Admin guide

Introduction
Acronyms and abbreviations
Main features
Licensing and availability
- Time-based subscriptions
- Credit-based subscriptions
  - Transition to time-based subscriptions
- FortiTrust-identity licensing
- SMS licensing
Architecture
Compatibility
- Compatible Fortinet applications
- Supported browsers
Important notes
- Credit-based licenses no longer available for purchase
- Use of non-officially supported FOS
- The same token for the same user on multiple auth clients
- FOS 6.2.3 and 6.4.0 CLI differences
- Admin accounts and realms
- Supported hard tokens
- No SMS MFA with FAC as LDAP server
- A single FTC user in multiple auth clients
- FAC users' name issues on FTC GUI
- How to use FortiClient
- Local vs. global disable/delete
QuickStart guide
FortiToken Mobile
- Supported FortiToken Mobile apps
- Activate FTM tokens
- Activate third-party tokens
- Use FTM tokens
Use cases
- One Token shared by different auth clients
- Change separate tokens to a single token
- Independent token
- Auto-Alias features—Use the same email address
- Split user quota to different realms
- FTC account lockout (2FA)
- Manage access to FTC
- Control risky conditions
- Switch from Fortitoken to FortiToken Cloud (FTC) lockout
- Migrate FTM tokens to FortiToken Cloud
Auth clients
- Getting started—FGT-FTC users
- Getting started—FAC-FTC users
- Transfer auth client (FC account lockout)
- Replace an old FortiGate with a new one
- Auth clients in HA mode
- Synchronize LDAP remote users in wildcard user group from FortiGate
- Email notification on license balance status
Maintenance
- Add, sync, and delete users
- Add, sync, and delete auth clients (devices)
- Service debug
Settings
- Global
- Realm
- Templates
FortiToken Cloud GUI
- Launch FortiToken Cloud
- FortiCloud
- Dashboard
- Administrators
- Users
- Realms
- FortiProducts
- Web Apps
- Devices (HA)
- Mobile Tokens
- Hardware Tokens
- Usage
- Licenses
- Adaptive authentication
- Logs
Product documentation and support
- Create an SMS credit balance alert event
FOS CLI commands for FortiToken Cloud
- Global system configuration
- Access FTC management commands
- Configure admin users
- Configure local users
- Configure local LDAP users for FTC service
- Configure wildcard LDAP users for FTC service
- Configure local RADIUS users for FTC service
- Migrate FTM tokens to FortiToken Cloud
- Diagnose FortiToken Cloud
FAQs
Release history
Technical support
Change log

Home FortiToken Cloud Admin guide

Main features

Copy Link

Copy Doc ID 1843b2fc-5b95-11ed-96f0-fa163e15d75b:636784

Download PDF

Main features

FortiCloud SSO

Integration with FortiCloud provides unified single sign-on (SSO) access to all your Fortinet cloud service offerings.

Free trial licenses

FTC offers 30-day free trial licenses, which can support up to five FTC end-users for FortiCloud Non-premium accounts and up to 25 end-users for FortiCloud Premium accounts. (SMS messages are not included.)

Time-based annual subscriptions

FTC offers time-based subscriptions that are stackable and co-termed, giving you the flexibility to scale up your FTC MFA service with ease.

Authentication and Management logs

FTC provides comprehensive authentication and management logs to keep you informed of all authentication and management events that have happened in your account.

Global administrator and sub-admin support

FTC now enables the global admin to create sub-admin account to better allocate and manage resources across all the accounts under management.

Access to all accounts by admin users

As the global admin, you are able to access all FTC accounts belonging to your organization, choose which of your accounts to open upon login, and switch to any of your other accounts during a session.

Realm support

FTC enables admin users to create realms to effectively allocate resources and better manage their end-users.

Multi-factor authentication (MFA) for FGT and FAC devices

FTC provides a cloud-based MFA solution for all your Fortinet products, such as FortiGate (FGT) and FortiAuthenticator (FAC), and third-party web apps as auth clients.

Integration with FOS 6.2

FTC works seamlessly with FortiOS (FOS) 6.2.x and later.

Support for MFA bypass and new token request

FTC admin users can allow end-uses to bypass MFA and request new tokens on behalf of their end-users easily from the GUI.

Automatic lockout of users for excessive MFA failures

FTC automatically locks out end-users when they have breached their specified MFA failure threshold, ensuring security and integrity of your account.

Temporary token

This new feature allows you to enable your end-users to use temporary tokens for MFA authentication when they do not have their authentication devices with them, while keeping the end-users’ existing authentication methods intact. If an end-user forgets to carry his/her FTM device around and needs to log into the firewall or SSLVPN using MFA, you can enable the temporary token for the user and set the expiration time. The user can log into the firewall or SSLVPN using the temporary token until it expires. The user can get temporary tokens by email or SMS.

Disabling MFA after account disabled

Starting from its 2.5 release, FortiToken Cloud can enable existing users in disabled accounts to bypass MFA. There have been many customer cases when users are locked out due to expired licenses or exceeded quotas. With this feature, you are able to delete users by performing a user sync or delete a particular user. In the portal, you are able to change user settings including bypass MFA. After MFA is bypassed, auth requests should succeed.

Secure, cross-platform token transfer

You can securely transfer your FTC and third-party tokens between iOS and Android devices using the FortiToken Mobile (FTM) app.

Support for remote FortiGate users

You can configure FortiGate wildcard LDAP users to use FTC for MFA.

Auto log-out

FTC automatically logs out a user when the GUI has been idle for more than ten minutes, safeguarding the security and integrity of your asset on FTC.

Real-time usage statistics

The administrator can view daily, monthly, and current usage data easily from the GUI.

Support for HA clusters

FTC supports FGT and FAC HA cluster configuration. You can add or remove auth devices to or from the FTC portal. You can view your FGT and/or FAC devices in any cluster from the Auth Clients page.

Support for custom logo

The admin user can upload custom logo images to replace the default Fortinet banner at the bottom of the FTM app on your end-users' mobile devices.

Support for multiple MFA options

FTC offers four MFA methods: FTM (FortiToken Mobile), email, SMS, and FTK (FortiToken, which is a hardware token).

Auto-alias by email

Many FTC end-users have different usernames in different applications and different domains. For the same token, a single FTC user may have different usernames in different FTC auth clients. FTC now allows for different usernames to be attributed to the same user (i.e., same person) so that only one token (FTM or FTK) needs to be assigned to that same user. It does this by providing an Auto-alias by Email option, which, once turned on, enables FTC to automatically put usernames into an alias if they use the same email address.

Realm-based user quota

The global admin of an account with a time-based license can allocate user quota by realm to effectively manage their assets and end-users.

If you are an MSSP (Managed Security Service Provider), you can split out your user quota to sub-accounts. Sub-account holders can create their own passwords and have their private login portal. They can use MFA, bypass, block, and realm configurations to manage their own end-users. The MSSP can manage all your sub-accounts using the FortiToken Cloud portal.

Export of logs in .CSV

You can export FTC authentication and management logs in .CSV format for record-keeping and sharing.

SMS usage

The SMS Log page enables you to view your SMS usage.

Migration of FTM licenses to FTC

Starting from FOS 7.0.5, FTM licenses and their users on FortiGate can be seamlessly migrated to FTC without any user token change.