Troubleshooting and diagnosis

This section contains some common scenarios for FortiTokens troubleshooting and diagnosis:

FortiToken Statuses

When troubleshooting FortiToken issues, it is important to understand different FortiToken statuses. FortiToken status may be retrieved either from the CLI or the GUI, with a slightly different naming convention.

Before you begin, verify that the FortiGate has Internet connectivity and is also connected to both the FortiGuard and registration servers:

# execute ping

# execute ping

# execute ping

The server is the Fortinet Anycast server added in FortiOS 6.4.2.

If there are connectivity issues, retrieving FortiToken statuses or performing FortiToken activation could fail. Therefore, troubleshoot connectivity issues before continuing.

To retrieve FortiToken statuses:
  • In the CLI:

    # diagnose fortitoken info

  • In the GUI:

    Go to User & Authentication > FortiTokens.

The FortiToken statuses shown in the CLI or the GUI may be described as follows:
  • Newly added, not pending, not activated, not yet assigned.
  • Assigned to a user (hardware token).
  • Assigned to a user and waiting for activation on the FortiToken Mobile app.
  • Assigned to a user and activated on the FortiToken Mobile app.
  • provision timeout: the token was provided to the user but was not activated on the FortiToken Mobile app in time. To fix this, the token needs to be re-provisioned and activated in time.
  • token already activated, and seed won't be returned: the token is locked by FortiGuard FDS because the hardware token was already activated on another device.
  • Locked: either manually locked by an Administrator (set status lock), or locked automatically, for example when the token was unassigned while the FortiCare FTM provisioning server was unreachable to process that change.

Recovering trial FortiTokens

You can recover the trial FortiTokens if they were deleted from a FortiGate, or if they are stuck in a state where they cannot be provisioned to a user.

When a token is stuck in an unusual state or shows errors, delete the trial FortiTokens from the unit and then recover them as described below.

To recover trial tokens via the GUI:
  1. Go to User & Authentication > FortiTokens.
  2. Click the Import Free Trial Tokens button at the top. The two free trial tokens are recovered.
To recover trial tokens via the CLI:

# execute fortitoken-mobile import 0000-0000-0000-0000-0000

  • Before attempting to recover the trial tokens, delete both tokens from the unit.
  • If VDOMs are enabled, the trial tokens are in the management VDOM (root by default).
The following error codes might appear in the CLI:
  • If the device is not registered:

    # execute fortitoken-mobile import 0000-0000-0000-0000-0000

    import fortitoken license error: -7571

  • If the serial number format is incorrect:

    # execute fortitoken-mobile import 0000-0000-0000-0000-00

    import fortitoken license error: -7566

Recovering lost Administrator FortiTokens

If an Administrator loses their FortiToken or the FortiToken is not working, they will not be able to log into the admin console through the GUI or the CLI. If there is another Administrator that can log into the device, they may be able to reset the two-factor settings configured for the first Administrator, or create a new Admin user for them. Note that a super_admin user will be able to edit other admin user settings, but a prof_admin user will not be able to edit super_admin settings.

In the case where there are no other administrators configured, the only option is to flash format the device and reload a backup config file. You must have console access to the device in order to format and flash the device. It is recommended to be physically on site to perform this operation.


The process of resetting an Admin user password using the maintainer account cannot be used to reset or disable two-factor authentication.

Before formatting the device, verify that you have a backup config file. Even if the backup is not the latest, consider using it and reconfiguring the recent changes manually. Otherwise, you will need to configure the device starting from the factory default settings.

To recover lost Administrator FortiTokens:
  1. If you have a backed up config file:
    1. Open the config file and search for the specific admin user in the config system admin section. In this example the admin user is named Test.

      # edit "Test"
      set accprofile "super_admin"
      set vdom "root"
      set two-factor fortitoken
      set fortitoken "FTKXXXXXXXXXX"
      set email-to ""
      set password *********


    2. Once you find the settings for the Test user, delete the fortitoken-related settings (two-factor, fortitoken and email-to) so that only the following remain:

      # edit "Test"
      set accprofile "super_admin"
      set vdom "root"
      set password *********

  2. Format the boot device during a maintenance window and reload the firmware image using the instructions in the Formatting and loading FortiGate firmware image using TFTP KB article.
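Step 1 of the procedure above can also be scripted rather than edited by hand. The following Python script is an added example, not part of the Fortinet documentation: the helper name strip_admin_fortitoken and the sample backup are constructed, and it removes the two-factor, fortitoken and email-to lines of one named admin inside config system admin while leaving other admins and nested blocks (such as gui-dashboard) untouched.

```python
# Added example, not from the Fortinet page: strip one admin's FortiToken lines
# from a FortiOS backup before reloading it. SAMPLE_CONFIG is constructed;
# the FTK serials in it are placeholders.

FORTITOKEN_KEYS = {"two-factor", "fortitoken", "email-to"}  # keys the procedure deletes

def strip_admin_fortitoken(config_text, admin_name):
    """Return (new_config, removed_lines); touches only edit "<admin_name>" under config system admin."""
    out, removed, depth = [], [], 0
    in_section = in_target = False  # inside `config system admin` / inside the target edit block
    for line in config_text.splitlines():
        s = line.strip()
        if not in_section:                       # look for the start of config system admin
            in_section, depth = (s == "config system admin"), 1
        elif s.startswith("config "):            # nested block (e.g. gui-dashboard): track depth
            depth += 1
        elif s == "end":
            depth -= 1
            if depth == 0:                       # closing `end` of config system admin
                in_section = in_target = False
        elif depth == 1 and s.startswith("edit "):
            in_target = s[5:].strip().strip('"') == admin_name
        elif depth == 1 and s == "next":
            in_target = False
        elif (in_target and depth == 1 and s.startswith("set ")
              and s.split()[1] in FORTITOKEN_KEYS):
            removed.append(s)                    # drop the fortitoken-related setting
            continue
        out.append(line)
    return "\n".join(out) + "\n", removed

SAMPLE_CONFIG = """\
config system admin
    edit "Test"
        set two-factor fortitoken
        set fortitoken "FTKXXXXXXXXXX"
        set email-to ""
        set password ENC PLACEHOLDER
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
    next
    edit "Other"
        set two-factor fortitoken
        set fortitoken "FTKYYYYYYYYYY"
    next
end
"""
```

Run it on a real backup by reading the file into config_text and writing the returned string back out; the removed list shows exactly which lines were dropped.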