SSL VPN with FortiToken mobile push authentication

This is a sample configuration of SSL VPN that uses FortiToken mobile push two-factor authentication. If you enable push notifications, users can accept or deny the authentication request.

Sample topology

Sample configuration

The WAN interface is the interface connected to the ISP. This example uses static mode. You can also use DHCP or PPPoE mode. The SSL VPN connection is established over the WAN interface.

To configure SSL VPN using the GUI:
  1. Configure the interface and firewall address. The port1 interface connects to the internal network.
    1. Go to Network > Interfaces and edit the wan1 interface.
    2. Set IP/Network Mask to 172.20.120.123/255.255.255.0.
    3. Edit the port1 interface and set IP/Network Mask to 192.168.1.99/255.255.255.0.
    4. Click OK.
    5. Go to Policy & Objects > Address and create an address for the internal subnet 192.168.1.0.
  2. Register FortiGate for FortiCare Support:

    To add or download a mobile token on FortiGate, FortiGate must be registered for FortiCare Support. If your FortiGate is registered, skip this step.

    1. Go to Dashboard > Licenses.
    2. Hover the pointer over FortiCare Support to check whether FortiCare is registered. If not, click it and select Register.
  3. Add FortiToken mobile to FortiGate:

    If your FortiGate has FortiToken installed, skip this step.

    1. Go to User & Authentication > FortiTokens and click Create New.
    2. Select Mobile Token and enter the Activation Code.
    3. Every FortiGate has two free mobile tokens. Go to User & Authentication > FortiTokens and click Import Free Trial Tokens.
  4. Enable FortiToken mobile push:

    To use FTM-push authentication, use the CLI to enable FTM-Push on the FortiGate.

    1. Ensure server-ip is reachable from the Internet and enter the following CLI commands:
      config system ftm-push
          set server-ip 172.20.120.123
          set status enable
      end
    2. Go to Network > Interfaces.
    3. Edit the wan1