Update: FortiOS 6.2.3 has been released!
Excellent news: Fortinet resolved the issue with mobile token authentication for SSL-VPN. See the release notes. This is very good news!!
Fortigate FortiOS 6.2.2 – What you need to know!
Fortigate released FortiOS 6.2.2 (patch 2) at the end of October. The release of patch 2 was intended to mitigate an SSL-VPN vulnerability. Fortigate advised their customers to upgrade to patch 2. This is the Fortigate KB article
Unfortunately, after upgrading a Fortigate firewall to 6.2.2, SSL-VPN access which requires a FortiToken (second authentication) no longer works. This is mentioned in the release note for FortiOS 6.2.2. Therefore, I suggest that if your business requires FortiToken, you should not go through with this upgrade.
We have a client who is using FortiToken for SSL-VPN. They have a Fortigate 61E. After receiving the alert from our Swiss Fortigate distributor, I suggested that the client upgrade to 6.2.2. His Fortigate was still on FortiOS 6.0.5.
The story about FortiOS 6.2.2 (patch2)
The upgrade process went smoothly without encountering any issues. After the upgrade I did an SSL-VPN test. After entering the username and password I was prompted for the FortiToken. This is a mobile token generated by the FortiToken app on iOS or Android devices. However, the FortiToken was not accepted using FortiClient for MacOS or Windows. Even logging in via web to the VPN portal didn’t work. Before upgrading the FortiOS I had tested the SSL-VPN with FortiToken and faced no issues.
I called the Fortigate Swiss support and together we carried out several tests, but were just not able to figure out the issue. The technician opened a support ticket with Fortigate USA. The following day we received an answer from Fortigate quoting the release note for the patch.
Mobile token authentication does not work for SSL VPN on SOC3 platforms.
I had no choice but to tell the client that FortiToken was not working with this patch. I offered the client two solutions; either downgrade FortiOS or disable FortiToken until a fix is released. The client opted to wait for the next patch.
Fortigate has announced that they will be releasing FortiOS 6.2.3 in the coming weeks. But whether this patch will fix this particular problem is not yet known. We will just have to wait and see.
Don’t be blind! Read and re-read the release note! 🙂 On the other hand who would imagine that a new FortiOS release would disable FortiToken for SSL-VPN?!
Please see my article about FortiOS 6.2