FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Hawada1
Staff
Article Id 191446

Description


This article describes how to configure a FortiAuthenticator Layer 2 HA active-passive (A-P) cluster.

Solution

  1. Before forming the HA cluster, take the following points into account:
    Properly design the subnets used for the HA management interfaces and the other network interfaces.
  2. Important: the license key is bound to an IP address configured on the unit, so it must be assigned to the HA interface IP address. Otherwise the secondary node's license becomes unavailable because its IP address is overridden by HA. To recover from this, modify the license file of the secondary unit in the support portal so that it points to the HA management interface IP of the secondary unit, and upload it to the secondary again.
  3. Both FortiAuthenticator devices must be the same model and run the same firmware version.
  4. Layer 2 connectivity is required between the HA interfaces.
  5. Failover happens approximately 30 seconds after a failure.
  6. All configuration is synchronized except the HA settings and the hostname.

Below is the step-by-step HA guide:

  1. License configuration:
    After the initial configuration, assign the license keys.

In this example, port4 is used as the HA interface, and the license is assigned to its IP address:

  • FAC-Primary: 172.16.0.1
  • FAC-Secondary: 172.16.0.2

In the support portal, select 'License File Download'.
Upload the license file under System -> Administration -> Licensing and select 'OK'.
After the license key is added, FortiAuthenticator reboots automatically.
Perform the same steps on the secondary unit.

A License Warning message is shown after logging in to the units, because the IP address bound to the license is not yet configured on the HA management interface.
This warning can be ignored at this step.
 
  2. Configure the High Availability settings on the primary unit.

Go to System -> Administration -> High Availability and enable HA:

  • Role: select 'Cluster member' (L2 cluster).
  • Maintenance Mode: leave it Disabled.
  • Interface: select port4.
  • Cluster member IP address: enter the IP address bound to the license key, 172.16.0.1.
  • Priority: select High on the primary and Low on the secondary.
  • Password: any password, but it must be identical on both units; otherwise the HA cluster will not form.
  • Monitor interfaces: select the interfaces to monitor; a failover is triggered if one of them fails.
 
After configuring all of these settings, select 'OK'.
 
  3. User Inventory.
    After adding the license and configuring the HA management IP address, verify that all limitations of the trial license have been removed by checking User Inventory on the status dashboard.
If the license is not reflected correctly, reboot the unit.
 
 
  4. Configure the High Availability settings on the secondary unit:

Use the same settings as on the primary unit, with the Cluster member IP address 172.16.0.2 (the address bound to the secondary unit's license) and Priority set to Low.

  5. HA Status.
    Wait a few minutes to make sure that all configuration has been synchronized, then check the HA Status.
A healthy cluster shows a green check mark under Health status.
 
  6. To access the HA management GUI on the HA interface IP of either unit, the workstation must be in the same subnet as the HA interface configured on the FortiAuthenticators.

Node-Specific Default Gateway is an option for clusters whose members are in two different data centers with different default gateways. In that case, configure the correct gateway for each node so that, after a failover, the node still has access to the network.

If Node-Specific Default Gateway is set, it overrides the default gateway in the node's static routing and becomes the new default gateway for the whole node. Be careful with Node-Specific Default Gateway, as it may lead to routing issues, especially after a failover or after a failback to the primary.

 

From 6.6.0 onwards, you can choose which default gateway is used: the node-specific gateway is only used if the Override Static Routing setting is selected.

In the CLI, the Node-Specific Gateway is the ns-gw option under the 'config system ha' setting:

set ns-gw <gateway>    <----- Set a default gateway for the HA management interface.
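As an added pre-flight check (example code written for this article, not part of the article's own steps or of FortiAuthenticator), the following Python script validates the conditions listed above against a constructed inventory of both units: same model and firmware, HA interfaces in one subnet (Layer 2 adjacency), license IP equal to the HA interface IP, High/Low priority, an identical HA password, matching monitored interfaces, and, when a node-specific gateway (ns-gw) is set, that it lies inside the HA interface subnet. The field names, the model string, the /24 prefix length and the ns-gw subnet rule are this example's own assumptions.

```python
import ipaddress

# Constructed sample inventory for the two cluster members. The values mirror
# the article's example (port4 as HA interface, 172.16.0.1/.2, High/Low
# priority); the field names are this example's own, not a FortiAuthenticator
# export format.
NODES = {
    "FAC-Primary": {
        "model": "FAC-VM",            # assumed model string
        "firmware": "6.6.0",
        "ha_interface": "port4",
        "ha_ip": "172.16.0.1/24",     # /24 is an assumed prefix length
        "license_ip": "172.16.0.1",   # IP address the license file is bound to
        "priority": "High",
        "ha_password": "same-on-both-units",
        "monitor_interfaces": ["port1"],
        "ns_gw": None,                # node-specific default gateway, if any
    },
    "FAC-Secondary": {
        "model": "FAC-VM",
        "firmware": "6.6.0",
        "ha_interface": "port4",
        "ha_ip": "172.16.0.2/24",
        "license_ip": "172.16.0.2",
        "priority": "Low",
        "ha_password": "same-on-both-units",
        "monitor_interfaces": ["port1"],
        "ns_gw": None,
    },
}


def _ha_iface(node: dict) -> ipaddress.IPv4Interface:
    """Parse the node's HA interface address with its prefix."""
    return ipaddress.ip_interface(node["ha_ip"])


def check_cluster(primary: dict, secondary: dict) -> list:
    """Return a list of findings; an empty list means the pair passes every check."""
    findings = []

    # Both units must be the same model and run the same firmware version.
    if primary["model"] != secondary["model"]:
        findings.append(f"model mismatch: {primary['model']} vs {secondary['model']}")
    if primary["firmware"] != secondary["firmware"]:
        findings.append(f"firmware mismatch: {primary['firmware']} vs {secondary['firmware']}")

    # Layer 2 connectivity between the HA interfaces: in practice both
    # addresses must sit in the same subnet.
    p_net, s_net = _ha_iface(primary).network, _ha_iface(secondary).network
    if p_net != s_net:
        findings.append(f"HA interfaces not in one subnet: {p_net} vs {s_net}")

    for name, node in (("primary", primary), ("secondary", secondary)):
        ha_addr = str(_ha_iface(node).ip)
        # The license is bound to an IP; if that is not the HA interface
        # address, the license becomes unavailable once HA overrides the IP.
        if node["license_ip"] != ha_addr:
            findings.append(f"{name}: license bound to {node['license_ip']} "
                            f"but HA interface address is {ha_addr}")
        # ns-gw should be on-link for the HA management interface; requiring
        # it to be inside the HA subnet is this example's assumption.
        if node["ns_gw"] is not None:
            if ipaddress.ip_address(node["ns_gw"]) not in _ha_iface(node).network:
                findings.append(f"{name}: ns-gw {node['ns_gw']} is not in HA subnet "
                                f"{_ha_iface(node).network}")

    # Priority: High on the primary, Low on the secondary.
    if (primary["priority"], secondary["priority"]) != ("High", "Low"):
        findings.append(f"priority should be High/Low, got "
                        f"{primary['priority']}/{secondary['priority']}")

    # The shared HA password must match, or the cluster never forms.
    if primary["ha_password"] != secondary["ha_password"]:
        findings.append("HA password differs between the units")

    # Monitored interfaces drive failover; differing sets would make failover
    # behaviour asymmetric, so flag them (this example's own check).
    if set(primary["monitor_interfaces"]) != set(secondary["monitor_interfaces"]):
        findings.append("monitored interface sets differ between the units")

    return findings


if __name__ == "__main__":
    for line in check_cluster(NODES["FAC-Primary"], NODES["FAC-Secondary"]) or ["OK"]:
        print(line)
```

Run it against the inventory before enabling HA; every finding maps to one of the conditions above, and the license-IP check in particular catches the case that produces the License Warning described earlier.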

 

Related documents:

6.6.0 CLI commands

Technical Tip: FortiAuthenticator HA cluster overview