Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mturic
Staff & Editor
Staff & Editor

Created on ‎09-11-2019 02:11 AM Edited on ‎06-26-2025 12:13 AM By Moderator

Article Id 194689

Technical Tip: FSSO Collector Agent failover configuration

Description


This article describes how to configure a redundant FSSO configuration with a Collector Agent.

 

Scope

 

FortiGate.

Solution


In this scenario, two DCs will be used: DC01 and DC02. Both Domain Controllers have FSSO Collector Agent installed.  By design, only one FSSO collector agent is connected per FortiGate unit at a time.

DC01:

 

 
DC02:
 
  
The FortiGate configuration is shown below, with differences between firmware versions. Starting from firmware version 6.0.0 onwards, the FSSO configuration was moved from 'User & Device' to 'Security Fabric'. Before v6.0, the GUI would show in bold the active Collector Agent IP address. This is not available from v6.0 onward.

Configuration on v5.2, v5.4, v5.6:
 
 
 

Configuration on v6.0, v6.2:

 


 

 

Simulating a failover:
A failover can be simulated by stopping or restarting the FSSO service on the primary Collector Agent, in this example, DC01:

 

JeanPhilippe_P_0-1750921930527.png


The FortiGate then switches to the next FSSO collector agent specified in the configuration. In versions before v6.0, the switch is noticed with the bolded IP address shown:

 

 

In CLI, the configuration is as follows:

 

config user fsso
    edit "fsso"
       set server "10.0.0.10"
       set password *********
       set server2 "10.0.0.11"
       set password2 *********
    next
end

 

Check the FSSO server connection status with the following CLI commands:

 

diagnose debug enable
diagnose debug authd fsso server-status

Server Name                          Connection Status     Version               Address
-----------                          -----------------     -------               -------
fsso                                 connected             FSSO 5.0.0278         10.0.0.10
After a failover the IP address would then change, so you can always trace the currently connected collector:
Server Name                          Connection Status     Version               Address
-----------                          -----------------     -------               -------
fsso                                 connected             FSSO 5.0.0278         10.0.0.11


Note:

  • The user databases and configurations to create these (monitored events, monitored DCs) must be the same. DCAgents and TSAgents pointing to the Collector Agent MUST point to all configured Collectors. This applies to the FortiAuthenticator in a collector role as well.
  • If there is fail over from one Collector to another and the user information is different, then apart from the reason for the failover, production might be impacted as some users suddenly become unknown to the FortiGate. 
  • If all the FSSO configuration and agent connectivity is correct but the failover is failing, please retype the password next to each IP address configured in the FSSO external connector.

 

Related article:
Troubleshooting Tip: FSSO Complete troubleshooting for TAC tickets

12921
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.