Description
This article describes how to set up an Active-Passive FortiAuthenticator cluster with a load-balancing slave.
Solution
PRIMARY FortiAuthenticator (High Priority) - Management interface IP 10.176.1.104, gateway 10.176.2.86.
SECONDARY FortiAuthenticator (Low Priority) - Management interface IP 10.176.1.100, gateway 10.176.2.86.
LOAD BALANCING SLAVE - Management interface IP 10.177.2.89, gateway 10.47.7.254.
Primary FortiAuthenticator configuration.
High Availability Settings:
Secondary FortiAuthenticator configuration.
High Availability Settings:
Static Route configuration:
- The static route is needed so that the primary and secondary FortiAuthenticator can reach the Load Balancing slave via the management interface.
- Configure this on the Primary FortiAuthenticator only; the route configuration will sync to the secondary FortiAuthenticator.
- In GEO-HA, if the HA connection traverses firewalls, keep in mind that UDP port 1194 should be opened.
Load Balancing Slave FortiAuthenticator configuration.
High Availability Settings:
- Configure the management IP address of the PRIMARY FortiAuthenticator here.
- After that, it will automatically detect the management IP address of the SECONDARY FortiAuthenticator.
Static Route configuration:
- A static route is needed for the load balancing slave to reach the management IP addresses of the PRIMARY and SECONDARY FortiAuthenticator.
Result:
- The Load Balancing Slave is now communicating and syncing successfully with PRIMARY FortiAuthenticator.
- Once the Primary FortiAuthenticator is down, the Load Balancing Slave connects to the Secondary FortiAuthenticator.
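
The UDP port 1194 note and the failover result above imply that a firewall between the sites has to pass HA traffic between the load-balancing slave and both cluster nodes, not only the primary. The following is an added example, not part of the original article or Fortinet's tooling, that audits a rule set for those flows and for rules wider than the three hosts. The rule format, rule names, first-match/default-deny model, and the choice to require both directions are assumptions.

```python
import ipaddress

# Addresses and port taken from the article.
PRIMARY, SECONDARY, LB_SLAVE = "10.176.1.104", "10.176.1.100", "10.177.2.89"
PROTO, PORT = "udp", 1194
NODES = {ipaddress.ip_network(a) for a in (PRIMARY, SECONDARY, LB_SLAVE)}

def required_flows():
    """Flows between each cluster node and the load-balancing slave.
    Assumption: both directions are listed because either side may initiate."""
    flows = []
    for node in (PRIMARY, SECONDARY):
        flows += [(node, LB_SLAVE), (LB_SLAVE, node)]
    return flows

def matches(rule, src, dst):
    """True if the rule covers HA traffic (UDP 1194) from src to dst."""
    return (rule["proto"] == PROTO and rule["port"] == PORT
            and ipaddress.ip_address(src) in ipaddress.ip_network(rule["src"])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule["dst"]))

def audit(rules):
    """Return (required flows not permitted, accept rules wider than the three hosts)."""
    missing = []
    for src, dst in required_flows():
        hit = next((r for r in rules if matches(r, src, dst)), None)  # first match wins
        if hit is None or hit["action"] != "accept":                  # default deny
            missing.append((src, dst))
    too_broad = [r["name"] for r in rules
                 if r["action"] == "accept" and r["proto"] == PROTO and r["port"] == PORT
                 and not {ipaddress.ip_network(r["src"]),
                          ipaddress.ip_network(r["dst"])} <= NODES]
    return missing, too_broad

# Constructed rule set (hypothetical names and format): the secondary-to-slave
# rule was forgotten, and the slave-to-site rule opens a whole /24.
SAMPLE_RULES = [
    {"name": "ha-primary-to-lb", "src": "10.176.1.104/32", "dst": "10.177.2.89/32",
     "proto": "udp", "port": 1194, "action": "accept"},
    {"name": "ha-lb-to-site", "src": "10.177.2.89/32", "dst": "10.176.1.0/24",
     "proto": "udp", "port": 1194, "action": "accept"},
]

if __name__ == "__main__":
    missing, too_broad = audit(SAMPLE_RULES)
    print("blocked HA flows:", missing)
    print("rules wider than the cluster hosts:", too_broad)
```

A rule set that only permits the primary would sync normally and then fail at the moment of failover, which is why the secondary's flows are checked as well.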