
Administration Guide

Managing FortiTokens

This section focuses on the following:
  - Resending an activation email
  - Locking/unlocking FortiTokens
  - Managing FortiTokens drift
  - Deactivating FortiTokens
  - Moving FortiTokens to another device
  - Migrating FortiToken Mobile users from FortiProxy to FortiToken Cloud

Resending an activation email

To resend an activation email/SMS for a mobile token on a FortiProxy:
  1. Go to User & Authentication > User Definition and edit the user.
  2. Click Send Activation Code Email from the Two-factor Authentication section.

Locking/unlocking FortiTokens

A FortiToken can be associated with only one account on one FortiProxy unit. If a user loses the FortiToken, lock it on the FortiProxy unit so that it cannot be used to gain unauthorized access to the network. If the token is found later, you can unlock it on the FortiProxy unit to allow access once again.

To change FortiToken status to active or to lock:

    config user fortitoken
        edit <token_serial_num>
            set status <active | lock>
        next
    end

A user attempting to log in using a locked FortiToken cannot successfully authenticate.

Managing FortiTokens drift

If the FortiToken has drifted, the following must take place for the FortiToken to resynchronize with FortiProxy:
  1. FortiProxy prompts the user to enter a second code to confirm.
  2. The user gets the next code from the FortiToken and enters the code at the prompt.
  3. FortiProxy uses both codes to update its clock to match the FortiToken.

If you still experience clock drift, it may be the result of incorrect time settings on your mobile device. If so, make sure that the mobile device clock is accurate by confirming the network time and the correct timezone.

If the device clock is set correctly, the issue could be the result of the FortiProxy and FortiTokens being initialized before an NTP server was configured. This results in a time difference that is too large for the synchronize function to correct. To resolve this, manually adjust the drift of the affected tokens.

To show current drift and status for each FortiToken:

    diagnose fortitoken info

    FORTITOKEN          DRIFT   STATUS
    FTK200XXXXXXXXXC    0       token already activated, and seed won't be returned
    FTK200XXXXXXXXXE    0       token already activated, and seed won't be returned
    FTKMOBXXXXXXXXXA    0       provisioned
    FTKMOBXXXXXXXXX4    0       new
    Total activated token: 0
    Total global activated token: 0
    Token server status: reachable

This command lists the serial number and drift for each configured FortiToken. You can check if it is necessary to synchronize the FortiProxy and any particular FortiTokens.
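To check drift across many tokens without reading the output by hand, the following added example (not part of the FortiProxy documentation) parses a constructed sample of this command's output and flags tokens whose reported drift exceeds a threshold; the threshold, the sample serial numbers and the non-zero drift values are assumptions for illustration.

```python
import re

# Constructed sample modelled on the `diagnose fortitoken info` output above.
# Serial numbers are placeholders and the drift values are invented.
SAMPLE_OUTPUT = """\
FORTITOKEN DRIFT STATUS
FTK200XXXXXXXXXC 0 token already activated, and seed won't be returned
FTK200XXXXXXXXXE -3 token already activated, and seed won't be returned
FTKMOBXXXXXXXXXA 12 provisioned
FTKMOBXXXXXXXXX4 0 new
Total activated token: 2
Total global activated token: 2
Token server status: reachable
"""

# One token row: serial, signed drift as reported, free-text status.
LINE_RE = re.compile(r"^(FTK\S+)\s+(-?\d+)\s+(.*)$")


def parse_fortitoken_info(text):
    """Return (tokens, summary). tokens is a list of dicts with serial, drift
    and status; summary holds the trailing 'key: value' lines."""
    tokens, summary = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            tokens.append({"serial": m.group(1),
                           "drift": int(m.group(2)),
                           "status": m.group(3)})
        elif ":" in line:
            key, _, value = line.partition(":")
            summary[key.strip()] = value.strip()
    return tokens, summary


def tokens_needing_sync(tokens, max_abs_drift=2):
    """Serials whose absolute drift exceeds max_abs_drift. The threshold is
    an assumption for this example, not a FortiProxy default."""
    return [t["serial"] for t in tokens if abs(t["drift"]) > max_abs_drift]


if __name__ == "__main__":
    toks, summ = parse_fortitoken_info(SAMPLE_OUTPUT)
    print("token server:", summ.get("Token server status"))
    print("tokens to resynchronize:", tokens_needing_sync(toks))
```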

To adjust Mobile FortiToken for drift:

# execute fortitoken sync <FortiToken_ID> <token_code1> <next_token_code2>
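The two-code resynchronization described under "Managing FortiTokens drift" and performed by the sync command above works, for any time-based OTP, by finding the clock offset at which the two submitted codes are consecutive. The following added example (generic RFC 6238 TOTP, not Fortinet's implementation or seed format) shows that offset search and how a stored drift is applied to later logins; the 60-second step, the +/-50-step search window and the seed are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60       # seconds per code (assumption; RFC 6238 default is 30 s)
DIGITS = 6
WINDOW = 50     # search +/- 50 steps around the server clock (assumed policy)


def totp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 6238 code for one time-step counter (HMAC-SHA1, dynamic truncation)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def estimate_drift(seed: bytes, server_now: int, code1: str, code2: str,
                   window: int = WINDOW):
    """Drift in steps (token clock minus server clock) at which code1 and
    code2 are two consecutive codes of this token, or None if nothing matches.
    Requiring two consecutive codes makes an accidental single-code collision
    far less likely to yield a bogus drift value."""
    base = server_now // STEP
    for delta in range(-window, window + 1):
        t = base + delta
        if (hmac.compare_digest(totp(seed, t), code1)
                and hmac.compare_digest(totp(seed, t + 1), code2)):
            return delta
    return None


def verify_with_drift(seed: bytes, server_now: int, code: str, drift: int,
                      tolerance: int = 1) -> bool:
    """Later logins: apply the stored drift before comparing, with a small
    tolerance for ordinary skew."""
    expected = server_now // STEP + drift
    return any(hmac.compare_digest(totp(seed, expected + d), code)
               for d in range(-tolerance, tolerance + 1))


if __name__ == "__main__":
    SEED = b"constructed-demo-seed-not-a-real-token"   # constructed sample
    now = 1_700_000_000
    token_step = now // STEP + 7                      # token runs 7 steps ahead
    c1, c2 = totp(SEED, token_step), totp(SEED, token_step + 1)
    drift = estimate_drift(SEED, now, c1, c2)
    print("estimated drift (steps):", drift)
    print("next login ok:", verify_with_drift(
        SEED, now + STEP, totp(SEED, token_step + 1), drift))
```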

Deactivating FortiTokens

To deactivate FortiToken on a FortiProxy:
  1. Go to User & Authentication > User Definition.
  2. Select and edit the user for which you want to deactivate the token.
  3. Disable the Two-factor Authentication toggle.
  4. Click OK. The token will be removed from the user's Two-factor Authentication column. The user will also be removed from the token's User column under User & Authentication > FortiTokens.

Moving FortiTokens to another device

FortiTokens can only be activated on a single FortiProxy or FortiAuthenticator. To move FortiTokens to another device, you must first reset the FortiTokens registered on the current device and then reactivate them on the new device.

To reset hard tokens registered to a FortiProxy appliance (non-VM model), you can reset all hardware FTK200 tokens from the Support Portal, or during RMA transfer. See the Migrating users and FortiTokens to another FortiProxy KB article for more information.

Note

The above process will reset all hard tokens and you cannot select individual tokens to reset.

To reset FortiToken Mobile, a single hard token, a hard token registered to a VM, and so on, an administrator must contact Customer Support and/or open a ticket on the Support Portal.

Once reset, the FortiTokens can be activated on another FortiProxy or FortiAuthenticator.

Migrate FortiToken Mobile users from FortiProxy to FortiToken Cloud

You can migrate FortiToken Mobile users from the FortiProxy unit to FortiToken Cloud with a time-based subscription license using the execute fortitoken-cloud migrate-ftm <license> <vdom> command.

A request must be made to Fortinet Customer Service to initiate and pre-authorize the transfer. All current active FortiToken Mobile users will be migrated to the FortiToken Cloud license with no changes to the FortiToken Mobile serial number. The FortiProxy user or administrator's two-factor setting is automatically converted from fortitoken to fortitoken-cloud. After migration, end users will be able to authenticate as before without any changes to their FortiToken mobile app. See Migrate FTM tokens to FortiToken Cloud for more information.