FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
lmarinovic
Staff
Staff
Article Id 191494

Description

 

This article describes the scope of a FortiAuthenticator HA cluster.

 

Scope

 

FortiAuthenticator.


Solution

 

FortiAuthenticator can work as a cluster offering redundancy and, in some configurations, balancing charges.
The configuration can be made on an L2 (Active/Passive) layer or an L3 (Active/Active) layer.

The following prerequisites must be achieved:

 

  • Two FortiAuthenticator devices of the same model and platform.
  • Both devices must run the same firmware version.
  • All HA participants must have a valid license.


Active/Passive:

 

  • One device operates in the primary role while the other operates as a backup in standby mode.
  • The backup device monitors the primary through an HA interface.
  • L2 communication is required between HA links. IPsec AES encrypts the connection. Heartbeat traffic is over port 720 UDP. The configuration is replicated every 2 seconds.
  • Failover takes 30 seconds. Authentications required during the failover are lost.
  •  Administrative access to the secondary device is achieved with a unique IP address. This access is required in order to change HA settings, perform a firmware upgrade or perform troubleshooting.
  • To access the HA management GUI IP of HA interface of both units, it is necessary to have a Workstation in the same subnet as the HA interface configured on the FortiAuthenticators.


Note: Backup units cannot allow configuration changes.


Active/Active (GEO HA):

 

  • An L3 connection is required.
  • A primary cluster can backup to another cluster.
  • Only the following features are synchronized on this mode: Tokens and seeds, Local and remote users, group mappings, and token and user mappings.

 

 

Related article:

Technical Tip: How to configure FortiAuthenticator HA A-P cluster.