
nse8_812 Exam - Question 17


Refer to the exhibits.

GUI Access -

Configuration -

Topology -

An administrator has configured a FortiGate and FortiAuthenticator for two-factor authentication with FortiToken push notifications for their SSL VPN login. Upon initial review of the setup, the administrator has discovered that the customers can manually type in their two-factor code and authenticate, but push notifications do not work.

Based on the information given in the exhibits, what must be done to fix this?

Correct Answer: AD

For push notifications to function properly, the FortiToken Mobile (FTM) access protocol must be enabled on the FortiGate interface that is handling the push notification responses. According to Fortinet's technical requirements, the FTM service must be allowed on the interface that receives these responses. Therefore, enabling FTM access on FG-1 port1 will resolve the issue.

Discussion

7 comments
Viewable8041 Option: D
Sep 5, 2023

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-FortiAuthenticator-operation/ta-p/190810

The 'Public IP/FQDN for FortiToken Mobile' needs to be set to a reachable IP for FortiToken app access. Assuming there is NAT involved, it needs to be changed to the FG-1 port1 IP. The ISP Router port1 IP is definitely wrong in any case.

ama6 Option: B
Sep 14, 2023

B is correct

BozoPin Option: A
Oct 10, 2023

FTM allow access must be enabled, so A is correct.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiToken-mobile-push-notification/ta-p/195578

Requirements for FTM push to work properly:

"1) The FTM service must be allowed on the FTM response receiving interface

# config system interface
    edit <name>
        set allowaccess ftm
    next
end"

Nevertheless, C is correct, too ;-) I am confused. In the same doc:

"Note:
server-ip : The server IP address is the FortiGate's public IP or public IP address of device which is upstream and forwarding the push notification responses towards FortiGate. (This command is not supported from 6.4.10 onwards).
server : This can be public IP or Domain name (which resolved to FortiGate's Public IP). This option is not available on 6.4.9 and below"

FortigateEXP Option: D
Jan 1, 2024

This one is tricky because the answers present configurations relevant to FortiTokens with push notifications when the FTKs are registered to the FORTIGATE itself, not the FAC. This relates to answers A and C, so if the FTKs were configured on the FGT itself, then A and C would have to be fixed, and then the question would ask for 2 answers, not one. But here the FTKs are created/registered on the FORTIAUTHENTICATOR, and such a setup works everywhere, even when the perimeter firewall before the FAC is NOT a FortiGate, but Checkpoint/Juniper/Cisco ASA. So A & C are excluded as not impacting tokens located on the FAC. So D is correct, because this configured IP should always be a PUBLIC one that clients on the Internet can reach from their homes/hotels/etc. This is the IP the FAC sends to the FortiClient, telling it "Connect to this IP and port". Therefore it should be fixed to the IP on the perimeter (here FGT) firewall.

WBP43 Option: C
Aug 21, 2023

https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-FortiAuthenticator-operation/ta-p/190810

Correct answer is C

pitz Option: B
Oct 5, 2023

100.64.1.41 is a private IP and hence token push will not work, as all FortiTokens send requests to public IPs only.

re_j0hn Option: A
Jan 2, 2024

A. https://community.fortinet.com/t5/FortiGate/Technical-Tip-FortiToken-mobile-push-notification/ta-p/195578

re_j0hn
Feb 20, 2024

Change my answer to D. https://community.fortinet.com/t5/FortiAuthenticator/Technical-Tip-FortiToken-Push-on-FortiAuthenticator-operation/ta-p/190810