This article describes the steps necessary to configure a FortiAuthenticator Layer 2 HA A-P cluster.
Before forming the HA cluster, take the following points into consideration:
1) Properly design the subnets used for the HA management interfaces and other network interfaces.
2) Important: the license key is bound to an IP address configured on the unit, so it is important to assign it to the HA interface IP address.
Otherwise, the slave node license will be unavailable because the IP is overridden.
To overcome the license issue, modify the license file of the secondary unit in the support portal so that it points to the HA management interface of the slave unit, then upload it to the slave unit again.
3) Both FortiAuthenticator devices must be the same model and firmware version.
4) L2 communication is required between HA links.
5) Failover happens approximately 30 seconds after a failure.
6) All the configuration is synced except the HA settings and hostname.
Below is the Step-by-Step HA guide:
1) License Config:
After initial configuration, assign the license keys.
In this example, port4 is used as the HA interface to which the license is assigned:
- FAC-Primary 172.16.0.1.
- FAC-Secondary 172.16.0.2.
6) To access the HA management GUI on the HA interface IP of both units, a workstation must be in the same subnet as the HA interface configured on the FACs.
Node-Specific Default Gateway is an option for clusters located in two different datacenters where the default gateway differs between those datacenters. In that case, configure this option with the correct gateway so that the node has access to the network if failover occurs.
If Node-Specific Default Gateway is set, it overwrites the default gateway in the static routing of the node and becomes the new default gateway for the whole node.
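The prerequisites listed above (same model and firmware, HA interfaces in one subnet, license bound to the HA interface IP, workstation in the HA subnet) can be checked from an inventory before the cluster is formed. This is an added example, not Fortinet tooling or part of the original article; the `Node` record, its field names, the /24 prefix, the model and firmware placeholders and the workstation address are assumptions, and only the two HA IPs come from the article.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Node:
    # Hypothetical inventory record; the fields are assumptions, not a FortiAuthenticator API.
    name: str
    model: str
    firmware: str
    ha_iface: str    # HA interface address in CIDR form
    license_ip: str  # IP address the license file is bound to

def preflight(primary, secondary, workstation_ip=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if primary.model != secondary.model:
        findings.append("model mismatch")
    if primary.firmware != secondary.firmware:
        findings.append("firmware mismatch")
    p = ipaddress.ip_interface(primary.ha_iface)
    s = ipaddress.ip_interface(secondary.ha_iface)
    # A shared subnet is necessary for the L2 HA link, though it does not prove L2 adjacency.
    if p.network != s.network:
        findings.append("HA interfaces are not in the same subnet")
    if p.ip == s.ip:
        findings.append("duplicate HA interface IP")
    # The license must be bound to the HA interface IP on each node.
    for node, iface in ((primary, p), (secondary, s)):
        if ipaddress.ip_address(node.license_ip) != iface.ip:
            findings.append(f"{node.name}: license bound to {node.license_ip}, "
                            f"HA interface is {iface.ip}")
    # The HA management GUI is only reachable from inside the HA subnet.
    if workstation_ip is not None and ipaddress.ip_address(workstation_ip) not in p.network:
        findings.append("workstation is outside the HA subnet")
    return findings

# Constructed sample data: the HA IPs are the article's, everything else is assumed.
PRIMARY = Node("FAC-Primary", "MODEL-X", "X.Y.Z", "172.16.0.1/24", "172.16.0.1")
SECONDARY = Node("FAC-Secondary", "MODEL-X", "X.Y.Z", "172.16.0.2/24", "10.0.0.2")

if __name__ == "__main__":
    for finding in preflight(PRIMARY, SECONDARY, workstation_ip="172.16.0.50"):
        print("FAIL:", finding)
```

With the constructed data, the only finding is the secondary unit's license, which is bound to an address other than its HA interface IP, the condition the article says leaves the slave node license unavailable.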