In this video, we’ll configure two-factor authentication, so I’ve referenced a previous video, but the focus will be on uh two-factor authentication with 40 token mobile, and how to configure push notifications on our Fortigate Firewall, as well as some basic troubleshooting Okay, so just a quick recap of how the Firewall is configured, we have a Firewall Policy that refers traffic coming in from our SSL Vpn Tunnel Interface to our internal network. Is There Anybody Who Has Access To The 192? 168 words We Also See That, That Same User Group Is There So Now Let's Just Do The Additional Step Of Adding That Second Factor Of Authentication Okay So To Do This Let's Go To Our User And Authentication 40 Tokens Section You Should See The Tokens There Like I Do But Just For Demonstrative Purposes I'm Going To Delete Them And Import, Free Trial Tokens In The Case That You ' Let’s associate them with our specific user now, so we’ll just select Two Factor Authentication on that user, then associate a token, and finally enter an authentication code. Okay, and then once I click OK, that email will be sent out. Once you receive the email, simply click on the QR code attachment, and there you have it. Now, the next step is to ensure that we have 40 tokens installed on our smartphone. Once we have 40 tokens installed on our smartphone, we would simply click the plus sign in the top right corner, and then click Scan Barcode in the bottom left corner. To Be Recycling Every 60 Seconds All Right, Let's Put It To The Test Now That We're Connecting Via Vpn There We Go So Now Let's Just Find Our Token Code Four Four Two Four Two Two One Six Here We Go Perfect And Now, We've Accessed The Vpn Using Two-factor Authentication All Right So It's Great Now That We Have That Second Factor Of Authentication But What If To Take It One Step Further, What If We Want To Prevent The User From Having To Manually Enter That Six Digit Code Every Single Time They Try To Have This Second Factor Of Authentication, Well, Let's Go To Our Wan Interface So That If We Access When One And Let's Make Sure That Ftm Is Enabled Right So Let’s Say Any Remote User Um Is Trying To Authenticate To Vpn And Using Our Use Case Scenario Here Well Then If Ftm Is Listening On The Firewalls Wan Interface Where The Request Would Be Coming In Then The Two-factor Authentication Response Can Can Be Accepted Via The, Push Notification So Let’s Enable That Right Now All Right And Additionally Let’s Go Into The Cli And Typing 166 words a 2 Moreover Set The Server Dash Port To 8082 Right Now I’m Just Picking This Random Port And Then Set The Status To Enable So Just A Brief Explanation Here Is That When A User Receives A Push Notification On Their Mobile Phone, Which Will Prompt Once We Authenticate With The Correct Username And Password To The Fortigate, But Once They Receive That Push Notification, As Soon As They Hit Accept On The Fortigate

Notification Then the following IP Address And Port Will Receive That Traffic, Which In This Case Will Be Our Fortigates1 Public Ip, So Please Be Aware.

To ensure that traffic will actually reach that server, check the port and IP. Otherwise, you'll hit the Accept Button and nothing will actually work right, so let's get started. Now Let’s Try It Out In Action Now Awesome There We Go So We Got The Login Request There Now We Just Have To Hit Approve And We Can See The Push Notification Must, Have Got Back To The 40 Gate Because We Are Seeing The Tunnel Establishing And There We Have It The Tunnel Is Established Here All Right And Just A Couple Troubleshooting Tips In Case You Run Into Any, Type Of Issue So Let’s Say For Example Um The Problem Is That Initially When I’d probably check to see if it’s you know, just to make sure. Because the email is actually generated by the Fortigate Firewall using Fortigate's Internal Email Relay, there isn't any type of custom email server that you have under the system settings. So there's a pretty good chance that one will be up, but if not, For example, you may have had an out-of-date internal Smtp server, which is why you aren’t receiving emails. It’s also possible that you have a spam filter. Let's Just Set That Diag Debug Application Ftm Push -1 And Then Diag Debug Enable And Then Let's Just Try Again To Re-authenticate Okay There We Have It So We Can See That Some Information Is Seen On Our Debug Here Once I Hit Approve Then We'll See Even More Here We Have A Bit Of An Idea To Follow The Traffic To See If We Can Understand What Could Be Happening Based On The Debug Additionally Two Would Be To Check The Port That, We Had Configured Previously Right So Config Config System Ftm Push If If We're Receiving That That Accept And Deny Box Notification On Our Mobile Phone And We Don't Actually See That Traffic Coming In To

Our Phone Or Into Sorry When We Hit Accept We Don't See Any Type Of Response From Our Mobile Phone Perhaps It's Because The Mobile Phone Can't Actually Communicate Correctly With The Fortigate And This Would Be The Configuration We'd Be Relying On At That Point

So let's run through the test again, but first let me run a Packet Sniffer for 8082 to confirm that that traffic is actually coming into the firewall, because if you didn't see that traffic coming in, that could indicate that there is something in between the phone and the firewall, so let's type in 8082 here and then let's, run that Packet Sniffer here we're starting it up

Let Me Hit Approve And Then We’ll See That The Packet Capture Is Showing Packets Have Arrived So I Can You Know Get That Visibility To Make Sure That That Port Forwarding Rule Or That There Is Just No Issue Between

So, In This Specific Video Tutorial That, We Had Here, We Were Thinking About Okay, Let's Use One Type Of Application Such As Vpn To A Specific Firewall And, Then We Have A Token That Is Associated With The Firewall Itself That We Use For A Second Factor Of Authentication But Let's Consider A Use Case Where We Maybe we have multiple Fortigates or different vendor firewalls, and we also have switches, access points, and multiple different network appliances in our networks, or even across different cities municipalities. In that case, we might want to consider something more centralized, so if we can place those same tokens but instead of being on a 40 gate, they're on something centralized like a network appliance. Things are going well, thanks for joining us, and we’ll see you in the next video.