FortiGate
hazim (Staff)
Article Id 247950
Description

This article describes the traffic behavior observed when testing LDAP credentials from the GUI and from the CLI while HA-Direct is enabled.

Scope

FortiGate version 6.4, 7.0, 7.2 and above.
Solution

In FortiGate, LDAP credentials can be tested from either the GUI or the CLI.

When HA-Direct is enabled, LDAP traffic is expected to leave through the management port configured in the HA settings. By design, however, the two test methods differ: the GUI credential test and the CLI credential test do not use the same egress port.

 

In the example below, port4 is the HA management port and port3 is the regular traffic port, with HA-Direct enabled.

 

By design, the traffic is expected to go through port3 when the credentials are tested from the GUI:

 

[Screenshot: hazim_1-1677810946954.png]

- LDAP configuration example:

 

[Screenshot: hazim_0-1677810886031.png]

 

- If the user credentials are tested via the GUI, the debug output shows the traffic leaving through port3, the regular traffic port, even though HA-Direct is enabled.


[Screenshot: hazim_3-1677811156210.png]

 

In the real environment, however, with HA-Direct enabled the LDAP traffic uses the management port for communication. This matches the behavior seen when the user credentials are tested via the CLI, as shown below:

 

[Screenshot: hazim_4-1677811716613.png]

[Screenshot: hazim_5-1677811732781.png]


 

In conclusion, if HA-Direct is enabled, production LDAP traffic will always go through the management port configured in the HA settings. By design, the GUI credential test uses the regular traffic port instead of the management port. For troubleshooting and testing, it is recommended to use the CLI credential test, as it reflects the actual traffic flow.
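The following CLI session reproduces the scenario described above end to end: enabling HA-Direct with port4 as the management interface, defining the LDAP server, capturing LDAP traffic so the egress interface is visible, and running the CLI credential test. It is an added example, not a screenshot or command from the original article; the interface names follow the article (port3, port4), while the server name "LDAP-Server", the addresses 192.0.2.1 and 198.51.100.10, the bind DN, the test account and the passwords are constructed placeholders.

```fortios
# 1. HA-Direct with port4 as the dedicated HA management interface (constructed values).
config system ha
    set ha-direct enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 192.0.2.1
        next
    end
end

# 2. LDAP server definition (constructed example; replace DN, bind account and address).
config user ldap
    edit "LDAP-Server"
        set server "198.51.100.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=ldapbind,cn=users,dc=example,dc=com"
        set password <bind-password>
    next
end

# 3. In a second CLI session, sniff LDAP traffic to the server.
#    Verbosity 4 prints the interface name on each packet line, which is what
#    shows whether the test left through port3 (GUI test) or port4 (CLI test).
diagnose sniffer packet any 'host 198.51.100.10 and port 389' 4 0 l

# 4. Test the credentials from the CLI (constructed test account and password).
#    This is the test that follows the HA-Direct path, i.e. the packets in the
#    sniffer output should carry the management interface, port4.
diagnose test authserver ldap LDAP-Server testuser <user-password>
```

Run the sniffer in one session and the authserver test in another. If the credential test is then repeated from the GUI (User & Authentication > LDAP Servers > Test Connectivity / Test User Credentials), the same sniffer output shows port3 as the egress interface, which is the difference the article describes. Because the CLI test is the one that mirrors production LDAP traffic, any firewall rule, route or LDAP server ACL troubleshooting for the HA management path should be based on its result rather than on the GUI test.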

Contributors