Admin Guide

Migrate FTM tokens from FortiGate

The FortiGate administrator can migrate FTM tokens to FTC themselves using the following command:

execute fortitoken-cloud migrate-ftm <FortiToken mobile license number> <vdom>

where <vdom> is root, if VDOM is not enabled on the FortiGate.

Note

If you do not have an existing FTC license at the time of the migration, FTC will automatically generate a one-year free transfer license for you to use for the number of end-users corresponding to the total number of FTM tokens that are transferred. After one year, you will have to purchase an FTC license to continue using the service.

Procedures

  1. Ensure that the FTM license has already been imported into the FortiGate. (The Token serial number under the FTM license may or may not have been assigned to users.)
  2. Submit an FTM migration request (using the command ‘set FTM migration tag request’) to Customer Support (https://www.fortinet.com/support/contact), providing the FGT serial number and the FTM license serial number. The CS team then confirms the pre-authentication from the customer and sets up the ‘FTM migration tag’.
  3. Once the tag has been set up, run the execute fortitoken-cloud migrate-ftm <FortiToken mobile license number> <vdom> command on the FortiGate. The command will transfer all end-users with FTM token authentication under the FTM license to FTC authentication. You can find the FTM license number in the output of the show user fortitoken command, which has set license <FTM license number>.
  4. The FTM tokens under the migrated license are then removed from the FGT GUI, and all end-users that have been migrated show up on the FTC GUI.
  5. Once the migration CLI command is completed, user log-in authentication should work without any token data change.
  6. Upon completion of the migration, FTC sends an email to CS asynchronously 24 hours. The email notifies CS to invalidate the FTM license and to reset the migration tag. If you are migrating multiple FTM licenses, ensure that you migrate them together within 24 hours. Otherwise, you will have to re-submit the ‘set FTM migration tag request’ to CS.
  7. After the CS team has invalidated the FTM license and reset the migration tag, you may have to wait for up to 24 hours for the process to complete.

Verification

Check on the FOS portal:
  • All users with FTM token auth under this migrated FTM license are updated to FortiToken Cloud on the FGT portal (User & Authentication > User Definition).

  • The migrated FTM license is removed on the FGT portal (User & Authentication > FortiTokens). Tokens associated with the migrated FTM license will not show up in the token list.

Check on the FTC portal:
  • The migrated FTM license shows up on the Licenses page of the FTC portal.

  • The migrated MFA end-users show up on the Users page of the FTC portal.

  • The migrated FTM license quota has been added to the total FTC user quota and the assigned FTM token has been deducted from the total user quota (Dashboard).
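
Added example (not part of the Fortinet guide): a Python sketch that reads a backed-up FortiGate configuration and lists, for each FTM license, its tokens, the users assigned to them and the migrate command from step 3, giving a checklist to compare against the Verification items above. The function names, the sample values and the assumed layout (flat `config user fortitoken` and `config user local` blocks, with users carrying `set two-factor fortitoken` and `set fortitoken "<serial>"`) are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of a backed-up FortiGate configuration (not real device output).
SAMPLE_BACKUP = '''config user fortitoken
    edit "EXAMPLE-TOKEN-1"
        set license "EXAMPLE-FTM-LICENSE-A"
    next
    edit "EXAMPLE-TOKEN-2"
        set license "EXAMPLE-FTM-LICENSE-A"
    next
    edit "EXAMPLE-TOKEN-3"
        set license "EXAMPLE-FTM-LICENSE-B"
    next
end
config user local
    edit "alice"
        set two-factor fortitoken
        set fortitoken "EXAMPLE-TOKEN-1"
    next
end
'''

def parse_section(config, header):
    """Return {entry: {key: value}} for one flat 'config <header>' block (assumed layout)."""
    entries, current, inside = {}, None, False
    for line in map(str.strip, config.splitlines()):
        if line == f"config {header}":
            inside = True
        elif inside and line == "end":
            break
        elif inside and (m := re.match(r'edit "?([^"]+)"?$', line)):
            current = entries.setdefault(m.group(1), {})
        elif inside and current is not None and (m := re.match(r'set (\S+) "?([^"]*)"?$', line)):
            current[m.group(1)] = m.group(2)
    return entries

def migration_plan(config, vdom="root"):
    """Map each FTM license to its tokens, assigned users and migrate command."""
    users = parse_section(config, "user local")
    owner = {u["fortitoken"]: n for n, u in users.items()
             if u.get("two-factor") == "fortitoken" and "fortitoken" in u}
    plan = defaultdict(lambda: {"tokens": [], "users": []})
    for serial, attrs in parse_section(config, "user fortitoken").items():
        if "license" in attrs:  # tokens may or may not be assigned to a user (step 1)
            plan[attrs["license"]]["tokens"].append(serial)
            plan[attrs["license"]]["users"] += [owner[serial]] if serial in owner else []
    return {lic: {**p, "command": f"execute fortitoken-cloud migrate-ftm {lic} {vdom}"}
            for lic, p in plan.items()}
```

Run it against the configuration backup taken before the migration; the per-license user lists are the accounts expected to appear on the FTC Users page afterwards.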

End-user 2FA login authentication
  • FTM license migration does not affect end-user 2FA login authentication with FortiToken (i.e., end-users will not notice any change in their login authentication process).

Caution
  • Before starting the migration process, be sure to back up your FortiGate configuration.

  • Once the FTM license and tokens are successfully migrated to FortiToken Cloud, the migration cannot be reversed.

  • The original FTM license is invalidated once the migration is completed.

  • FTM token migration requests can be initiated by an FGT administrator only.

  • FTM token migration is supported for trial accounts.

  • FTM token migration is not supported for credit-based accounts.

  • Before migrating an FTM license with a large number of end-users, be sure to set the FGT CLI Console timeout value long enough to cover the entire migration process. If the Console times out while the migration is in progress, you can open another Console window and run the ‘diagnose fortitoken-cloud migrate-ftm show <FortiToken mobile license number>’ command to check the migration status.
