FortiAuthenticator 4.0 System

FortiGuard

To view and configure FortiGuard connections, go to System > Administration > FortiGuard. The FortiGuard Distribution Network (FDN) page provides information and configuration settings for FortiGuard subscription services. For more information about FortiGuard services, see the FortiGuard Center web page (http://www.fortiguardcenter.com).

Configure the following settings, then select OK to apply them:

FortiGuard Subscription Services
  Messaging Service The date until which the messaging service license is valid.
  SMS messages The total number of allowed SMS messages, and the number of messages that have been used.
FortiToken 200 Provisioning
  Server address The server address.
  Server port The server port.
FortiToken Mobile Provisioning
  Server address The server address.
  Server port The server port.
  Activation timeout The activation timeout in hours, from 1 to 168 hours.
  Token size The token size, either 6 or 8.
  Time step The time step, either 60 or 30.
  Require PIN Select to require a PIN.
FortiGuard Messaging Service
  Server address The server address.
  Server port The server port.

FTP servers

To view a list of the configured FTP servers, go to System > Administration > FTP Servers.

The following information is shown:

Create New Select to create a new FTP server.
Delete Select to delete the selected FTP server or servers.
Edit Select to edit the selected FTP server.
Name The name of the FTP server.
Server name/IP The server name or IP address, and port number.

To create a new FTP server:

  1. Select Create New. The Create New FTP Server window will open.
  2. Enter the following information:
Name Enter a name for the FTP server.
Connection type Select the connection type, either FTP or SFTP.
Server name/IP Enter the server name or IP address.
Port Enter the port number.
Anonymous Select to make the server anonymous.
Username Enter the server username (if Anonymous is not selected).
Password Enter the server password (if Anonymous is not selected).
  3. Select OK to create the new FTP server.

Administrator profiles

Similar to FortiOS, FortiAuthenticator can incorporate the use of admin profiles. Each administrator can be granted either full permissions or a customized admin profile. Profiles are defined as aggregates of read-only or read/write permission sets. The most commonly used permission sets are pre-defined, but custom permission sets can also be created.

To create a new admin profile, go to System > Admin Profiles > Manage > Create New. You can give the admin profile a name, a description, and configure the permission sets you want for that particular admin profile.

To assign admin profiles, go to Authentication > User Management > Local Users and select the admin profile for the administrator. You can assign more than one admin profile to each administrator.


Messaging

The FortiAuthenticator unit sends email for several purposes, such as password reset requests, new user approvals, user self-registration, and two-factor authentication.

By default, the FortiAuthenticator unit uses its built-in Simple Mail Transfer Protocol (SMTP) server. This is provided for convenience, but is not necessarily optimal for production environments. Fortinet recommends that you configure the unit to use a reliable external mail relay.

There are two distinct email services:

- Administrators – password reset, new user approval, two-factor authentication, etc.
- Users – password reset, self-registration, two-factor authentication, etc.

If you will be sending SMS messages to users, you must configure the SMS gateways that you will use. Ask your SMS provider for information about using its gateway. The FortiAuthenticator SMS gateway configuration differs according to the protocol your SMS provider uses.

SMTP servers

To view a list of the SMTP servers, go to System > Messages > SMTP Servers.

Although the FortiAuthenticator can be configured to send emails from the built-in mail server (localhost), this is not recommended. Anti-spam methods such as IP lookup, DKIM, and SPF can cause mail from such ad-hoc mail servers to be blocked. It is highly recommended that email be relayed via an official mail server for your domain.
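To make that SPF caveat concrete, here is an added example (not from the FortiAuthenticator guide) that evaluates a constructed SPF record against two candidate senders: the domain's official relay, whose network the record lists, and an appliance sending directly from an address the record does not cover. Only the DNS-free ip4, ip6 and all mechanisms are handled; the addresses and record are constructed for illustration.

```python
import ipaddress

# Minimal SPF (RFC 7208) evaluator covering only the ip4, ip6 and all
# mechanisms, which need no DNS lookups. include/a/mx/exists terms are
# skipped, so the result for records relying on them is only indicative.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result ("pass", "fail", "softfail", "neutral" or "none")
    for mail arriving from sender_ip under the given v=spf1 TXT record."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"          # no usable SPF record published
    for term in terms[1:]:
        qualifier = "+"        # a matched mechanism defaults to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":      # "all" matches every sender; usually the last term
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            # ip_network() accepts a bare address (host route) or a CIDR block;
            # an address of the other IP version never matches.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"           # no term matched and no "all" present


# Constructed example: the domain publishes its official relay's network
# (203.0.113.0/24) and rejects everything else with "-all".
EXAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8:1::/48 -all"
OFFICIAL_RELAY_IP = "203.0.113.25"   # mail relay listed in the record
APPLIANCE_IP = "198.51.100.7"        # FortiAuthenticator sending directly


def compare_senders(record: str = EXAMPLE_SPF) -> dict:
    """Show how the same message fares from the relay versus the appliance."""
    return {
        "relay": evaluate_spf(record, OFFICIAL_RELAY_IP),
        "appliance": evaluate_spf(record, APPLIANCE_IP),
    }


if __name__ == "__main__":
    for sender, result in compare_senders().items():
        print(f"{sender:>9}: {result}")
```

A receiving server applying "-all" rejects the appliance's direct mail outright, which is exactly what relaying through the domain's listed mail server avoids.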

The following information is shown:

Create New Select to create a new SMTP server.
Delete Select to delete the selected SMTP server or servers.
Edit Select to edit the selected SMTP server.
Set as Default Set the selected SMTP server as the default SMTP server.
Name The name of the SMTP server.
Server The server name and port number.
Default Shows a green circle with a check mark for the default SMTP server. To change the default server, select the server you would like to use as the default, then select Set as Default in the toolbar.

To add an external SMTP server:

  1. Go to System > Messages > SMTP Servers and select Create New. The Create New SMTP Server window opens.
  2. Enter the following information:
Name Enter a name to identify this mail server on the FortiAuthenticator unit.
Server Name/IP Enter the IP address or Fully Qualified Domain Name (FQDN) of the mail server.
Port The default port is 25. Change it if your SMTP server uses a different port.
Sender e-mail address In the From field, enter the email address that will appear when sending an email from the FortiAuthenticator unit.
Secure connection For a secure connection to the mail server, select STARTTLS from the drop-down list, then select the CA certificate that validates the server’s certificate. For information about importing the CA certificate, see Importing CA certificates and signing requests on page 144.
Enable authentication Select if the email server requires you to authenticate when sending email. Enter the Account username and Password if required.
  3. Optionally, select Test Connection to send a test email message. Specify a recipient and select Send. Confirm that the recipient received the message.

E-mail services

To view a list of the email services, go to System > Messages > E-mail Services.

The following information is shown:

Edit Select to edit the selected email service.
Recipient The name of the email recipient.
SMTP server The SMTP server associated with the recipient. The server can be selected from the drop-down list.
Save Select to save any changes made to the email services.

To configure email services:

  1. Go to System > Messages > E-mail Services and select the recipient you need to edit. The Edit E-mail Service window opens.
  2. Configure the following:
SMTP Server Select the SMTP server from the drop-down list.
Public Address Customize the address or link for the email.
Address discovery method Select the address discovery method:

- Automatic Discovery: Use the DNS domain name if configured, or automatically obtain the address from the browser or an active network interface.
- Specify an address: Manually enter the address and port number.
- Use the IP address from a network interface: Select a specific network interface from the drop-down list.

Address Enter the recipient address. Only available if Address discovery method is set to Specify an Address.
Port Enter the recipient port number. Only available if Address discovery method is set to Specify an Address.
Network interface Select a configured network interface from the drop-down list. This option is only available when the Address discovery method is set to Use the IP address from a network interface.
  3. Select OK to apply your changes.


5 thoughts on “FortiAuthenticator 4.0 System”

  1. Tim

    Have you seen FortiAuthenticator or FortiGate, for that matter, configured to utilize a third-party SMS authentication (i.e. SMSGlobal) for on-boarding a guest wireless user?
    Our wireless is third-party as well and not managed by FortiGate.

    We want to require the guest wireless user to enter their phone #, then in turn, receive an SMS message with a passcode that they would enter to complete the on-boarding process.

    Lots of companies facilitate the SMS piece; however, if it integrates with either the FortiGate or FortiAuthenticator, then I am missing something.

    Thanks!!

    Reply
    1. Mike Post author

      We have configured FortiGates to utilize other SMS providers (mostly Verizon) for 2FA / authentication means.

      Reply
    1. Mike Post author

      This particular article is discussing the FortiAuthenticator, which is a separate appliance / VM for authentication needs.

      Reply
  2. HSHA

    We have two FortiAuth VMs; we tried to create HA with a primary-slave configuration. The issue we were facing is that the primary FAC can see the peer device, with the error message "cluster not formed", but on the slave unit it is not showing any peer device; on cluster status it is showing the cluster is formed, but in the peer device section it is showing it is not.
    With the help of TAC we could find out that the heartbeat can be seen on the primary FAC by the slave FAC, but the HA heartbeat cannot reach the primary FAC from the slave.
    The primary FAC VM is on an ESXi server which is connected to a Cisco fabric switch > Cisco core switch > other-side fabric switch > slave FAC VM on the other-side ESXi server.
    We assigned a separate VLAN for HA connectivity, and that VLAN has been configured on the fabric switch as well as the core, and it is L2 only. So nothing is blocking the heartbeat broadcast between these two FACs, and there is no firewall in between either. Do you have any idea what would be the cause of this issue?

    Reply
