Transfer FortiTokens Mobile (FTM) between Fortigates - visual guide.


Introduction

You may need to transfer Mobile FortiTokens from a failed Fortigate that you RMA'd and replaced with a new one, or for any other reason: FortiToken Mobile (FTM) is a permanent purchase, and you can move it as you wish.

Note
In this guide I am talking about mobile FortiTokens only, not hardware ones. You can transfer hardware tokens as well, but the procedure is a bit different.

A few facts to know beforehand:

  • You actually transfer the FTM license, not specific/individual tokens. This means you cannot transfer a partial list of tokens: if you bought a 50-FTM license, you have to transfer that license together with all 50 tokens.

  • Licenses for FTMs are permanent and are not tied contractually to a specific Fortigate. This means it is OK to transfer/move an FTM license as you see fit.

  • Downtime: yes, there will be downtime for the users with FTMs assigned, unless you temporarily disable MFA for them. When Fortinet transfers the license, the FTMs on the current/old Fortigate will eventually stop working. There is no official information on how long that takes. From my subjective experience, FTMs on the old FGT kept working for at least a day after the CS ticket was updated to say the license had been transferred out of it. Still, you have to delete the FTMs on the original FGT before creating them on the destination FGT. I personally wouldn't count on using the same FTM license on both FGTs simultaneously.

Steps in transferring the tokens

The process is simple:

  1. Open a ticket with Customer Service at support.fortinet.com asking Fortinet to transfer the tokens from the current Fortigate (give its serial number) to the destination Fortigate (give its serial number as well). Also specify the SKU-ID of the FTM license (it starts with EFTxxxxx).

  2. Once the ticket is updated to say the transfer was done, you will receive by email the PDF file(s) containing the Activation Code, a 20-character string to be entered on the new Fortigate.

  3. Delete the FortiTokens from the configuration of the old FGT, if it is still available. Now you can re-create the tokens on the destination Fortigate using the Activation Code.

Steps in transferring the tokens with screenshots

Now, the aforementioned process in pictures.

Open a ticket to the Customer Service

For mobile FortiTokens we only need one ticket with Customer Service (CS), not Technical Support. If you are transferring hardware tokens, not shown in this guide, you need to open the ticket with Technical Support instead.

Here, I open a ticket using the serial number of the current Fortigate where the FTMs are assigned:

[Screenshot: transfer fortitokens between fortigates1]

The type of ticket is License Transfer:

[Screenshot: transfer fortitokens between fortigates2]

In the ticket, I write something along the lines of: We'd like to transfer FTMs from Fortigate serial FGTxxxxxxx to Fortigate serial FGTYYYYYY; the license ID(s) are attached. Fortinet CS basically need to transfer just the license; they do not transfer, nor care about, individual tokens. But to have it documented, I always attach, when available, the output of the command show user fortitoken as a text file. The command output will look like:

[Screenshot: transfer fortitokens between fortigates4]

Again, if you are transferring FTMs from a failed unit you may not have this output; in that case the license ID (the one shown in the picture above, starting with EFTM), or SKU-ID as Fortinet calls it, will suffice.

Also, if you are transferring a single license from an FGT that has multiple FTM licenses, make sure to transfer/delete only the FortiTokens belonging to that specific license.

Once CS confirm in the ticket that the license was transferred

If the original Fortigate is still online, remove MFA authentication from the users who have the FTMs to be transferred, then delete the FortiTokens themselves.

Fortinet CS will attach to the ticket a PDF file for each transferred license (you may ask to transfer multiple FTM licenses from the same FGT in the same ticket if needed). The file name will be the license's SKU-ID, EFTXXXXXX.pdf. Inside it you will find the Activation Code to be entered on the destination Fortigate. The PDF will look like:

[Screenshot: transfer fortitokens between fortigates5]

You then take this Activation Code and enter it on the destination Fortigate like this:

[Screenshot: transfer fortitokens between fortigates7]

After saving, this Fortigate will have new, unassigned and not yet activated FortiToken Mobile entries, as many as the license allows. In my example the license was for 50 FTMs, so 50 FortiTokens were created.

[Screenshot: transfer fortitokens between fortigates9]

What is left is to assign these tokens to users; they will receive the usual activation email, and all is ready to go.

Debug

To see the FTM license verification against the FortiGuard servers happening in real time, the debug commands are as follows (208.91.113.53 is the IP of the FortiGuard server against which FTM licenses are checked):

diagnose sniffer packet any "host 208.91.113.53 and port 443" 4 0 a
diag debug app forticldd -1
diag debug app alert -1
diag fortitoken debug enable
diag debug enable
execute fortitoken-mobile import <put-activation-code-here>

In the example below I intentionally enter a bad Activation Code, BADLICBADLICXXX (the Fortigate serial number is sanitized as FGXXXXXXX):

diagnose sniffer packet any "host 208.91.113.53 and port 443" 4 0 a
diag debug app forticldd -1
diag debug app alert -1
diag fortitoken debug enable
diag debug enable
execute fortitoken-mobile import BADLICBADLICXXX

ftm_cfg_import_license[321]:import license BADLICBADLICXXX
ftm_fc_comm_connect[55]:ftm TCPS connected.
ftm_fc_comm_send_request[117]:send packet success.

POST /SoftToken/Provisioning.asmx/Process HTTP/1.1
Accept: application/json, text/javascript, */*, q=0.01
Content-Type: application/json;charset=utf-8
X-Requested-With: XMLHttpRequest
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 208.91.113.53:443
Content-Length: 297
Connection: Keep-Alive
Cache-Control: no-cache

{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4",
"license_activation_code": " BADLICBADLICXXX ", "serial_number": "FGXXXXXXX",
"__device_version": "7.0", "__device_build": "0523", "__clustered_sns": [ {
"sn": " FGXXXXXXX " }, { "sn": " FGXXXXXXX " } ] } }

ftm_fc_comm_recv_response[266]:receive packet success.

{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4"
,"serial_number":" FGXXXXXXX","__device_version":"7.0","__device_build":"0523",
"__clustered_sns":[{"sn":" FGXXXXXXX ","error":null},{"sn":"FGXXXXXX","error":
null}],"license_activation_code":" BADLICBADLICXXX ","license":"","tokens":null,
"result":0,"error":{"error_code":16,"error_message":"forticare license activation code invalid"}}}

ftm_fc_command[615]:received error from forticare [-7566]

import fortitoken license error: -7566

As you can see, the debug output clearly shows the reason: forticare license activation code invalid.
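Added example, not part of the original post and not Fortinet code: a small Python parser for debug output like the one above. It pairs the ActivationLicenseRequest with its ActivationLicenseResponse and pulls out the FortiCare error code and message, so the failure reason can be read off a long capture without scrolling through the sniffer output; the capture embedded in it is constructed from the output shown above, with placeholder serial number and activation code.

```python
import json
import re
# Constructed sample in the shape of the FortiGate debug output quoted above;
# serial number and activation code are placeholders, not real values.
SAMPLE_DEBUG = """ftm_cfg_import_license[321]:import license BADLICBADLICXXX
POST /SoftToken/Provisioning.asmx/Process HTTP/1.1

{ "d": { "__type": "SoftToken.ActivationLicenseRequest", "__version": "4",
"license_activation_code": " BADLICBADLICXXX ", "serial_number": "FGXXXXXXX",
"__device_version": "7.0", "__device_build": "0523", "__clustered_sns": [ {
"sn": " FGXXXXXXX " }, { "sn": " FGXXXXXXX " } ] } }
ftm_fc_comm_recv_response[266]:receive packet success.
{"d":{"__type":"SoftToken.ActivationLicenseResponse","__version":"4"
,"serial_number":" FGXXXXXXX","__device_version":"7.0","__device_build":"0523",
"__clustered_sns":[{"sn":" FGXXXXXXX ","error":null},{"sn":"FGXXXXXX","error":
null}],"license_activation_code":" BADLICBADLICXXX ","license":"","tokens":null,
"result":0,"error":{"error_code":16,"error_message":"forticare license activation code invalid"}}}
ftm_fc_command[615]:received error from forticare [-7566]
import fortitoken license error: -7566
"""

def extract_ftm_messages(debug_text):
    """Return the 'd' payload of every SoftToken JSON message in the capture."""
    decoder = json.JSONDecoder()
    messages = []
    # The sniffer wraps JSON across lines, so decode from each '{ "d":' start
    # rather than per line; a truncated (undecodable) object is skipped.
    for match in re.finditer(r'\{\s*"d"\s*:', debug_text):
        try:
            obj, _ = decoder.raw_decode(debug_text[match.start():])
        except json.JSONDecodeError:
            continue
        messages.append(obj["d"])
    return messages

def summarize_import(debug_text):
    """Pair the ActivationLicenseRequest with its response and report the outcome."""
    msgs = extract_ftm_messages(debug_text)
    req = next(m for m in msgs if m["__type"].endswith("ActivationLicenseRequest"))
    resp = next(m for m in msgs if m["__type"].endswith("ActivationLicenseResponse"))
    err = resp.get("error") or {}  # only the failure shape is on the page;
    code = req["license_activation_code"].strip()  # a null error is assumed on success
    return {
        "serial_number": req["serial_number"].strip(),
        "activation_code": code,
        "code_length_ok": len(code) == 20,  # real activation codes are 20 characters
        "error_code": err.get("error_code"),
        "error_message": err.get("error_message"),
        "succeeded": not err,
    }
```

Feed it the text of a real capture (for example, the console log saved from the session above) and the returned dictionary gives the serial, the code as sent, and the FortiCare error in one place.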

Resources

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ so as not to miss what I publish on LinkedIn, GitHub, my blog, and more.