Public/Enable-PushNotifcations.ps1

Function Enable-PushNotifications {
    <#
    .Description
    Enable Push Notifications for Fortitokenson a Public Interface
 
    .Parameter UnusedPort
    <1-65535> Specify a port not used on the WAN interface for the given WAN IP.
 
    .Parameter WanInterfaceName
    Specify the Name of the Wan Interface
 
    .Parameter WanIP
    WAN IP within the range of the chosen Wan Interface
 
    .Example
 
    $Params = @{
        UnusedPort = "26357"
        WanInterfaceName = "port1"
        WanIP = "1.1.1.1"
    }
 
    Enable-PushNotifications @params
 
    .Example
    This example generates and SSH session and invokes the output of this function against that sessions.
 
    New-SSHSession -computername 192.168.0.1
 
    $Params = @{
        UnusedPort = "26357"
        WanInterfaceName = "port1"
        WanIP = "1.1.1.1"
    }
    $command = Enable-PushNotifications @params
 
    $result = Invoke-SSHCommand -Command $command -SessionId 0
    $result.output
 
    .Example
    This example generates multiple SSH sessions and invokes the output of this function against all active sessions.
 
    New-SSHSession -computername 192.168.0.1
    New-SSHSession -computername 192.168.1.1
 
    $Params = @{
        UnusedPort = "26357"
        WanInterfaceName = "port1"
        WanIP = "1.1.1.1"
    }
    $command = Enable-PushNotifications @params
 
    $sessions = Get-SSHSession
    foreach ($session in $sessions) {
        Write-Output "Invoking Command against $session.host"
        $result = Invoke-SSHCommand -Command $command -SessionId $session.sessionID
        $result.output
    }
 
    .Notes
    https://kb.fortinet.com/kb/documentLink.do?externalID=FD48702
    https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/183204/ssl-vpn-with-fortitoken-mobile-push-authentication
 
    * There must be at least one administrator account with no trusted hosts configured:
    * The FortiGate checks trusted host settings before allowing incoming traffic.
    * This also applies to push notification responses.
    * If no administrator without trusted hosts exists, the push response is denied and fails
    * An administrator account with no privileges at all is sufficient to this end.
 
    * If the FortiGate with push notification enabled is behind a router/other firewall that performs NATing, then a virtual IP/port forwarding must be configured on that unit to allow responses to reach the FortiGate.
    * The FortiGate’s server-ip must be set to the same IP the edge firewall/router allows the inbound traffic on.
 
    .Link
    https://github.com/TheTaylorLee/AdminToolbox/tree/master/docs
    #>


    [CmdletBinding()]
    Param (
        [Parameter(Mandatory = $True)]$UnusedPort,
        [Parameter(Mandatory = $True)]$WanInterfaceName,
        [Parameter(Mandatory = $True)][ValidatePattern('^[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}[.]{1}[0-9]{1,3}$')]$WanIP
    )

    $pass = Read-Host "Provide a password for an unprivileged admin. This is required for Push Notifications to be enable. One admin account must not have 2fa enabled. (Password)"

    Write-Output "
#Enable SSL Client VPN Push Notifications
config system accprofile
    edit no_access
        set system-diagnostics disable
    next
end
 
edit FTMAdmin
        set accprofile 'no_access'
        set comments 'For Fortitokens Do Not Disable!!!!!! The FortiGate checks trusted host settings before allowing incoming traffic. This also applies to push notification responses. If no administrator without trusted hosts exists, the push response is denied and fails.'
        set password ""$pass""
    next
end
 
config system ftm-push
    set server-ip $WanIP
    set server-port $UnusedPort
    set status enable
end
 
config system interface
    edit ""$WanInterfaceName""
        set allowaccess ftm
    next
end
"

}