Enable MFA on FortiGate Firewalls for No Additional Cost
Are you looking to enable multi-factor authentication (MFA) on your FortiGate firewall at no cost? Well, you’ve certainly come to the right place! While there are many alternative MFA solutions that one can deploy on a FortiGate firewall for VPN authentication, below I will describe the required steps to configure MFA over email at no additional cost to your organization.
Note that while this MFA method may provide your organization with an added layer of security, email communications may be prone to interception by which potential intruders can obtain the authorization codes for their own malicious use. It is therefore highly recommended to utilize more secure MFA methods whenever possible.
1. Configure SMTP Settings
Let’s begin by configuring the SMTP settings on the firewall. This is a critical step that should not be overlooked or disregarded as it allows for the firewall to send the MFA authorization tokens via email to your VPN users.
- Sign into your organization’s FortiGate management portal as a system administrator.
- In the left navigation pane, navigate to “System” and then “Settings”.
- Scroll down the page and locate the “Email Service” section.
In the example shown above, I am using a licensed O365 mailbox account which I’ve designated as the email address to be used for all outbound MFA communications. I specified both the SMTP server address and port to point to Microsoft’s SMTP server and enabled authentication. Next, enter your chosen email address and password. If you’re using an O365 hosted email address, be sure to select “STARTTLS” as your security mode. Finally, configure the “Default Reply To” email address with a mailbox that is actively monitored. In our example, I am utilizing a single address for both outbound emails and replies, but that is certainly not a requirement.
2. Configure MFA via CLI
While FortiGate offers this service free of charge, it does not expose this feature in its management graphical user interface (GUI). Instead, you will need to run a few short CLI commands to enable MFA for VPN user and system administrator accounts.
- Click on the “>_” button on the upper right-hand corner of the management portal.
Next, reference the below CLI snippets to implement MFA over email on the user and/or system administrator level. Simply tweak the code below to best match your desired configuration and execute within FortiGate’s CLI.
Use caution when enabling MFA on a system administrator account. It is highly recommended that you maintain access through a secondary system administrator account before proceeding with testing and implementation. Failure to do so may lock you out of your account!
Enable MFA for a VPN User Account:

    config user local
        edit username
            set two-factor email
            set email-to [email protected]
        next
    end

Enable MFA for a System Administrator Account:

    config system admin
        edit administrator
            set accprofile "super_admin"
            set two-factor email
            set email-to [email protected]
        next
    end
3. Confirm MFA Implementation
Once you’ve enabled MFA via the CLI for the respective user(s), navigate to “User Authentication” and then “User Definition” and confirm that the user’s email address is visible within the “Two Factor Authentication” column.
Next, click on the user’s VPN account and confirm that “Two Factor Authentication” is toggled on and that the “Authentication Type” is configured to “Email based two-factor authentication” as shown in the example below. If everything checks out, your work on the firewall management portal is now complete.
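To confirm the same thing across every account at once rather than clicking through each user, here is an added Python script (not from the original article and not a FortiGate tool) that parses the “config user local” and “config system admin” sections of a FortiOS configuration backup and lists every account that has no email MFA or no email-to address. The sample configuration and addresses are constructed, and it also shows that nested blocks such as trusthost entries are skipped rather than miscounted as accounts.

```python
# Constructed sample of a FortiOS config backup (not from a real device): "bob" has no MFA.
SAMPLE_CONFIG = """\
config user local
    edit "alice"
        set two-factor email
        set email-to "alice@example.com"
    next
    edit "bob"
    next
end
config system admin
    edit "admin"
        set accprofile "super_admin"
        set two-factor email
        set email-to "admin@example.com"
        config trusthost
            edit 1
                set ipv4-trusthost 10.0.0.0 255.255.255.0
            next
        end
    next
end
"""
SECTIONS = {"config user local": "user", "config system admin": "admin"}

def parse_accounts(config_text):
    """Map (kind, name) -> {"two_factor", "email_to"} for each local user and admin."""
    accounts, stack, kind, name = {}, [], None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):     # enter a config block (may be nested)
            stack.append(line)
            kind = SECTIONS.get(line) if len(stack) == 1 else kind
        elif line == "end" and stack:      # leave the innermost config block
            stack.pop()
            kind = kind if stack else None
        elif kind and len(stack) == 1:     # only top-level entries are accounts
            if line.startswith("edit "):
                name = line[5:].strip('"')
                accounts[(kind, name)] = {"two_factor": None, "email_to": None}
            elif line == "next":
                name = None
            elif name and line.startswith("set two-factor "):
                accounts[(kind, name)]["two_factor"] = line.split(None, 2)[2]
            elif name and line.startswith("set email-to "):
                accounts[(kind, name)]["email_to"] = line.split(None, 2)[2].strip('"')
    return accounts

def find_missing_mfa(config_text):  # no email MFA, or email MFA without a recipient
    return sorted(f"{kind}:{name}" for (kind, name), a in parse_accounts(config_text).items()
                  if a["two_factor"] != "email" or not a["email_to"])
```

Run it against the text of a full backup (System > Configuration > Backup) to get a list such as user:bob of accounts still to fix.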
4. VPN User Experience
Next we’ll review the end user’s experience after MFA has been implemented. Note that no additional configuration is required in the end user’s FortiClient VPN application. Simply have the user open their FortiClient VPN application, enter their user credentials and click “Connect”.
Note that the user will now be prompted for a token entry to proceed with the authentication process. Have the user enter the authorization token sent to their email in the “Token” field and click “OK” to establish the VPN connection.