Migrate FTM tokens from FortiAuthenticator
An FortiAuthenticator (FAC) administrator can migrate FTM tokens from FAC to FTC using the following command:
execute fortitoken-cloud ftm-migrate <FTM license number>
If you do not have an existing FTC license at the time of the migration, FTC will automatically generate a one-year free transfer license for you to use for the number of end-users corresponding to the total number of FTM tokens that are transferred. After one year, you are required to purchase an FTC license to continue using the service. |
Procedures
- Ensure that the FTM license has already been imported into the FAC. (The Token serial number under the FTM license may or may not have been assigned to users.)
- Submit an FTM migration request (using the command,
set FTM migration tag request
) to Customer Support (https://www.fortinet.com/support/contact) by providing your FAC serial number and FTM license serial number. The CS team then confirms the pre-authentication from the customer and sets up the ‘FTM migration tag’. -
Once the migration tag has been set up, run the
execute fortitoken-cloud ftm-migrate <FTM license number>
command on the FAC. The command transfers all end-users with FTM token authentication under the FTM license to FTC authentication method. You can find the FTM license number in the output of theshow user fortitoken
command, which hasset license <FTM license number>
. - All the FTM tokens under the migrated license are then removed from the FAC GUI, and all end-users that have been migrated show up on the FTC GUI.
- Once the migration CLI command is completed, user log-in auth should work without any token data change.
-
After the migration is completed, FTC will send out email to CS asynchronously 24 hours after the migration of the account. The email is notify CS to invalidate the FTM license and reset the migration tag. If you are migrating multiple FTM licenses, ensure that you migrate them together within 24 hours. Otherwise, you will have to re-submit the
request(set FTM migration tag request)
to CS. - After the CS team has invalidated the FTM license and reset the migration tag, you may have to wait for up to 24 hours for the process to complete.
Verification
Check on the FAC portal:
-
All end-users with FTM token auth under the migrated FTM license are updated to FortiToken Cloud on the FAC portal (Authentication>User Management).
-
The migrated FTM license is removed from the FAC portal (User & Authentication>FortiTokens). Tokens associated to the migrated FTM license will not show up in the token list.
Check on the FTC portal:
-
The migrated FTM license shows up on the Licenses page of the FTC portal.
-
The migrated MFA users show up on the FTC portal (Users).
-
The migrated FTM license quota has been added to the total FTC user quota and the assigned FTM token has been deducted from the total user quota (Dashboard).
End-user 2FA login authentication
-
FTM license migration does not affect end-user 2FA login authentication with FortiToken (i.e., end-users will not notice any change in their log-in authentication process).
|