This article discusses failover scenarios for an ACTIVE/PASSIVE cluster with a load-balancing (LB) slave in FortiAuthenticator HA.




Configure the A-P FortiAuthenticator (FAC) cluster and make sure that the units are in sync.

When an LB slave is configured, its HA configuration must point to the MGMT IP of the primary FortiAuthenticator.

The primary FortiAuthenticator is the unit that sends the MGMT IP of the secondary FortiAuthenticator.


Reference for the configuration:


- PRIMARY FortiAuthenticator is dead.

- The LB SLAVE will automatically communicate with and sync to the secondary FortiAuthenticator (the secondary FortiAuthenticator will now be the LB Master).


- PRIMARY FortiAuthenticator and LB SLAVE are dead. Both become defective.

- A new LB SLAVE arrives (RMA), but the PRIMARY FortiAuthenticator is still dead.

- It is necessary to configure the FAC LB SLAVE to sync to the MGMT IP of the secondary FortiAuthenticator because the primary FortiAuthenticator is still dead.

- Why? In this scenario the LB SLAVE is a totally new unit (RMA), so it makes sense that it must be configured based on the current scenario.

- Here, the current scenario is that the primary FortiAuthenticator is dead and the only FortiAuthenticator available is the secondary.

There is then no choice but to use the secondary FortiAuthenticator as the LB MASTER.


- A new PRIMARY FortiAuthenticator arrives.

- Now just join it to the HA A-P cluster, but make sure to set this unit as the slave FortiAuthenticator.

- Once it has joined the cluster, the working FortiAuthenticator LB MASTER will automatically introduce the IP of the slave unit to the LB SLAVE.

- Two FortiAuthenticator MGMT IPs will again be visible on the LB slave.



- FortiAuthenticator PRIMARY is dead.

- SECONDARY FortiAuthenticator is UP.

- The LB SLAVE gets restarted or shut down.

- Once the LB SLAVE boots, it will still know that the SECONDARY FortiAuthenticator is the LB MASTER.