FortiGate
rmharini
Staff
Article Id 367359
Description This article describes how the Collector agent configured on the FortiGate is not designed to operate in an Active-Active setup.
Scope FortiGate
Solution

The Collector agent does not function in either Active-Passive or Active-Active setups. If one of the configured servers becomes unreachable, the FortiGate will try to reach the other server in the same fabric connector, if configured. Refer to this document for more details.

 

If different servers are configured monitoring the same domains in different FSSO fabric connectors, the group information is fetched from the first server. The second server will not display any group information, as it detects the groups as duplicates, as shown below. The logs will indicate that the groups already exist.

 

[Screenshot: FSSO-AD-status (1) (1).jpg]

 

Capture the authd daemon debug logs using the following commands. The output will be similar to the example after them:

 

dia de reset
dia de application authd -1
dia de console timestamp enable
dia de en

 

 _process_ad_info[AJCH-NEWDCS]: group Auth_group4 exists (vd=WAN)
 _process_ad_info[AJCH-NEWDCS]: group FortiGate_group exists (vd=WAN)
 _process_ad_info[AJCH-NEWDCS]: group FortiAuth_group2 exists (vd=WAN)
 _process_ad_info[AJCH-NEWDCS]: group Auth_group3 exists (vd=WAN)
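
To triage a longer capture, the "group ... exists" messages can be extracted and grouped per source and VDOM. The Python script below is an added example, not part of the original article or any Fortinet tooling; it assumes the bracketed name identifies the FSSO source the message was logged for and that messages follow the format shown above.

```python
import re
from collections import defaultdict

# Constructed sample: the four lines from the article plus one made-up
# unrelated line to show that non-matching output is ignored.
SAMPLE = """\
 _process_ad_info[AJCH-NEWDCS]: group Auth_group4 exists (vd=WAN)
 _process_ad_info[AJCH-NEWDCS]: group FortiGate_group exists (vd=WAN)
 _process_ad_info[AJCH-NEWDCS]: group FortiAuth_group2 exists (vd=WAN)
 _process_ad_info[AJCH-NEWDCS]: group Auth_group3 exists (vd=WAN)
 some other authd debug line (constructed)
"""

# search() is used so a leading console timestamp does not break matching.
# Assumption: the bracketed token is the FSSO source name.
DUP_RE = re.compile(
    r"_process_ad_info\[(?P<source>[^\]]+)\]:\s+group\s+(?P<group>.+?)"
    r"\s+exists\s+\(vd=(?P<vdom>[^)]+)\)"
)


def duplicate_groups(text):
    """Return {(source, vdom): sorted groups reported as already existing}."""
    found = defaultdict(set)
    for line in text.splitlines():
        m = DUP_RE.search(line)
        if m:
            found[(m["source"], m["vdom"])].add(m["group"])
    return {key: sorted(groups) for key, groups in found.items()}


def report(text):
    """Build one summary line per (source, vdom) pair."""
    return [
        f"{source} (vdom {vdom}): {len(groups)} group(s) already exist: "
        + ", ".join(groups)
        for (source, vdom), groups in sorted(duplicate_groups(text).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE) or ["no duplicate-group messages found"]:
        print(line)
```

A source that appears in this summary with every one of its groups listed is a candidate for a second connector monitoring a domain that another connector already covers.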

 

If the environment includes multiple FSSO Collector Agents, all agents must be configured identically to ensure that user identity information is correctly sent to the FortiGates.

 

All settings for the FSSO Collector Agents must be configured manually, except for group filters and ignored user lists.

 

These parameters can be synchronized between one Collector Agent and others. Synchronization is accomplished using the 'Sync configuration with other agents' option (a button in the FSSO Collector Agent Configuration GUI).

This option allows group filters and ignored user lists to be pushed from the source FSSO Collector Agent to all selected agents.

 
