In short, you can use the same account for admin or VPN access on multiple firewalls with the same FortiToken. The one hard requirement is that all of the firewalls are registered under the same Fortinet support account.
If you are adding a new firewall to the environment, the only real change that needs to be made is in the FortiIdentity cloud portal. We went under Applications, then FortiProducts, and associated the new firewall with the same authentication realm as the original firewall. This must be done with the primary root admin account. There are "products" listed for both the FortiGate Admin and the FortiGate root, and both need to be associated with the same realm: root covers the VPN accounts and Admin covers the local administrators.
Now, with everything under the same realm, we can use the same account on both firewalls with the same FortiToken that was already assigned and provisioned. This saves on licensing and makes account management a bit easier. I was able to test this using my VPN account, which exists on both firewalls, and I can authenticate to both using the existing FortiToken on my phone.
We do have to ensure that, if the same account is to be used on both FortiGates, whether it is an admin or a VPN user, the account is created locally on each firewall with the same credentials and with FortiToken checked there. That syncs the user to the cloud, and if the token was previously set up, nothing more needs to be done with FortiToken on that user's phone.
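To make the local-account step concrete, here is what the equivalent FortiOS CLI looks like for one VPN user and one administrator. This is an added example and not configuration from the original post; the user names, email address, password placeholders, group name and profile are assumptions, and the same block would be applied on each FortiGate that shares the realm. The `execute fortitoken-cloud` commands at the end are the check a practitioner would run afterwards to confirm the firewall sees its FortiToken Cloud realm and the newly synced users; treat the exact output as dependent on the FortiOS version.

```text
# Assumed local VPN user. Applied identically on every FortiGate in the realm.
# "two-factor fortitoken-cloud" is the CLI equivalent of ticking FortiToken
# in the GUI; it pushes the user to the FortiToken Cloud realm on save.
config user local
    edit "jdoe"                         # assumption: same name on every unit
        set type password
        set passwd "<same-password-on-every-firewall>"
        set two-factor fortitoken-cloud
        set email-to "jdoe@example.com" # assumption: activation/notice address
    next
end

# Assumed user group referenced by the SSL/IPsec VPN policy.
config user group
    edit "vpn-users"
        set member "jdoe"
    next
end

# Assumed local administrator protected with the same cloud token.
config system admin
    edit "jdoe-admin"
        set accprofile "super_admin"    # assumption: tighten to least privilege
        set vdom "root"
        set two-factor fortitoken-cloud
        set email-to "jdoe@example.com"
        set password "<same-password-on-every-firewall>"
    next
end

# Post-change check: force a sync with FortiToken Cloud and list what this
# firewall knows about its realm and users. Run on each firewall in turn.
execute fortitoken-cloud sync
execute fortitoken-cloud show
```

If the second firewall shows the user under the same realm but the phone prompts for a new activation, the two firewalls are not associated with the same realm in the portal, and the fix belongs there rather than on the FortiGate.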
