FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
ocara
Staff
Article Id 365396
Description

This article outlines best practices for upgrading FortiAuthenticator clusters configured in load-balancing mode.

Scope

FortiAuthenticator Cluster Load-Balancing.

Solution

This article outlines best practices for upgrading a FortiAuthenticator cluster operating in Load-Balancing Mode. Unlike Active-Passive Clusters, Load-Balancing Mode does not support a Coordinated Upgrade process. Therefore, the upgrade must be performed individually for each participating node.

If the standalone node is itself an Active-Passive cluster, a Coordinated Upgrade may still be possible for the members of that cluster; the Load-Balancer nodes are always upgraded individually.

 

Common Load-Balancing Scenarios:

The following scenarios are typical in Load-Balancing Mode deployments:

  • One Standalone Node + One Load-Balancer Node.
  • One Active-Passive Cluster (as a Standalone Node) + One Load-Balancer Node (connected to Primary).
  • One Standalone Node + Multiple Load-Balancer Nodes.
  • One Active-Passive Cluster (as a Standalone Node) + Multiple Load-Balancer Nodes (connected to Primary).

 

Recommended upgrade approach:

 

For clusters operating in Load-Balancing Mode, the recommended best practice is to start with the Standalone Node or the Standalone (Active-Passive) Cluster. Once the primary node upgrade is successfully completed, all services running on the FortiAuthenticator should be tested to ensure they function correctly with the new release. Upon successful verification, proceed with upgrading the Load-Balancer Nodes.

Services to Test: Authentication, LDAP, RADIUS, SAML, Multi-Factor Authentication, Portals, FSSO, and any other services running on the node.

 

Below is an example of a Load-Balancing Cluster upgrade from 6.5.3 to 6.5.6 GA:

 

Before starting the upgrade:

  • Ensure the cluster is in a Healthy State, all nodes are Connected, and status indicators are Green.
  • Record the Serial Numbers of the nodes participating in the cluster.
  • For Virtual Nodes, take a snapshot of the virtual machines to facilitate rollback if needed.
  • Verify the Upgrade Path and System Requirements using the Fortinet Official Guide.

 

Standalone Node Status connected to the Load-Balancer Node:

[Screenshot: 1.png]

Load-Balancer Node Status connected to the Standalone Node:

[Screenshot: 2.png]

 

Access the Primary (Standalone Node) and navigate to Administration -> Firmware Upgrade. Select the firmware file downloaded from the Fortinet Portal for the upgrade.

 

[Screenshot: 3.png]

 

After upgrading the Standalone Node, verify the status of all services running on the node and confirm that they are functioning correctly with the new release. Navigate to Dashboard -> HA Status: the Load-Balancer Node should appear as Connected, but the Heartbeat will no longer be recorded.

 

[Screenshot: 4.png]

 

In the Debug Logs of the Primary Node (accessible at https://<FortiAuthenticator-IP>/debug), navigate to High Availability -> Load Balancing. There should be received messages indicating the setup of the OpenVPN Tunnel.

 

[Screenshot: 5.png]

 

2024-12-16-08:50:55 LB Primary is starting

2024-12-16-08:52:14 Received JOIN request from # 3, setup openvpn tunnel

2024-12-16-08:52:34 Received JOIN request from # 3, setup openvpn tunnel

2024-12-16-08:52:54 Received JOIN request from # 3, setup openvpn tunnel

 

On the Load-Balancer Node, HA Status should show a 'Version Mismatch' message, and the Heartbeat should be lost as well.

 

[Screenshot: 6.png]

 

In the Debug Logs, an HA Schema Mismatch should be visible and the OpenVPN tunnel should be torn down. This is expected while the two nodes run different releases: the Load-Balancer node cannot join until it has been upgraded to the same version.

 

[Screenshot: 7.png]

 

2024-12-16-08:52:12 Loadbalancer: tunnel #1 has timed out (210 seconds) - tear down vpn tunnel

2024-12-16-08:52:12 Loadbalancer: destroy tunnel #1, pid=10028

2024-12-16-08:55:32 Join_ack: HA schema mismatch.

2024-12-16-08:55:52 Loadbalancer: Send join request to #1

2024-12-16-08:55:52 Loadbalancer: received join ack from #1

2024-12-16-08:55:52 Join_ack: HA schema mismatch.

 

If the services on the upgraded Standalone Node are functioning correctly, proceed with the upgrade of the Load-Balancer Node. Once completed, ensure that all components are healthy and in sync.

 

[Screenshot: 8.png]

[Screenshot: 9.png]

 

Debug Logs from the primary node should show that the Load-Balancer node joined the cluster:

 

2024-12-16-09:06:50 Received JOIN request from # 3, setup openvpn tunnel

2024-12-16-09:06:58 LB device FAC-VMTXXXXXX has joined the HA cluster from 10.191.20.187

 

Debug Logs from the Load-Balancer should show the OpenVPN tunnel as UP, as well as the PID:

 

2024-12-16-09:06:48 Loadbalancer: Send join request to #1

2024-12-16-09:06:48 Loadbalancer: received join ack from #1

2024-12-16-09:06:48 Loadbalancer: setup openVPN tunnel #1, pid=3199
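The following Python script is an added example, not Fortinet code and not part of the original article. It replays debug-log lines in the format shown above (High Availability -> Load Balancing, one `YYYY-MM-DD-HH:MM:SS message` per line) and reduces them to a state an operator can check after each upgrade step: whether the last join attempt was rejected with an HA schema mismatch, whether an OpenVPN tunnel is currently up and under which PID, and which devices the Primary has reported as joined. It only recognises the message texts that appear in the excerpts on this page; any other line is kept as "other", not guessed at. The sample logs are constructed from those excerpts.

```python
"""Replay FortiAuthenticator load-balancing debug-log lines and summarise the
cluster state after an upgrade step. Added example, not Fortinet code; only the
message texts visible in this article's excerpts are recognised."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Timestamp format used on the /debug page: YYYY-MM-DD-HH:MM:SS <message>
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\s+(.*)$")

# Message patterns, tried in order; each is taken from an excerpt on this page.
PATTERNS = [
    ("primary_start", re.compile(r"LB Primary is starting")),
    ("join_request_rx", re.compile(r"Received JOIN request from #\s*(\d+)")),
    ("joined", re.compile(r"LB device (\S+) has joined the HA cluster from (\S+)")),
    ("tunnel_timeout", re.compile(r"tunnel #(\d+) has timed out")),
    ("tunnel_destroy", re.compile(r"destroy tunnel #(\d+), pid=(\d+)")),
    ("schema_mismatch", re.compile(r"HA schema mismatch")),
    ("join_request_tx", re.compile(r"Send join request to #(\d+)")),
    ("join_ack_rx", re.compile(r"received join ack from #(\d+)")),
    ("tunnel_up", re.compile(r"setup openVPN tunnel #(\d+), pid=(\d+)")),
]


@dataclass
class LbState:
    """State reconstructed from the log; the latest event wins."""
    events: List[Tuple[str, str]] = field(default_factory=list)   # (timestamp, kind)
    schema_mismatch: bool = False      # last join ack rejected for version skew
    tunnel_up: bool = False            # OpenVPN tunnel to the primary is up
    tunnel_pid: Optional[int] = None   # PID of the openvpn process when up
    joined_devices: List[Tuple[str, str]] = field(default_factory=list)  # (serial, ip)


def parse_line(line: str) -> Optional[Tuple[str, str, tuple]]:
    """Return (timestamp, event kind, captured groups), or None for a non-log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, msg = m.groups()
    for kind, pat in PATTERNS:
        pm = pat.search(msg)
        if pm:
            return ts, kind, pm.groups()
    return ts, "other", ()


def analyse(lines) -> LbState:
    """Replay the lines in order and return the resulting state."""
    state = LbState()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, kind, groups = parsed
        state.events.append((ts, kind))
        if kind == "schema_mismatch":
            state.schema_mismatch = True
            state.tunnel_up = False
        elif kind in ("tunnel_timeout", "tunnel_destroy"):
            state.tunnel_up, state.tunnel_pid = False, None
        elif kind == "tunnel_up":
            # A tunnel only comes up after the join ack was accepted, so an
            # earlier schema mismatch is resolved once this line appears.
            state.tunnel_up, state.tunnel_pid = True, int(groups[1])
            state.schema_mismatch = False
        elif kind == "joined":
            state.joined_devices.append((groups[0], groups[1]))
    return state


def verdict(state: LbState) -> str:
    """One-word summary to check after each upgrade step."""
    if state.tunnel_up or state.joined_devices:
        return "joined"
    if state.schema_mismatch:
        return "version-mismatch"
    return "no-tunnel"


# Constructed sample logs, copied from the Load-Balancer and Primary excerpts above.
LB_MISMATCH_LOG = [
    "2024-12-16-08:52:12 Loadbalancer: tunnel #1 has timed out (210 seconds) - tear down vpn tunnel",
    "2024-12-16-08:52:12 Loadbalancer: destroy tunnel #1, pid=10028",
    "2024-12-16-08:55:32 Join_ack: HA schema mismatch.",
    "2024-12-16-08:55:52 Loadbalancer: Send join request to #1",
    "2024-12-16-08:55:52 Loadbalancer: received join ack from #1",
    "2024-12-16-08:55:52 Join_ack: HA schema mismatch.",
]
LB_JOINED_LOG = [
    "2024-12-16-09:06:48 Loadbalancer: Send join request to #1",
    "2024-12-16-09:06:48 Loadbalancer: received join ack from #1",
    "2024-12-16-09:06:48 Loadbalancer: setup openVPN tunnel #1, pid=3199",
]
PRIMARY_LOG = [
    "2024-12-16-08:50:55 LB Primary is starting",
    "2024-12-16-08:52:14 Received JOIN request from # 3, setup openvpn tunnel",
    "2024-12-16-09:06:58 LB device FAC-VMTXXXXXX has joined the HA cluster from 10.191.20.187",
]

if __name__ == "__main__":
    for name, log in [("LB during mismatch", LB_MISMATCH_LOG),
                      ("LB after upgrade", LB_JOINED_LOG), ("Primary", PRIMARY_LOG)]:
        st = analyse(log)
        print(f"{name}: {verdict(st)}, pid={st.tunnel_pid}, joined={st.joined_devices}")
```

Run it against the lines copied from both nodes' debug pages: a result of `version-mismatch` on the Load-Balancer node after the Standalone upgrade is the expected intermediate state, and `joined` with a tunnel PID on the Load-Balancer plus a `has joined` entry on the Primary is what confirms the second step succeeded.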

 

Note: If issues arise with syncing objects after the upgrade, try recalculating the checksums from the Standalone Node. For further guidance, refer to Technical Tip: How to configure FortiAuthenticator load-balancing cluster.

If the issue persists, submit a ticket with Fortinet Technical Support.