Admin Guide

Migrate FTM tokens to FortiToken Cloud

Starting with FOS 7.0.4, FortiGate customers who are using FOS 2FA perpetual licenses can migrate their FTM tokens to FortiToken Cloud (FTC) by converting their FTM licenses to FTC subscription licenses. FGT admins can perform FTM token migration themselves using the following command:

execute fortitoken-cloud migrate-ftm <FortiToken mobile license number> <vdom>

where <vdom> is root, if VDOM is not enabled on the FortiGate.

Note

If you do not have an existing FTC license at the time of the migration, FTC will automatically generate a one-year free transfer license for you to use for the number of end-users corresponding to the total number of FTM tokens that are transferred. After one year, you will have to purchase an FTC license to continue using the service.

Procedures

  1. Ensure that the FTM license has already been imported into the FortiGate. (The Token serial number under the FTM license may or may not have been assigned to users.)
  2. Submit ‘set FTM migration tag request’ to Customer Support (https://www.fortinet.com/support/contact) by providing the FGT serial number and the FTM license serial number. The CS team then confirms the pre-authentication from the customer and sets up the ‘FTM migration tag’.
  3. Once the tag has been set up, run the execute fortitoken-cloud migrate-ftm <FortiToken mobile license number> <vdom> command on the FortiGate. The command transfers all users with FTM token authentication under this FTM license to the FTC authentication method. You can find the FTM license number in the output of the show user fortitoken command, on the line that reads set license <FTM license number>.
  4. The tokens under the migrated license are then removed from the FOS GUI, and all users that have been migrated show up on the FTC GUI.
  5. Once the migration CLI command is completed, user login authentication should work without any token data change.
  6. After the migration is completed, FTC sends an email to CS asynchronously, 24 hours after the migration of the account. The email notifies CS to invalidate the FTM license and reset the migration tag. If you are migrating multiple FTM licenses, ensure that you migrate them together within 24 hours. Otherwise, you will have to re-submit the ‘set FTM migration tag request’ to CS.
  7. After the CS team has invalidated the FTM license and reset the migration tag, you may have to wait for up to 24 hours for the process to complete.

Verification

Check on the FOS portal:
  • All users with FTM token auth under this migrated FTM license are updated to FortiToken Cloud on the FGT portal (User & Authentication > User Definition).

  • The migrated FTM license is removed on the FGT portal (User & Authentication > FortiTokens). Tokens associated with the migrated FTM license will not show up in the token list.

Check on the FTC portal:
  • The migrated FTM license shows up on the FTC portal (Licenses).

  • The migrated MFA users show up on the FTC portal (Users).

  • The migrated FTM license quota has been added to the total FTC user quota and the assigned FTM token has been deducted from the total user quota (Dashboard).
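The following is an added example, not part of the Fortinet guide: a Python helper that reads saved output of show user fortitoken, groups token serials by their set license value, builds one migrate-ftm command per license, and re-checks a post-migration capture for tokens still listed under the migrated license. The sample output, serials and license numbers are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample of `show user fortitoken` output; serials and licenses are placeholders.
SAMPLE_BEFORE = '''\
config user fortitoken
    edit "FTKMOB00000001"
        set license "FTMLIC-EXAMPLE-A"
    next
    edit "FTKMOB00000002"
        set license "FTMLIC-EXAMPLE-A"
    next
    edit "FTKMOB00000003"
        set license "FTMLIC-EXAMPLE-B"
    next
end
'''

def tokens_by_license(show_output):
    """Map each FTM license number to the token serials listed under it."""
    licenses = defaultdict(list)
    serial = None
    for line in show_output.splitlines():
        line = line.strip()
        m = re.fullmatch(r'edit\s+"?([^"\s]+)"?', line)
        if m:
            serial = m.group(1)
            continue
        m = re.fullmatch(r'set license\s+"?([^"\s]+)"?', line)
        if m and serial:
            licenses[m.group(1)].append(serial)
        elif line == "next":
            serial = None
    return dict(licenses)

def migration_commands(show_output, vdom="root"):
    """One migrate-ftm command per license, so all can be run within the 24-hour window."""
    return [f"execute fortitoken-cloud migrate-ftm {lic} {vdom}"
            for lic in sorted(tokens_by_license(show_output))]

def leftover_tokens(after_output, migrated_license):
    """Serials still listed under the migrated license after migration (expected: none)."""
    return tokens_by_license(after_output).get(migrated_license, [])

if __name__ == "__main__":
    for lic, serials in tokens_by_license(SAMPLE_BEFORE).items():
        print(f"{lic}: {len(serials)} token(s)")
    print("\n".join(migration_commands(SAMPLE_BEFORE)))
```

Keeping the pre-migration capture alongside the configuration backup gives a record of which serials belonged to which license once the FTM license has been invalidated.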

End-user 2FA login authentication
  • FTM License migration does not affect end-user 2FA login authentication with FortiToken (i.e., end-users will not notice any change in their login authentication process).

Caution
  • Back up FortiGate configuration before starting the migration process.

  • Once the FTM license and its tokens are successfully migrated to FortiToken Cloud, the migration cannot be reversed.

  • The original FTM license is invalidated by the CS team once the migration is completed.

  • The request can be initiated only by an FGT admin.

  • FTM token migration is supported for trial accounts.

  • FTM token migration is not supported for credit-based accounts.

  • Before migrating an FTM license with a large number of associated users, be sure to set the FGT CLI Console timeout long enough to cover the entire process. If the Console times out while the migration is in progress, you can open another Console window and run the ‘diagnose fortitoken-cloud migrate-ftm show <FortiToken mobile license number>’ command to check the migration status.
