donghee
Staff
September 15, 2025

Technical Tip: Understanding LDAP Routing Behavior in FortiGate HA Direct Environments

Description

This article explains why, in a FortiGate HA cluster with the HA Direct feature enabled, administrator authentication traffic to an LDAP server is routed through the dedicated MGMT (management) interface, while other LDAP query traffic (for example, periodic user synchronization) is sent out through a regular service interface (for example, x1).

Scope

FortiGate.
Solution

Symptoms.

  • The ha-direct feature is enabled on a FortiGate HA cluster.

  • When an administrator logs in, LDAP traffic is routed through the MGMT interface.

  • Background LDAP processes initiated by the FortiGate (e.g., user synchronization or status checks) try to communicate via a regular service interface.


Cause.

This behavior is expected. The FortiGate routes LDAP traffic differently depending on whether it belongs to an administrator authentication task or not.


Authentication traffic for administrative access is routed out of the MGMT interface according to the ha-direct priority. This keeps management access working regardless of the HA cluster's status.


Other LDAP query traffic, such as periodic background processes initiated by the FortiGate itself, does not follow the ha-direct priority. It is resolved through the regular routing table, which sends it out of a service interface.


If the FortiGate only needs to query the LDAP server during a login event, disable the user-info setting in the LDAP server object to stop the periodic LDAP queries.

Under config user ldap, use the following commands:

config user ldap
    edit "LDAP-Server-Name"
        set user-info disable
    next
end


With this setting, the FortiGate queries the LDAP server only when a login event occurs, which removes the background LDAP traffic leaving the service interface.
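As an added example (not part of the Fortinet article or FortiOS itself), the following Python script audits a "show user ldap" dump and reports which LDAP server objects still have user-info enabled, i.e. which ones will keep sending periodic LDAP queries out of a service interface. It assumes that FortiOS "show" output prints only non-default values, so an absent "set user-info" line means the default (enable) is in effect; the sample output, server names and addresses are constructed.

```python
import re

# Constructed sample of "show user ldap" output (not captured from a real device).
SAMPLE_SHOW_USER_LDAP = """\
config user ldap
    edit "LDAP-Server-Name"
        set server "10.0.0.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "ldapbind@example.com"
        set user-info disable
    next
    edit "LDAP-Backup"
        set server "10.0.0.11"
        set dn "dc=example,dc=com"
    next
end
"""


def parse_user_ldap(show_output: str) -> dict:
    """Return {server_name: {setting: value}} for each 'edit' block in the dump."""
    servers, current = {}, None
    for line in show_output.splitlines():
        line = line.strip()
        if m := re.fullmatch(r'edit "([^"]+)"', line):
            current = m.group(1)
            servers[current] = {}
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            servers[current][m.group(1)] = m.group(2).strip('"')
        elif line == "next":
            current = None
    return servers


def servers_with_periodic_queries(show_output: str) -> list:
    """Names of LDAP objects whose user-info is enabled, explicitly or by default.

    Assumption: a missing 'set user-info' line means the FortiOS default (enable),
    because 'show' omits values that equal their default."""
    servers = parse_user_ldap(show_output)
    return sorted(n for n, s in servers.items() if s.get("user-info", "enable") == "enable")


def remediation_cli(name: str) -> str:
    """CLI block from the article that disables periodic queries for one object."""
    return f'config user ldap\n    edit "{name}"\n        set user-info disable\n    next\nend'


if __name__ == "__main__":
    for name in servers_with_periodic_queries(SAMPLE_SHOW_USER_LDAP):
        print(f"{name}: user-info enabled; background LDAP queries egress via a service interface")
        print(remediation_cli(name))
```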


Note:

If user-info is kept enabled (the default), administrator authentication still works correctly even when the periodic LDAP traffic leaving the service interface is ignored or receives no answer, because the login-time authentication query is routed through the MGMT interface.


Related articles:

Technical Tip: FortiGate uses different interfaces for GUI and CLI LDAP test when ha-direct is enabled

Technical Tip: How to stop automatic LDAP connection attempt from the FortiGate toward the LDAP server