FortiGate
gmanea
Staff
Article Id 190300

Description

 

This article describes how to connect to the FortiToken server in order to download FortiToken Mobile. The connection fails when the source IP used by the FortiGate is not routable upstream, as illustrated below:

 

[Image: matanaskovic_0-1653034816692.png]

 

Scope

 

FortiGate.

 

Solution

 
If an 'Internal Server Error' appears while trying to import FortiTokens, one possible cause is a routing issue.
 
To change the source IP used to connect to the FortiGuard servers, use the following method:
 
For FortiGuard services:
 
config system fortiguard
    set source-ip 0.0.0.0  <- Set the desired IP allowed in upstream.
end
 
However, this setting does not apply to the FortiToken server. In that case, create a static route toward the FortiToken server using the preferred gateway as follows:
 
config router static
    edit 0
        set dst 96.45.36.92 255.255.255.255
        set gateway x.x.x.x    <- Instead of x.x.x.x, use the preferred gateway.
        set device <interface> <- Name of the interface that reaches the gateway.
    next
end
 
Where 63.137.229.3 is the FortiToken registration server IP.
This address can be resolved from the hostname directregistration.fortinet.com.

As of v6.0.7, this behavior has changed and the FortiGuard source IP is also used for connecting to the FortiToken server.
 
If the solution above does not solve the issue, run the following debug:
 
diag debug console timestamp enable
diag debug app forticldd -1
diag debug app alert -1
diag debug enable

 

Now, examine the output of the debug:

 

2023-03-09 10:30:52 ftm_cfg_import_license[324]:import license 0000-0000-0000-0000-0000
2023-03-09 10:30:52 is_trial_tokens_available[55]:No trial tokens are available.
2023-03-09 10:30:52 ftm_fc_comm_connect[38]:ftm cannot resolve DNS
2023-03-09 10:30:52 ftm_fc_command[539]:forticare [ftm2.fortinet.net:443] unreachable

 

The output above shows that the FTM server (ftm2.fortinet.net:443) is unreachable, which can be caused by a FortiGuard connectivity issue. The following settings can be changed to restore connectivity to the server.
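As an added illustration (not part of the original article or of FortiOS), the following Python snippet parses forticldd debug lines in the format shown above and flags the two failure classes this article covers: DNS resolution failures and an unreachable FTM endpoint. The sample lines are constructed to match the format above; the function and field names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of forticldd debug output (same format as above, not a real capture).
SAMPLE_DEBUG = """\
2023-03-09 10:30:52 ftm_cfg_import_license[324]:import license 0000-0000-0000-0000-0000
2023-03-09 10:30:52 is_trial_tokens_available[55]:No trial tokens are available.
2023-03-09 10:30:52 ftm_fc_comm_connect[38]:ftm cannot resolve DNS
2023-03-09 10:30:52 ftm_fc_command[539]:forticare [ftm2.fortinet.net:443] unreachable
"""

# Line layout: <date> <time> <function>[<source line>]:<message>
LINE_RE = re.compile(r"^(\S+ \S+) (\w+)\[(\d+)\]:(.*)$")
# Endpoint layout inside a message: [<host>:<port>]
HOST_RE = re.compile(r"\[([\w.-]+):(\d+)\]")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one debug line into its fields; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, func, src_line, msg = m.groups()
    return {"ts": ts, "func": func, "line": src_line, "msg": msg}


def classify(msg: str) -> Optional[str]:
    """Map a message to the failure class it indicates, or None if it is informational."""
    low = msg.lower()
    if "cannot resolve dns" in low:
        return "dns"          # FortiGate cannot resolve the FTM server name
    if "unreachable" in low:
        return "unreachable"  # connection to the FTM server failed (routing / source IP)
    return None


def analyze(debug_output: str) -> Dict[str, object]:
    """Return the failures seen, in order, and every FTM endpoint named in the output."""
    failures: List[str] = []
    endpoints: List[str] = []
    for raw in debug_output.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        kind = classify(rec["msg"])
        if kind:
            failures.append(kind)
        for host, port in HOST_RE.findall(rec["msg"]):
            endpoints.append(f"{host}:{port}")
    return {"failures": failures, "endpoints": endpoints,
            "ftm_unreachable": "unreachable" in failures}
```

A "dns" result points at the FortiGate's DNS settings, while "unreachable" with a resolved endpoint points at routing or the source IP used to reach it.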

 

config system fortiguard
    set fortiguard-anycast disable
    set port 8888
    set protocol udp
    set source-ip 0.0.0.0
end

 

Note that the default protocol and port, together with the disabled fortiguard-anycast service, must be reachable from the FortiGate. Default values can be found under config system fortiguard in the FortiGate CLI reference.

 

The Anycast FTM server domain for AWS has been changed to 'globalftm2.fortinet.net', and the FortiOS settings were adjusted accordingly starting from FOS 7.4.1; branches below 7.4.1 still use ftm2.fortinet.net.
Therefore, a FortiGate running a version below 7.4.1 with Anycast set to AWS will fail to add new FortiToken Mobile tokens. To activate FTM, disable Anycast or set it to the value 'fortinet'.

 

After that, try to import the tokens again. If the issue persists, contact Fortinet technical support for more assistance.

 

Related articles:

Technical Note: How to control/change the FortiGate source IP for self-generated traffic.

Troubleshooting Tip: import FortiToken license Internal server.