FortiToken Mobile Push

FortiToken Mobile Push allows authentication requests to be sent as push notifications to the end user's FortiToken Mobile application.

The FortiToken Mobile push service operates as follows:

  1. FortiGate sends a DNS query to the FortiToken Mobile Push proxy server (
  2. FortiGate connects to the proxy server via an encrypted connection over TCP/443.
  3. The proxy server handles the notification request by making a TLS connection with either Apple (for iOS) or Google (for Android) notification servers. Notification data may include the recipient, session, FortiGate callback IP and port, and so on.
  4. The notification service from either Apple or Google notifies the user's mobile device of the push request.
  5. The FortiToken Mobile application on the user's mobile displays a prompt for the user to either Approve or Deny the request.

To configure FortiToken Mobile push services using the CLI:

config system ftm-push

set status enable

set server-ip <ip-address>

set server-port [1-65535]


The default server port is 4433.

The server IP address is the public IP address of the FortiOS interface that FortiToken Mobile calls back to. FortiOS uses this IP address for incoming FortiToken Mobile calls.

If an SSL VPN user authenticates with their token, then logs out and attempts to reauthenticate within a minute, a Please wait x seconds to login again message displays. This replaces a previous error/permission denied message. The x value depends on the calculation of how much time is left in the current time step.

config system interface

edit "guest"

set allowaccess ftm




FortiOS supports FortiAuthenticator-initiated FortiToken Mobile Push notifications for users attempting to authenticate through an SSL VPN and/or RADIUS server (with FortiAuthenticator as the RADIUS server).