Migrate FTM tokens from FortiAuthenticator

An FortiAuthenticator (FAC) administrator can migrate FTM tokens from FAC to FTC using the following command:

execute fortitoken-cloud ftm-migrate <FTM license number>

If you do not have an existing FTC license at the time of the migration, FTC will automatically generate a one-year free transfer license for you to use for the number of end-users corresponding to the total number of FTM tokens that are transferred. After one year, you are required to purchase an FTC license to continue using the service.

Procedures

Ensure that the FTM license has already been imported into the FAC. (The Token serial number under the FTM license may or may not have been assigned to users.)
Submit an FTM migration request (using the command, set FTM migration tag request) to Customer Support (https://www.fortinet.com/support/contact) by providing your FAC serial number and FTM license serial number. The CS team then confirms the pre-authentication from the customer and sets up the ‘FTM migration tag’.
Once the migration tag has been set up, run the execute fortitoken-cloud ftm-migrate <FTM license number> command on the FAC. The command transfers all end-users with FTM token authentication under the FTM license to FTC authentication method. You can find the FTM license number in the output of the show user fortitoken command, which has set license <FTM license number>.
All the FTM tokens under the migrated license are then removed from the FAC GUI, and all end-users that have been migrated show up on the FTC GUI.
Once the migration CLI command is completed, user log-in auth should work without any token data change.
After the migration is completed, FTC will send out email to CS asynchronously 24 hours after the migration of the account. The email is notify CS to invalidate the FTM license and reset the migration tag. If you are migrating multiple FTM licenses, ensure that you migrate them together within 24 hours. Otherwise, you will have to re-submit the request(set FTM migration tag request) to CS.
After the CS team has invalidated the FTM license and reset the migration tag, you may have to wait for up to 24 hours for the process to complete.

Verification

Check on the FAC portal:

All end-users with FTM token auth under the migrated FTM license are updated to FortiToken Cloud on the FAC portal (Authentication>User Management).
The migrated FTM license is removed from the FAC portal (User & Authentication>FortiTokens). Tokens associated to the migrated FTM license will not show up in the token list.

Check on the FTC portal:

The migrated FTM license shows up on the Licenses page of the FTC portal.
The migrated MFA users show up on the FTC portal (Users).
The migrated FTM license quota has been added to the total FTC user quota and the assigned FTM token has been deducted from the total user quota (Dashboard).

End-user 2FA login authentication

FTM license migration does not affect end-user 2FA login authentication with FortiToken (i.e., end-users will not notice any change in their log-in authentication process).

Before starting the migration process, be sure to back up your FortiAuthenticator configuration.
Once the FTM license and its tokens are successfully migrated to FortiToken Cloud, they cannot be reversed.
The original FTM license is invalidated by the CS team once the migration is completed.
The request can be initiated only by a FAC administrator.
FTM token migration is supported for trial accounts.
FTM token migration is not supported for credit-based accounts.
Before migrating your FTM license with a large number of end-users, be sure to set the FAC CLI Console timeout value long enough to cover the entire migration process. If the Console times out while the migration is in progress, you can open another Console window and run the ‘execute fortitoken-cloud ftm-migrate-status <FTM license number>' command to check the migration status.
If for some reason you want to abort a migration operation that is in progress, you can do so using the command 'execute fortitoken-cloud ftm-migrate-abort <FTM license number>'

Migrate FTM tokens from FortiAuthenticator

An FortiAuthenticator (FAC) administrator can migrate FTM tokens from FAC to FTC using the following command:

execute fortitoken-cloud ftm-migrate <FTM license number>

Procedures

Ensure that the FTM license has already been imported into the FAC. (The Token serial number under the FTM license may or may not have been assigned to users.)

Submit an FTM migration request (using the command, set FTM migration tag request) to Customer Support (https://www.fortinet.com/support/contact) by providing your FAC serial number and FTM license serial number. The CS team then confirms the pre-authentication from the customer and sets up the ‘FTM migration tag’.

Once the migration tag has been set up, run the execute fortitoken-cloud ftm-migrate <FTM license number> command on the FAC. The command transfers all end-users with FTM token authentication under the FTM license to FTC authentication method. You can find the FTM license number in the output of the show user fortitoken command, which has set license <FTM license number>.

All the FTM tokens under the migrated license are then removed from the FAC GUI, and all end-users that have been migrated show up on the FTC GUI.

Once the migration CLI command is completed, user log-in auth should work without any token data change.

After the migration is completed, FTC will send out email to CS asynchronously 24 hours after the migration of the account. The email is notify CS to invalidate the FTM license and reset the migration tag. If you are migrating multiple FTM licenses, ensure that you migrate them together within 24 hours. Otherwise, you will have to re-submit the request(set FTM migration tag request) to CS.

After the CS team has invalidated the FTM license and reset the migration tag, you may have to wait for up to 24 hours for the process to complete.

Verification

Check on the FAC portal:

All end-users with FTM token auth under the migrated FTM license are updated to FortiToken Cloud on the FAC portal (Authentication>User Management).

The migrated FTM license is removed from the FAC portal (User & Authentication>FortiTokens). Tokens associated to the migrated FTM license will not show up in the token list.

Check on the FTC portal:

The migrated FTM license shows up on the Licenses page of the FTC portal.

The migrated MFA users show up on the FTC portal (Users).

The migrated FTM license quota has been added to the total FTC user quota and the assigned FTM token has been deducted from the total user quota (Dashboard).

End-user 2FA login authentication

FTM license migration does not affect end-user 2FA login authentication with FortiToken (i.e., end-users will not notice any change in their log-in authentication process).

Before starting the migration process, be sure to back up your FortiAuthenticator configuration.
Once the FTM license and its tokens are successfully migrated to FortiToken Cloud, they cannot be reversed.
The original FTM license is invalidated by the CS team once the migration is completed.
The request can be initiated only by a FAC administrator.
FTM token migration is supported for trial accounts.
FTM token migration is not supported for credit-based accounts.
Before migrating your FTM license with a large number of end-users, be sure to set the FAC CLI Console timeout value long enough to cover the entire migration process. If the Console times out while the migration is in progress, you can open another Console window and run the ‘execute fortitoken-cloud ftm-migrate-status <FTM license number>' command to check the migration status.
If for some reason you want to abort a migration operation that is in progress, you can do so using the command 'execute fortitoken-cloud ftm-migrate-abort <FTM license number>'

Admin Guide

Migrate FTM tokens from FortiAuthenticator