FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
lmarinovic
Staff
Article Id 191494

Description

 

This article describes the scope of a FortiAuthenticator HA cluster.

 

Scope

 

FortiAuthenticator.


Solution

 

FortiAuthenticator can operate as a cluster that provides redundancy and, in some configurations, load balancing.
The cluster is built either over an L2 link (Active/Passive) or over an L3 connection (Active/Active, also called GEO HA).

The following prerequisites must be met:

 

  • Two FortiAuthenticator devices of the same model and platform.
  • Both devices must run the same firmware version.
  • All HA participants must have a valid license.


Active/Passive:

 

  • One device operates in the primary role; the other is the backup and stays in standby.
  • The backup device monitors the primary over the HA interface.
  • The HA links require L2 adjacency. The HA connection is encrypted with IPsec (AES). Heartbeat traffic uses UDP port 720, and the configuration is replicated from the primary to the backup every 2 seconds.
  • Failover takes about 30 seconds. Authentication requests made during the failover window are lost.
  • The secondary device is reachable for administration on its own dedicated IP address on the HA interface. This access is required to change HA settings, perform a firmware upgrade, or troubleshoot the backup unit.
  • To reach the HA management GUI IP on the HA interface of either unit, the workstation must be in the same subnet as the HA interface configured on the FortiAuthenticators.


Note: Configuration changes cannot be made on the backup unit. Make them on the primary; replication carries them to the backup.


Active/Active (GEO HA):

 

  • An L3 (routed) connection between the members is sufficient; no L2 adjacency is required.
  • A primary cluster can back up to (synchronize with) another cluster.
  • Only the following data is synchronized in this mode: tokens and seeds, local and remote users, group mappings, and token and user mappings. Other configuration is not replicated and must be maintained on each side.

 

Starting with firmware version 6.6, additional configuration can optionally be synchronized. The settings are available under System -> Administration -> High Availability on the primary node. By default the synchronization behavior is the same as in v6.5 and earlier, so nothing beyond the list above is replicated until it is enabled there.

 

General troubleshooting methods:


Run execute tcpdump -i <HA-heartbeat-port> port 720 on the CLI to capture the heartbeat traffic (UDP port 720) on the HA interface. In a healthy cluster, packets from both units appear at a steady interval. If heartbeats from one of the two units are missing, check the L2 path between the HA links.

 

Running the capture generates output similar to the following:

 

execute tcpdump -i port3 port 720
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on port3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:20:29.130045 IP 169.254.0.1.720 > helium-san.fortilab.net.720: UDP, length 200
14:20:29.455460 IP 169.254.0.2.720 > helium-san.fortilab.net.720: UDP, length 200
14:20:30.137985 IP 169.254.0.1.720 > helium-san.fortilab.net.720: UDP, length 200
14:20:30.452354 IP 169.254.0.2.720 > helium-san.fortilab.net.720: UDP, length 200
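The following Python script is an added example and is not part of the original article or of any Fortinet tooling. It parses capture output in the format shown above and flags a unit whose heartbeat gap exceeds a threshold, or a capture in which only one unit's heartbeats appear. The 2-second default threshold is an assumption borrowed from the configuration replication interval quoted earlier, not a documented heartbeat timer; the peer addresses reuse the ones in the capture above, and the "degraded" sample lines are constructed.

```python
import re
from dataclasses import dataclass

# Added example (not from the Fortinet article): parse the output of
# `execute tcpdump -i <HA-heartbeat-port> port 720` and check that both HA
# members keep sending heartbeats at a steady rate.

HA_HEARTBEAT_PORT = 720  # UDP port used for FortiAuthenticator HA heartbeats

# One tcpdump line: timestamp, "IP", src.port > dst.port, "UDP, length N".
# src/dst may be an IP address or a resolved hostname; the port is the last
# dot-separated component, which the greedy \S+ leaves to the \d+ group.
HEARTBEAT_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>\S+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def _to_seconds(ts):
    """HH:MM:SS.ffffff -> seconds since midnight."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


@dataclass
class PeerStats:
    packets: int = 0
    last_seen: float = 0.0
    max_interval: float = 0.0      # longest gap between two consecutive heartbeats
    trailing_silence: float = 0.0  # from the peer's last heartbeat to capture end
    healthy: bool = True


def analyze_heartbeats(lines, max_gap=2.0, expected_peers=2):
    """Return {"peers": {src: PeerStats}, "problems": [...], "skipped": n}.

    max_gap is an assumed tolerance in seconds (the article gives 2 s as the
    replication interval, not the heartbeat timer); tune it to what a healthy
    capture from your own cluster shows.
    """
    peers, skipped, problems = {}, 0, []
    prev_t = end_time = None
    day_offset = 0.0
    for line in lines:
        m = HEARTBEAT_RE.match(line.strip())
        if m is None:
            skipped += 1  # banner lines such as "listening on port3 ..."
            continue
        if int(m["sport"]) != HA_HEARTBEAT_PORT or int(m["dport"]) != HA_HEARTBEAT_PORT:
            skipped += 1  # not heartbeat traffic (wider capture filter)
            continue
        t = _to_seconds(m["ts"]) + day_offset
        if prev_t is not None and t < prev_t:  # capture crossed midnight
            day_offset += 86400.0
            t += 86400.0
        prev_t = end_time = t
        p = peers.get(m["src"])
        if p is None:
            p = peers[m["src"]] = PeerStats(last_seen=t)
        else:
            p.max_interval = max(p.max_interval, t - p.last_seen)
        p.packets += 1
        p.last_seen = t

    for src, p in peers.items():
        p.trailing_silence = end_time - p.last_seen
        if p.max_interval > max_gap or p.trailing_silence > max_gap:
            p.healthy = False
            worst = max(p.max_interval, p.trailing_silence)
            problems.append(f"{src}: heartbeat gap {worst:.3f}s exceeds {max_gap:.1f}s")
    if len(peers) < expected_peers:
        problems.append(f"only {len(peers)} of {expected_peers} HA members seen sending "
                        "heartbeats; check the L2 path between the HA links")
    return {"peers": peers, "problems": problems, "skipped": skipped}


# Capture lines as printed in the article (two units, roughly 1 s apart).
HEALTHY_CAPTURE = """\
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on port3, link-type EN10MB (Ethernet), snapshot length 262144 bytes
14:20:29.130045 IP 169.254.0.1.720 > helium-san.fortilab.net.720: UDP, length 200
14:20:29.455460 IP 169.254.0.2.720 > helium-san.fortilab.net.720: UDP, length 200
14:20:30.137985 IP 169.254.0.1.720 > helium-san.fortilab.net.720: UDP, length 200
14:20:30.452354 IP 169.254.0.2.720 > helium-san.fortilab.net.720: UDP, length 200
""".splitlines()

# Constructed sample (not from the article): 169.254.0.2 goes silent after
# 14:20:30 while 169.254.0.1 keeps sending for three more seconds.
DEGRADED_CAPTURE = HEALTHY_CAPTURE + [
    "14:20:31.130000 IP 169.254.0.1.720 > helium-san.fortilab.net.720: UDP, length 200",
    "14:20:32.130000 IP 169.254.0.1.720 > helium-san.fortilab.net.720: UDP, length 200",
    "14:20:33.130000 IP 169.254.0.1.720 > helium-san.fortilab.net.720: UDP, length 200",
]

if __name__ == "__main__":
    for name, cap in (("healthy", HEALTHY_CAPTURE), ("degraded", DEGRADED_CAPTURE)):
        r = analyze_heartbeats(cap)
        print(f"[{name}] non-heartbeat lines skipped: {r['skipped']}")
        for src, p in r["peers"].items():
            print(f"  {src}: {p.packets} pkts, max interval {p.max_interval:.3f}s, "
                  f"trailing silence {p.trailing_silence:.3f}s, healthy={p.healthy}")
        for msg in r["problems"]:
            print("  PROBLEM:", msg)
```

Paste the capture from the CLI into a file and feed its lines to analyze_heartbeats; the trailing-silence check is what catches a unit that stopped sending, since a missing peer produces no interval at all. Because tcpdump resolves the destination to a hostname here, the parser keys on the source field only, which stays an IP address for the sender.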

 

 

Related article:

Technical Tip: How to configure FortiAuthenticator HA A-P cluster