FortiAuthenticator
FortiAuthenticator provides access management and single sign on.
acvaldez
Staff
Article Id 196922

Description


This article describes how to set up an active-passive FortiAuthenticator cluster with a load-balancing slave.


Solution

 

Primary FortiAuthenticator (High Priority) - Management interface IP 10.176.1.104, gateway 10.176.2.86.

Secondary FortiAuthenticator (Low Priority) - Management interface IP 10.176.1.100, gateway 10.176.2.86.

Load Balancing Slave - Management interface IP 10.177.2.89, gateway 10.47.7.254.

 
 
Primary FortiAuthenticator configuration.
 
High Availability Settings:
 
1.png

 

Secondary FortiAuthenticator configuration.
 
High Availability Settings:
 
2.png

 

Static Route configuration:
 
- The static route is needed so that the primary and secondary FortiAuthenticator can reach the load-balancing slave via the management interface.
- Configure this only on the primary FortiAuthenticator; the route configuration syncs to the secondary FortiAuthenticator.
- In a geo-HA deployment, if the HA connection traverses firewalls, keep in mind that UDP port 1194 should be opened.
 
3.png
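
As an added example (not part of the original article and not Fortinet tooling), the following Python script audits exported firewall flow records against the UDP 1194 requirement above: it reports HA traffic denied between the three management IPs and UDP 1194 allowed to or from hosts outside the cluster. The `src,dst,proto,dport,action` record format and the sample rows are constructed assumptions.

```python
"""Audit firewall flow records for FortiAuthenticator HA traffic (UDP 1194)."""
import csv
import io
import ipaddress

# Management IPs taken from the article.
HA_MEMBERS = {
    ipaddress.ip_address("10.176.1.104"): "primary",
    ipaddress.ip_address("10.176.1.100"): "secondary",
    ipaddress.ip_address("10.177.2.89"): "lb-slave",
}
HA_PORT = 1194  # UDP port the article says should be opened

# Constructed sample: src,dst,proto,dport,action (hypothetical export format).
SAMPLE_FLOWS = """\
10.177.2.89,10.176.1.104,udp,1194,allow
10.176.1.104,10.177.2.89,udp,1194,allow
10.177.2.89,10.176.1.100,udp,1194,deny
10.50.3.7,10.176.1.104,udp,1194,allow
10.177.2.89,10.176.1.104,tcp,443,allow
"""


def audit_ha_flows(text):
    """Return (blocked_between_members, allowed_with_non_member)."""
    blocked, unexpected = [], []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip blank or malformed lines rather than guessing
        src, dst, proto, dport, action = (f.strip().lower() for f in row)
        if proto != "udp" or dport != str(HA_PORT):
            continue
        try:
            s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        s_role, d_role = HA_MEMBERS.get(s), HA_MEMBERS.get(d)
        if s_role and d_role and action == "deny":
            # Member-to-member HA traffic dropped: sync will fail.
            blocked.append((s_role, d_role))
        elif action == "allow" and (s_role is None) != (d_role is None):
            # Exactly one side is an HA node: the rule is broader than needed.
            unexpected.append((src, dst))
    return blocked, unexpected


if __name__ == "__main__":
    blocked, unexpected = audit_ha_flows(SAMPLE_FLOWS)
    print("HA traffic blocked between members:", blocked)
    print("UDP 1194 allowed to/from non-members:", unexpected)
```
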

 

Load Balancing Slave FortiAuthenticator configuration.
 
High Availability Settings:
 
- Configure the management IP address of the primary FortiAuthenticator here.
- After that, it automatically detects the management IP address of the secondary FortiAuthenticator.
 
4.png

 

Static Route configuration:
 
- A static route is needed for the load-balancing slave to reach the management IP addresses of the primary and secondary FortiAuthenticator.
 
5.png

 

Result:
 
- The load-balancing slave is now communicating and syncing successfully with the primary FortiAuthenticator.
- Once the primary FortiAuthenticator is down, the load-balancing slave connects to the secondary FortiAuthenticator.
 
6.png