FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Article Id 191494

This article describes the scope of a FortiAuthenticator HA cluster.

FortiAuthenticator can run as a cluster, providing redundancy and, in some configurations, load balancing.
HA can be configured at Layer 2 (Active/Passive) or at Layer 3 (Active/Active).

The following prerequisites must be met:

  • Two FortiAuthenticator devices of the same model and platform.
  • Both devices must run the same firmware version.
  • All HA participants must have a valid license.

Active/Passive (L2 HA):

  • One device operates in the primary role while the other operates as a backup in standby mode.
  • The backup device monitors the primary through an HA interface.
  • L2 connectivity is required between the HA links. The connection is encrypted with IPsec (AES). Heartbeat traffic uses UDP port 720. The configuration is replicated every 2 seconds.
  • Failover takes 30 seconds. Authentication requests made during the failover are lost.
  • Administrative access to the secondary device is provided through a dedicated IP address. This access is required to change HA settings, upgrade firmware, or troubleshoot.
  • To reach the HA management GUI IP on the HA interface of either unit, a workstation must be in the same subnet as the HA interface configured on the FortiAuthenticators.

Note: Configuration changes cannot be made on the backup unit.

Active/Active (GEO HA):

  • An L3 connection is required.
  • A primary cluster can back up to another cluster.
  • Only the following features are synchronized in this mode: tokens and seeds, local and remote users, group mappings, and token and user mappings.

Related article:

Technical Tip: How to configure FortiAuthenticator HA A-P cluster.