
Administration Guide

Troubleshooting and diagnosis

This section covers common scenarios for FortiToken troubleshooting and diagnosis.

FortiToken Statuses

When troubleshooting FortiToken issues, it is important to understand the different FortiToken statuses. FortiToken status can be retrieved from either the CLI or the GUI, which use slightly different names for the same state.

Before you begin, verify that the FortiProxy has Internet connectivity and can reach both the FortiGuard server and the registration servers:

    # execute ping fds1.fortinet.com
    # execute ping directregistration.fortinet.com
    # execute ping globalftm.fortinet.net

If any of these hosts is unreachable, retrieving FortiToken statuses or activating a FortiToken can fail, so resolve connectivity issues before continuing.

To retrieve FortiToken statuses:
  • In the CLI:

    # diagnose fortitoken info

  • In the GUI:

    Go to User & Authentication > FortiTokens.

The FortiToken can be in the following statuses (CLI name first, with the corresponding GUI name in parentheses where the GUI shows one):

  • new (GUI: Available)
    Newly added: not pending, not activated, not yet assigned.

  • active (GUI: Assigned)
    Assigned to a user; hardware token.

  • provisioning (GUI: Pending)
    Assigned to a user and waiting for activation in the FortiToken Mobile app.

  • provisioned (GUI: Assigned)
    Assigned to a user and activated in the FortiToken Mobile app.

  • provision timeout
    Token provided to the user but not activated in the FortiToken Mobile app in time. To fix this, the token must be re-provisioned and activated within the time limit.

  • token already activated, and seed won't be returned (GUI: Error)
    Token is locked by FortiGuard FDS: the hardware token was already activated on another device, and FDS locked it.

  • locked
    Either manually locked by an administrator (set status lock), or locked automatically, for example when the token was unassigned while the FortiCare FTM provisioning server was unreachable and could not process that change.

Recovering lost Administrator FortiTokens

If an administrator loses their FortiToken, or the FortiToken stops working, they can no longer log in to the admin console through the GUI or the CLI. If another administrator can log in to the device, that administrator may be able to reset the two-factor settings configured for the locked-out administrator, or create a new admin user for them. Note that a super_admin user can edit other admin users' settings, but a prof_admin user cannot edit super_admin settings.

If no other administrators are configured, the only option is to format the flash, reload the firmware, and restore a backup config file. Console access to the device is required in order to format the flash and reload the firmware, so it is recommended to be physically on site for this operation.

Before formatting the device, verify that you have a backup config file. The backup may not contain your most recent changes; even so, restore the backup you have and reapply the remaining recent changes manually. Without a backup, you must configure the device again starting from the factory default settings.

To recover lost Administrator FortiTokens:
  1. If you have a backed up config file:
    1. Open the config file and search for the specific admin user. For representational purposes, this example uses an admin named Test:

         edit "Test"
             set accprofile "super_admin"
             set vdom "root"
             set two-factor fortitoken
             set fortitoken "FTKXXXXXXXXXX"
             set email-to "admin@email.com"
             set password *********
         next
       end

    2. Once you find the settings for the Test user, delete the fortitoken-related settings (two-factor, fortitoken, and email-to), so that the entry reads:

         edit "Test"
             set accprofile "super_admin"
             set vdom "root"
             set password *********
         next
       end

  2. During a maintenance window, format the boot device and reload the firmware image, following the instructions in Formatting and loading FortiProxy firmware image using TFTP.
  3. Once the reload is complete, log in to the admin console from the GUI using the default admin user credentials, and go to Configuration > Restore in the top right corner to restore the config file you edited in Step 1.
  4. Once the FortiProxy reboots and your configuration is restored, you can log in with your admin user credentials.
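Editing a large backup by hand in Step 1 is error-prone, and an admin name can also appear in other tables (for example, a local user with the same name whose token must stay assigned). The following script is an added example, not Fortinet's tooling, that removes only the two-factor, fortitoken, and email-to settings from the named entry inside the config system admin table, leaving nested sub-tables and all other tables untouched. The sample backup is constructed for the example; it assumes the usual FortiOS-style config ... end / edit ... next layout, and the nested gui-dashboard block under the admin entry is included only to exercise the nesting logic.

```python
"""Strip FortiToken-related settings from one admin entry of a FortiOS-style
config backup (added example; not Fortinet's own tooling)."""

from typing import List, Optional, Tuple

# Constructed sample backup. It contains a second admin, a nested sub-table
# under the target admin, and an unrelated local user also named "Test",
# none of which may be modified.
SAMPLE_CONFIG = """\
config system admin
    edit "admin"
        set accprofile "super_admin"
        set vdom "root"
        set password ENC placeholder
    next
    edit "Test"
        set accprofile "super_admin"
        set vdom "root"
        set two-factor fortitoken
        set fortitoken "FTKXXXXXXXXXX"
        set email-to "admin@email.com"
        config gui-dashboard
            edit 1
                set name "Status"
            next
        end
        set password ENC placeholder
    next
end
config user local
    edit "Test"
        set type password
        set two-factor fortitoken
        set fortitoken "FTKXXXXXXXXXX"
    next
end
"""

# The settings the guide deletes from the admin entry.
TOKEN_SETTINGS = ("two-factor", "fortitoken", "email-to")


def strip_admin_token_settings(config_text: str, admin_name: str) -> Tuple[str, int]:
    """Return (rewritten config, number of lines removed).

    Only 'set' lines directly inside edit "<admin_name>" of the top-level
    'config system admin' table are candidates for removal; nested
    config/end blocks and other tables are copied through unchanged.
    """
    out: List[str] = []
    depth = 0                        # nesting level of config ... end blocks
    admin_depth: Optional[int] = None  # depth at which "config system admin" opened
    in_target = False                # inside edit "<admin_name>" of that table
    removed = 0
    for line in config_text.splitlines():
        s = line.strip()
        if s.startswith("config "):
            depth += 1
            if s == "config system admin":
                admin_depth = depth
        elif s == "end":
            if depth == admin_depth:
                admin_depth = None
                in_target = False
            depth -= 1
        elif depth == admin_depth and s == f'edit "{admin_name}"':
            in_target = True
        elif in_target and depth == admin_depth and s == "next":
            in_target = False
        elif in_target and depth == admin_depth and s.startswith("set "):
            if s.split()[1] in TOKEN_SETTINGS:
                removed += 1
                continue  # drop this token-related line
        out.append(line)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    cleaned, count = strip_admin_token_settings(SAMPLE_CONFIG, "Test")
    print(f"removed {count} token-related line(s)")
    print(cleaned)
```

A count of zero means the named admin was not found in config system admin, which is worth checking before you format the device: restoring a backup that still carries the fortitoken settings puts you back where you started.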
