Fun with Fortitokens

Background

We have had a few issues with ftm-push recently, so I thought I would document how the problems manifested and how we resolved them. Firstly, we upgraded a Fortigate to version 6.2.3 a while back and, on doing so, found that ftm-push no longer worked. Talking to other clients about this issue, I determined that most don't use ftm-push because it didn't just work out of the box.

This issue may well be resolved in more current releases; however, for the curious, it turns out that the following was required to resolve it.

The Issue

What we could see was that, on clicking ftm-push, packets went to Fortinet's ftm-push servers, which caused the app to request an approval. We could then see the response packets returning to the Fortigate; however, a timeout then occurred and no authentication resulted. Entering the token manually worked fine.

Ports Used

Knowing this is relevant to items 2, 3 and 4 below.

Now some good intel on the TCP ports used:

For iPhones, ftm-push uses TCP 2196.

For Android, ftm-push uses TCP 443 (HTTPS).

So for debug purposes it's easier to pick up iPhone push traffic when using a packet sniffer such as the one on the Fortigate:

diag sniffer packet any "port 2196" 4 3

The Fix

  1. Enable FTM on the interface

config system interface

edit "the-interface"

    set allowaccess ftm

end

  2. Make sure your Fortigate management port is moved off 443

Check your management port

show full | grep admin-sport      <----- verify the https port
          set admin-sport 443

show full | grep admin-port       <----- verify the http port
          set admin-port 80

Change your management port

config system global
    set admin-port <integer> (http - set to whatever you require)
end

config system global
    set admin-sport <integer> (https - set to whatever you require)
end

  3. Make sure your SSLVPN is not running on the default 443 port

config vpn ssl settings

set port <integer> (set to whatever you require)
set source-interface "wan1"

end

  4. Set up a local-in policy rule to allow 443 and 2176 inbound to the Fortigate; you could probably do this with a normal policy rule as well.

config firewall local-in-policy

edit 1
    set intf "your-ftm-interface"
    set srcaddr "all"
    set dstaddr "object-with-IP-address-of-destination-of-ftm"
    set action accept
    set service "TCP2195"
    set schedule "always"
    set comments "iphone-ftm-push"
next
edit 2
    set intf "your-interface"
    set srcaddr "all"
    set dstaddr "object-with-IP-address-of-destination-of-ftm"
    set action accept
    set service "HTTPS"
    set schedule "always"
    set comments "android-ftm-push"
next

end

  5. Ensure you have an administrative user with no trusted-host restrictions - ouch - to secure this, assign a Fortitoken to the user.

  6. Set the following:

config system ftm-push

set server-ip "ip-of-external-typically-the-wan" 
set status enable

end

  7. Also set the following timeout appropriately:

config system global

set remoteauthtimeout 300 (or whatever suits - helps with slower cell networks)

end

and that should do it.
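As an added example (not from the original post), here is a small Python check that reads saved `show full-configuration` output and flags which of the prerequisites above are still unmet. The sample config, the parser and the assumption that absent keys mean FortiOS defaults (443 for both HTTPS listeners) are mine, not from the page.

```python
# Constructed (not from a real device) `show full-configuration` excerpt in the breaking state.
SAMPLE_CONFIG = """\
config system global
    set admin-sport 443
    set remoteauthtimeout 5
end
config system interface
    edit "wan1"
        set allowaccess ping https ssh
    next
end
config vpn ssl settings
    set port 443
end
"""

def parse_fortios(text):
    """Flatten config/edit/set blocks into {section: {edit-or-None: {key: value}}}."""
    cfg, section, edit = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, edit = line[7:], None        # new top-level block
        elif line.startswith("edit "):
            edit = line[5:].strip('"')            # table entry, e.g. an interface
        elif line.startswith("set ") and section:
            key, _, value = line[4:].partition(" ")
            cfg.setdefault(section, {}).setdefault(edit, {})[key] = value.strip('"')
        elif line in ("next", "end"):
            edit = None
    return cfg

def ftm_push_findings(config_text, ftm_interface):
    """List the article's prerequisites this config fails (empty list = all met).
    Absent keys are read as FortiOS defaults (443 for both HTTPS listeners), an assumption."""
    cfg = parse_fortios(config_text)
    sec = lambda name, edit=None: cfg.get(name, {}).get(edit, {})
    glob, push, sslvpn = sec("system global"), sec("system ftm-push"), sec("vpn ssl settings")
    iface = sec("system interface", ftm_interface)
    findings = []
    if "ftm" not in iface.get("allowaccess", "").split():
        findings.append(f"{ftm_interface}: allowaccess does not include ftm")
    if glob.get("admin-sport", "443") == "443":
        findings.append("admin-sport is 443; move management HTTPS off 443")
    if sslvpn.get("port", "443") == "443":
        findings.append("SSL VPN listens on 443; move it off 443")
    if push.get("status") != "enable" or not push.get("server-ip"):
        findings.append("system ftm-push needs status enable and a server-ip")
    if int(glob.get("remoteauthtimeout", "5")) < 300:
        findings.append("remoteauthtimeout is below the 300 s the article suggests")
    return findings
```

Run it against `show full-configuration` output saved from the box; an empty list means every item in the fix list above is in place.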

Debug the Fortitoken Flow

Finally, to debug when integrating with the Fortigate SSLVPN, here are the commands that will give you good visibility of events:

diag debug reset

diag debug console timestamp enable

diagnose debug application fnbamd -1

diagnose debug application ftm-push -1

diag debug application sslvpn -1

diag debug enable

Posted in Fortigate on Dec 22, 2020