Debug fortitoken activation activation error (token not exist in FortiGuard) The most easy way to debug the sending of the FortiToken activation e-mails from a FortiGate firewall is by using the CLI debugging tools. Assign the token to the user's profile. diag debug console timestamp enable. Anybody else on the path can still reject it (such as your own receiving mailservers). Upon receiving the user's username and password, FTC prompts the user for an OTP from the FortiToken device. Solution: Problem : Debugging : diagnose debug application forticldd -1 diagnose debug enable ftm_cfg_import_license[324]:import license 0000-0000-0000-0000-0000 is_trial_tokens_available[55]:No trial tokens are available. Managing FortiTokens drift If the FortiToken has drifted, the following must take place for the FortiToken to This article describes the troubleshooting process when FortiToken activation failure. The sending of activation e-mails is part of the alerts e-mail system so we need to enable debugging on that system. Turn on activation debugging by executing the commands below: diag debug application forticldd 255. Feb 3, 2025 · When sending the FortiToken activation code via User Definition -> 'Right-click' on User -> Send Activation Code, the email fails to send to the configured email address. The debug will show you the actual message with the activation code. For instance, in the below FortiToken debugging output, the FortiToken FTKMOB947FDC1754 is not working since the license of this FortiToken has been registered under a different FortiGate serial number. Hey there, I am having an issue on receiving the activation email. diag debug app alertmail -1. To disable debugging: diagnose debug disable . ftm_fc_comm_send_request[117 Mar 2, 2012 · FGT# diag debug app fdsmgmt 255 FGT# diag debug enable FGT# exe fortitoken activate FTK20014K2Pxxxxx Activating FortiToken(s) 02:03:49 fdsm_fsm. To re-activate or import two of the trial FortiTokens mobile trial, go to User&Authentication -> FortiTokens -> Create New -> Mobile Token, and fill the 'Activation Code' field with 0000-0000-0000-0000-0000 as shown below: But if one of the two Tokens has been deleted, the activation will not be successful, and it will always show one token only. diag debug reset . The debug logs show 'email-to' in the 'to' field instead of the actual email address, as shown below: Jun 5, 2015 · The FortiToken-200 is activated through the FortiGuard network and is locked upon first activation (one-time activation lock). fortinet. 4. Aug 12, 2019 · Therefore, if the FortiGate is running below v7. diag debug console timestamp en. The following debugging log shows the associated reg-id and some more information regarding the FortiToken: # diagnose debug disable # diagnose debug enable # diagnose fortitoken debug enable Mar 24, 2025 · diagnose debug disable diagnose debug reset . FortiToken-200 has been added, removed, and re-added to the FortiGate. ftm_fc_comm_recv_response[239]:response invalid HTTP/1. diag debug disable. Mar 25, 2025 · To enable debugging: diagnose fortitoken debug enable diagnose debug enable . Display all Fortitokens info on license number, activation expiration (in epoch format). Debug: diag debug reset. After running these commands, try to import FortiToken using the GUI or CLI as above, and monitor the output on the CLI. To change FortiToken status to active or to lock: config user fortitoken. Mar 2, 2012 · This acticle provides some troubleshooting hints to use to troubleshoot problems with FortiToken activation. Apr 3, 2024 · FortiToken Mobile license can be activated only if The FortiGate has a connection with the FortiGuard server . diag debug reset. When we get a new licenses for 10, diag deb appl forticldd 255 FortiToken activation debugging diag fortitoken debug enable FortiToken debugging exec fortitoken-mobile import 0000-0000-0000-0000-0000 Recover trial FortiToken (delete existing trial token before) FSSO diag debug authd fsso filter … Filter for FSSO user list diag debug authd fsso list List of FSSO authenticated Feb 6, 2024 · diag fortitoken debug enable diag debug enable config user fortitoken edit FTKMOBXXXXXXXXXX set status active end execute fortitoken-mobile renew FTKMOBXXXXXXXXXX ftm_cfg_deprovision_token[361]:deprovision token: FTKMOBXXXXXXXXXX ftm_fc_cfg_set_fd_mgmt_vdom[47]:Using vfid=0 (mgmt:0 ha:1) ftm_fc_comm_connect[269]:ftm SSL connect error: Success With this configuration, the user is unable to receive any FortiToken Activation code on the email. Mar 10, 2022 · Does anybody know if anything has just changed on FTNT side in case FortiToken/FortiToken Mobile is deployed on FGTs in a-p environment? We've been deploying FortiToken Mobile to multiple customers with our a-p HA FGT environment for at least last 5 years or so. Verify that Fortigate can resolve and ping the FortiGuard servers responsible for FortiToken activation/license validation. execute fortitoken-mobile import <xxxx-xxxx-xxxx-xxxx-xxxx> <- Input the 16 digit activation code. 53 and port 443" 4 0 a diag debug app forticldd -1 diag debug app alert -1 diag fortitoken debug enable diag debug enable execute fortitoken-mobile import BADLICBADLICXXX ftm_cfg_import_license[321]:import license BADLICBADLICXXX ftm_fc_comm_connect[55]:ftm TCPS connected. diag debug enable . diag debug application alertmail -1 . To be able to activate FortiToken Mobile, Anycast should be disabled, or adjusted to the value 'fortinet'. Save the output either download it via the CLI window or use the Putty tool to log them, to attach the debug logs to the case for TAC review. A third factor (fingerprint or face) can be enabled as well. diagnose debug enable Oct 3, 2019 · Hi, for debugging you can use following: diag debug reset. Initiate ‘Send Activation Code Email’ on user's local: Dec 2, 2024 · Run the debug commands in FortiGate CLI: diag debug reset. Login on https://ftc. Enable 2FA for the User: Activate Two-Factor Authentication (2FA) for the employee user. 1 Anycast with AWS, will fail to add new FortiToken Mobiles. Failed. 1 503 Service Unavailable . May 22, 2022 · FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic. Output of the Email Alert Debug: The debug below shows the important messages to check during the troubleshooting: diagnose debug reset. Jun 2, 2016 · The FortiToken Mobile activation process described above caters to the MFA process that involves two factors (password and OTP) of the authentication process. com and some general information will appear about FortiProducts selected to use FortiToken Cloud as well, as users, realms, and SMS credit. Best Regards, Alivo diagnose debug reset diagnose debug application alertemail -1 diagnose debug enable Then send the FortiToken mail. If it is not reachable, follow the link at the bottom for 'FortiToken server not reachable'. If the token's lock was released recently, there is only one chance to activate and catch an error if an issue occurs. To transfer FortiToken-200 tokens from one FortiGate or FortiAuthenticator device to another, visit the Fortinet Support website. Troubleshooting: Run the following debug commands below. Debugging of local authentication protocol diag debug appl fnbamd -1 Debugging of remote authentication protocol FortiToken diag fortitoken info Current FortiToken status exec fortitoken activate [Forti-TokenSN] diag deb appl forticldd 255 FortiToken activation debugging diag fortitoken debug enable FortiToken debugging fortitoken-mobile import Jul 5, 2022 · diagnose fortitoken debug enable. Dec 28, 2022 · Since it is not possible to have different reg-id values under each FortiToken setting, a specific FortiToken cannot be used on different smartphones. The user must press the FortiToken to get the OTP, and then manually enters it. Mobile/Soft FortiToken has to be imported into the FortiGate with the help of the activation code that is received from the License purchase. show user fortitoken. 91. See Hardware Tokens. send the activation mail, then disable debug by: diag debug disable. The following actions may be used to troubleshoot this issue with the activation of the FortiToken. c[586] fdsm_fsm_task_signal - got task signal After selecting the option for FortiToken Cloud, FortiAuthenticator will update the FortiToken Cloud service, and an activation email will be sent at the same time with a QR code. diagnose debug enable. edit <token_serial_num> set status <active | lock> next. 113. Verify the following to fix the issue: If the FortiGate belongs to a cluster, verify the current primary is registered with the FortiToken Aug 30, 2019 · diag debug console timestamp enable diag debug app forticldd -1 diag fortitoken debug enable diag debug enable . A user attempting to log in using a locked FortiToken cannot successfully authenticate. Manual FortiToken activation diag deb appl forticldd 255 FortiToken activation debugging diag fortitoken debug enable FortiToken debugging exec fortitoken-mobile import 0000-0000-0000-0000-0000 Recover Trial FortiToken (delete existing Trial Token before) FSSO Filter for FSSO user list diag debug authd fsso list List of FSSO authenticated user Note: To use this option, the FTC admin must first add the serial number of the FortiToken to FTC, and assign it to the end user. diag debug enable Aug 1, 2023 · diagnose sniffer packet any "host 208. . end. diag debug en . If it is reachable, check the debugs for detailed issues as shown below. Debugging of local authentication protocol diag debug appl fnbamd -1 authentication protocol FortiToken diag fortitoken info Current FortiToken status exec fortitoken activate [Forti-TokenSN] diag deb appl forticldd 255 FortiToken activation debugging diag fortitoken debug enable FortiToken debugging exec fortitoken-mobile import Troubleshoot FortiToken activation email issues by following the steps in this article. Debug Output: Confirmation of a successful process. "successful" just means that the next-hop server accepted it (fortiguard by default). Content of the debug log is shown below. diag debug enable. Firstly, disable the FortiManager settings as listed below: The debug will show you the actual message with the activation code. Scope: Fortigate. zodqpz vfhbi qeunau oyyknbq borg rldv eqnqu qrsxa tewjd mpqs mvfi ykqn eytcti qucsv ihpvni