Description | This article describes how the Collector agent configured on the FortiGate is not designed to operate in an Active-Active setup. |
Scope | FortiGate |
Solution |
The Collector agent does not function in either Active-Passive or Active-Active setups. If one of the configured servers becomes unreachable, the FortiGate will try to reach the other server in the same fabric connector, if configured. Refer to this document for more details.
If different servers are configured to monitor the same domains in different FSSO fabric connectors, the group information is fetched from the first server. The second server will not display any group information, because it detects the groups as duplicates, as shown below. The logs will indicate that the groups already exist.
Capture the logs using the following commands:
dia de reset
dia de application authd -1
dia de console timestamp enable
dia de en
_process_ad_info[AJCH-NEWDCS]: group Auth_group4 exists (vd=WAN)
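As an added example (not part of the original article and not Fortinet code), the following Python script scans saved authd debug output for the 'group ... exists' message shown above and lists the duplicate groups per bracketed name and VDOM. The regular expression assumes the line shape of the single sample line on this page; the other sample lines are constructed.

```python
import re
from collections import defaultdict

# Line shape taken from the sample on this page:
#   _process_ad_info[AJCH-NEWDCS]: group Auth_group4 exists (vd=WAN)
# search() is used so that any prefix on the line (for example a console
# timestamp) is ignored.
DUP_RE = re.compile(
    r"_process_ad_info\[(?P<source>[^\]]+)\]:\s+group\s+(?P<group>.+?)"
    r"\s+exists\s+\(vd=(?P<vdom>[^)]+)\)"
)


def find_duplicate_groups(debug_text):
    """Return {(bracketed_name, vdom): sorted unique group names} for every
    'group ... exists' line found in the captured debug output."""
    hits = defaultdict(set)
    for line in debug_text.splitlines():
        match = DUP_RE.search(line)
        if match:
            hits[(match["source"], match["vdom"])].add(match["group"])
    return {key: sorted(groups) for key, groups in hits.items()}


# Constructed sample: the first line is the one from this page, the rest are
# made up in the same shape to exercise repeats and unrelated lines.
SAMPLE = """\
_process_ad_info[AJCH-NEWDCS]: group Auth_group4 exists (vd=WAN)
_process_ad_info[AJCH-NEWDCS]: group Auth_group5 exists (vd=WAN)
_process_ad_info[AJCH-NEWDCS]: group Auth_group4 exists (vd=WAN)
unrelated debug line that must be skipped
"""

if __name__ == "__main__":
    for (source, vdom), groups in find_duplicate_groups(SAMPLE).items():
        print(f"{source} (vd={vdom}): {len(groups)} duplicate group(s): "
              f"{', '.join(groups)}")
```

A non-empty result means the same groups are being learned through more than one FSSO fabric connector, which matches the duplicate-group behaviour described above.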
If the environment includes multiple FSSO Collector Agents, all agents must be configured identically to ensure that user identity information is correctly sent to the FortiGates.
All settings for the FSSO Collector Agents must be configured manually, except for group filters and ignored user lists.
These parameters can be synchronized between one Collector Agent and others. Synchronization is accomplished using the 'Sync configuration with other agents' option (a button in the FSSO Collector Agent Configuration GUI). This option allows group filters and ignored user lists to be pushed from the source FSSO Collector Agent to all selected agents.
Copyright 2025 Fortinet, Inc. All Rights Reserved.