[667]: Deleted token(FTKMOB21********) and license(EFTM00**********) in vdom(root) configuration
    fas_migrate_token_clear[667]: Deleted token(FTKMOB22********) and license(EFTM00**********) in vdom(root) configuration
    fas_migrate_token_clear[667]: Deleted token(FTKMOB22********) and license(EFTM00**********) in vdom(root) configuration
All FortiToken Mobile tokens are no longer valid.
To verify the user status after migration:
    # diagnose fortitoken-cloud show service
    FortiToken Cloud service status: licensed, service ready.
    Service balance: 105.00 users. Expiration date: 2023-01-24. Customer ID: *******.
    FortiToken Cloud account number of users: 1, max number of users: 105.
To verify that all users were migrated successfully:
- Run the diagnostic command:
    # diagnose fortitoken-cloud show users
    Number of users in fortitoken cloud: 1
    1: username:ftm-mig1 vdom:#FOS_Administrator email:*****@fortinet.com phone: realm:default userdata:0
- Verify the user account. The two-factor authentication setting has changed to FortiToken Cloud:
    config system admin
        edit "ftm-mig1"
            set accprofile "super_admin"
            set vdom "root"
            set two-factor fortitoken-cloud
            set email-to "*****@fortinet.com"
            set password ****************
        next
    end
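With more than a handful of users, the two verification steps above can be reconciled offline against a configuration backup taken before the migration. The following Python script is an added example, not part of the Fortinet documentation: it compares the pre-migration and post-migration configuration text with the output of diagnose fortitoken-cloud show users and reports every FortiToken Mobile user that was not fully migrated. It assumes user names are unique across the admin and local user tables; the user ftm-mig2 and the sample data are constructed.

```python
import re

def two_factor_by_user(config_text):
    """Map each 'edit "<name>"' entry to its 'set two-factor' value."""
    result, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r'edit "([^"]+)"', line)
        if m:
            current = m.group(1)
        elif line == "next":
            current = None
        elif current and line.startswith("set two-factor "):
            result[current] = line.split()[2]
    return result

def migration_gaps(pre_config, post_config, diag_users):
    """Return {user: problem} for each pre-migration FortiToken Mobile user
    that is not fully migrated. An empty dict means the check passed."""
    after = two_factor_by_user(post_config)
    # Names listed by 'diagnose fortitoken-cloud show users'.
    in_cloud = set(re.findall(r"\busername:(\S+)", diag_users))
    gaps = {}
    for user, method in two_factor_by_user(pre_config).items():
        if method != "fortitoken":
            continue  # only FortiToken Mobile users are migrated
        if after.get(user) != "fortitoken-cloud":
            gaps[user] = f"two-factor is {after.get(user)}, expected fortitoken-cloud"
        elif user not in in_cloud:
            gaps[user] = "not listed in FortiToken Cloud users"
    return gaps

# Constructed sample data in the layout shown on this page; ftm-mig2 is hypothetical.
PRE = '''config system admin
    edit "ftm-mig1"
        set two-factor fortitoken
    next
    edit "ftm-mig2"
        set two-factor fortitoken
    next
end'''
POST = PRE.replace("fortitoken", "fortitoken-cloud", 1)  # only ftm-mig1 converted
DIAG = ("Number of users in fortitoken cloud: 1\n"
        "1: username:ftm-mig1 vdom:#FOS_Administrator email:user@example.com "
        "phone: realm:default userdata:0")

if __name__ == "__main__":
    print(migration_gaps(PRE, POST, DIAG))
```

Any user it reports still has a two-factor setting that points at the invalidated FortiToken Mobile license, or is missing from FortiToken Cloud, and should be checked before relying on that account's two-factor authentication.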
To verify the migration status in FortiToken Cloud:
- Log in to the FortiToken Cloud server (ftc.fortinet.com).
- In the tree menu, click the Users tab. The ftm-mig1 user appears and the serial number (Token SN) remains the same.