Description |
This article describes the traffic behavior observed when testing LDAP credentials from the GUI and from the CLI while HA-Direct is enabled. |
Scope | FortiGate versions 6.4, 7.0, 7.2 and later. |
Solution |
On a FortiGate, LDAP credentials can be tested from both the GUI and the CLI. When HA-Direct is enabled, LDAP traffic is expected to leave through the management interface configured in the HA settings. By design, however, the traffic behaves differently depending on whether the credential test is run from the GUI or from the CLI.
In the example below, port4 is the HA management interface and port3 is the regular traffic interface; HA-Direct is enabled.
By design, a credential test run from the GUI sends the LDAP traffic through port3:
- LDAP configuration example:
- When the user credentials are tested from the GUI, the debug output shows the LDAP traffic leaving through port3, the regular traffic interface, even though HA-Direct is enabled.
In production, with HA-Direct enabled, LDAP traffic uses the management interface. A credential test run from the CLI shows this same behavior, as below:
In conclusion, when HA-Direct is enabled, LDAP traffic always goes through the management interface configured in the HA settings. By design, the GUI credential test uses the regular traffic interface instead of the management interface. For troubleshooting and testing, use the CLI credential test to observe the traffic flow that production authentication will actually take. |
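The configuration and verification commands below are an added example and are not the article's own screenshots or configuration. The interface names port3 and port4 come from the article; the LDAP server name, addresses, domain, account names and gateway are assumed placeholders. The sniffer output lines in the comments describe what the article says is observed for each test method.

```fortios
# --- HA with HA-Direct enabled; port4 is the dedicated management interface (assumed addresses) ---
config system ha
    set ha-direct enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 10.0.4.254
        next
    end
end

# --- LDAP server definition (assumed server name, address, domain and bind account) ---
config user ldap
    edit "LDAP-SRV"
        set server "10.0.3.10"
        set cnid "sAMAccountName"
        set dn "dc=example,dc=com"
        set type regular
        set username "cn=svc-fgt,cn=Users,dc=example,dc=com"
        set password <bind-account-password>
    next
end

# --- Verification: capture LDAP traffic on all interfaces, verbosity 4 prints the interface name ---
# Run this in a second CLI session before starting either credential test.
diagnose sniffer packet any 'host 10.0.3.10 and port 389' 4 10

# --- CLI credential test (assumed test user) ---
# This is the path production authentication takes with HA-Direct enabled;
# the sniffer shows the SYN leaving on the management interface, e.g.:
#   port4 out 10.0.4.1.<sport> -> 10.0.3.10.389: syn ...
diagnose test authserver ldap LDAP-SRV jdoe <user-password>

# --- GUI credential test (User & Authentication > LDAP Servers > Test User Credentials) ---
# By design this uses the regular traffic interface instead, e.g.:
#   port3 out 10.0.3.1.<sport> -> 10.0.3.10.389: syn ...
# so a GUI test that succeeds or fails does not prove the management-interface path works.

# --- Optional: fnbamd debug to see the bind and search sequence for the CLI test ---
diagnose debug application fnbamd -1
diagnose debug enable
diagnose test authserver ldap LDAP-SRV jdoe <user-password>
diagnose debug disable
diagnose debug reset
```

When checking a firewall or routing problem on the management path, trust the `port4 out` line from the CLI test; a GUI test that succeeds only proves that port3 can reach the LDAP server, which is not the path production authentication uses once HA-Direct is enabled.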
Copyright 2024 Fortinet, Inc. All Rights Reserved.