Created on 10-05-2017 07:09 PM
Edited on 07-11-2023 03:10 AM
By Stephen_G
Description
This article describes the scope of a FortiAuthenticator HA cluster.
Scope
FortiAuthenticator.
Solution
FortiAuthenticator can work as a cluster offering redundancy and, in some configurations, load balancing.
HA can be configured at L2 (Active/Passive) or at L3 (Active/Active).
The following prerequisites must be met:
- Two FortiAuthenticator devices of the same model and platform.
- Both devices must run the same firmware version.
- All HA participants must have a valid license.
Active/Passive:
- One device operates in the primary role while the other operates as a backup in standby mode.
- The backup device monitors the primary through an HA interface.
- L2 communication is required between HA links. The connection is encrypted with IPsec AES. Heartbeat traffic uses UDP port 720. The configuration is replicated every 2 seconds.
- Failover takes 30 seconds. Authentication requests made during the failover are lost.
- Administrative access to the secondary device is achieved with a unique IP address. This access is required in order to change HA settings, perform a firmware upgrade or perform troubleshooting.
- To reach the HA management GUI on the HA interface IP of either unit, a workstation is needed in the same subnet as the HA interface configured on the FortiAuthenticators.
Note: Backup units do not allow configuration changes.
Active/Active (GEO HA):
- An L3 connection is required.
- A primary cluster can back up to another cluster.
- Only the following features are synchronized in this mode: tokens and seeds, local and remote users, group mappings, and token and user mappings.
General troubleshooting methods:
- Capture traffic from the CLI with tcpdump, filtering on UDP port 720 (heartbeat traffic).
- Look into detailed logs in FortiAuthenticator’s GUI: https://<fac_ip>/debug/slony.
- Collect report.dbg and send logs to TAC support for further analysis.
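One way to read such a heartbeat capture offline, as an added example that is not part of the original article or any Fortinet tooling: it scans text output in the `tcpdump -tt -n` format for UDP port 720 packets and reports long gaps per sender, plus any peer that never sent a heartbeat. The function name, the `max_gap` threshold and the sample capture are assumptions made for illustration.

```python
import re
from collections import defaultdict

HEARTBEAT_PORT = 720  # UDP heartbeat port stated in the article
# Matches `tcpdump -tt -n` text output for IPv4 UDP, for example:
# 1696500000.000000 IP 192.0.2.1.720 > 192.0.2.2.720: UDP, length 64
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): UDP, length \d+"
)

def analyze_heartbeats(capture_text, max_gap=5.0):
    """Return (gaps, silent_peers) for UDP/720 packets in a text capture.

    max_gap (seconds) is an assumed threshold: the article does not state
    the heartbeat interval, so tune it to what a healthy pair shows.
    """
    seen = defaultdict(list)  # sender IP -> timestamps of packets it sent
    peers = set()
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or HEARTBEAT_PORT not in (int(m["sport"]), int(m["dport"])):
            continue
        peers.update((m["src"], m["dst"]))
        seen[m["src"]].append(float(m["ts"]))
    gaps = []
    for src, stamps in seen.items():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                gaps.append((src, prev, round(cur - prev, 3)))
    # A peer seen only as a destination never sent a heartbeat itself.
    silent = sorted(peers - set(seen))
    return sorted(gaps, key=lambda g: g[1]), silent

# Constructed sample capture (addresses and timings are illustrative).
SAMPLE = """\
1696500000.000000 IP 192.0.2.1.720 > 192.0.2.2.720: UDP, length 64
1696500000.100000 IP 192.0.2.2.720 > 192.0.2.1.720: UDP, length 64
1696500001.000000 IP 192.0.2.1.720 > 192.0.2.2.720: UDP, length 64
1696500001.100000 IP 192.0.2.2.720 > 192.0.2.1.720: UDP, length 64
1696500001.500000 IP 192.0.2.1.5000 > 192.0.2.9.5000: UDP, length 40
1696500002.000000 IP 192.0.2.1.720 > 192.0.2.2.720: UDP, length 64
1696500009.100000 IP 192.0.2.2.720 > 192.0.2.1.720: UDP, length 64
"""

if __name__ == "__main__":
    print(analyze_heartbeats(SAMPLE))
```

A gap reported for one sender while the other keeps a steady cadence points at that unit or its HA link; a peer listed as silent means heartbeats were only seen in one direction.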
Technical Tip: How to configure FortiAuthenticator HA A-P cluster.