Public/Enable-PushNotifcations.ps1
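Function Enable-PushNotifications {
    <#
    .Description
    Enable Push Notifications for FortiTokens on a public interface.
    The function does not touch the device itself: it prompts for the password of an
    unprivileged admin account and writes the FortiOS CLI commands to stdout as one
    string, so the caller can send them over an SSH session (see the examples).
    .Parameter UnusedPort
    <1-65535> Specify a port not used on the WAN interface for the given WAN IP.
    .Parameter WanInterfaceName
    Specify the name of the WAN interface.
    .Parameter WanIP
    WAN IP within the range of the chosen WAN interface.
    .Example
    $Params = @{
        UnusedPort       = "26357"
        WanInterfaceName = "port1"
        WanIP            = "1.1.1.1"
    }
    Enable-PushNotifications @params
    .Example
    This example generates an SSH session and invokes the output of this function against that session.

    New-SSHSession -computername 192.168.0.1
    $Params = @{
        UnusedPort       = "26357"
        WanInterfaceName = "port1"
        WanIP            = "1.1.1.1"
    }
    $command = Enable-PushNotifications @params
    $result = Invoke-SSHCommand -Command $command -SessionId 0
    $result.output
    .Example
    This example generates multiple SSH sessions and invokes the output of this function against all active sessions.

    New-SSHSession -computername 192.168.0.1
    New-SSHSession -computername 192.168.1.1
    $Params = @{
        UnusedPort       = "26357"
        WanInterfaceName = "port1"
        WanIP            = "1.1.1.1"
    }
    $command = Enable-PushNotifications @params
    $sessions = Get-SSHSession
    foreach ($session in $sessions) {
        Write-Output "Invoking Command against $session.host"
        $result = Invoke-SSHCommand -Command $command -SessionId $session.sessionID
        $result.output
    }
    .Notes
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD48702
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/183204/ssl-vpn-with-fortitoken-mobile-push-authentication

    * There must be at least one administrator account with no trusted hosts configured:
        * The FortiGate checks trusted host settings before allowing incoming traffic.
        * This also applies to push notification responses.
        * If no administrator without trusted hosts exists, the push response is denied and fails.
        * An administrator account with no privileges at all is sufficient to this end.
    * If the FortiGate with push notification enabled is behind a router/other firewall that performs NATing,
      then a virtual IP/port forwarding must be configured on that unit to allow responses to reach the FortiGate.
    * The FortiGate's server-ip must be set to the same IP the edge firewall/router allows the inbound traffic on.
    * The emitted commands contain the admin password in clear text; treat the returned string (and any
      transcript or log that captures it) as a secret.
    .Link
    https://github.com/TheTaylorLee/AdminToolbox/tree/master/docs
    #>

    [CmdletBinding()]
    [OutputType([string])]
    Param (
        # Port number only; the FortiOS 'set server-port' value is emitted verbatim.
        [Parameter(Mandatory = $True)][ValidatePattern('^[0-9]{1,5}$')]$UnusedPort,
        [Parameter(Mandatory = $True)][ValidateNotNullOrEmpty()]$WanInterfaceName,
        # Dotted-quad shape only; octet ranges are not checked.
        [Parameter(Mandatory = $True)][ValidatePattern('^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}$')]$WanIP
    )

    # Read the password masked so it is not echoed to the console or a transcript.
    # It still has to be converted back to clear text because the FortiOS CLI
    # 'set password' command takes the literal value.
    $securePass = Read-Host -AsSecureString "Provide a password for an unprivileged admin. This is required for Push Notifications to be enable. One admin account must not have 2fa enabled. (Password)"
    $pass = [System.Net.NetworkCredential]::new('', $securePass).Password
    if ([string]::IsNullOrEmpty($pass)) {
        # An empty value would emit 'set password ""' and create an admin without a password.
        throw 'A non-empty password is required for the FTMAdmin account.'
    }

    # 'edit FTMAdmin' must run inside 'config system admin'; the preceding 'end'
    # closes the accprofile table, so the admin table has to be opened explicitly.
    # NOTE(review): 'set allowaccess ftm' replaces the interface's existing allowaccess
    # list rather than adding to it - confirm no other service (e.g. https/ssh) is
    # needed on that interface, or use 'append allowaccess ftm' instead.
    Write-Output "
#Enable SSL Client VPN Push Notifications
config system accprofile
edit no_access
set system-diagnostics disable
next
end
config system admin
edit FTMAdmin
set accprofile 'no_access'
set comments 'For Fortitokens Do Not Disable!!!!!! The FortiGate checks trusted host settings before allowing incoming traffic. This also applies to push notification responses. If no administrator without trusted hosts exists, the push response is denied and fails.'
set password ""$pass""
next
end
config system ftm-push
set server-ip $WanIP
set server-port $UnusedPort
set status enable
end
config system interface
edit ""$WanInterfaceName""
set allowaccess ftm
next
end
"
}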