FortiGate
hazim (Staff)
Article Id 247950
Description

This article describes the behavior for queries from FortiGate to remote LDAP servers when ha-direct is enabled.

Scope

FortiGate v6.4 and above.
Solution

When HA-direct is enabled, FortiGate sends LDAP queries using the reserved management interface. See FortiOS Administration Guide: Out-of-band management


This applies to actual user authentication traffic as well as manually triggered credential checks using the CLI command 'diagnose test authserver'.


The ha-direct setting does not apply to connectivity or credential checks started from the GUI. Those requests are sent in-band rather than through the reserved management interface.


GUI LDAP connectivity test:

In this example deployment, while testing from the GUI, the LDAP server appears inaccessible.

[Screenshot 1.PNG: GUI LDAP server connectivity test reporting the server as inaccessible]

Testing the LDAP server from the GUI is treated as in-band traffic. The in-band interface for the LDAP server IP address '10.250.0.21' is the IPsec tunnel 'PRIVATE_CLOUD', as determined by a conventional routing table lookup:


FGT-A (root) # get router info routing-table details 10.250.0.21

Routing table for VRF=0
Routing entry for 10.250.0.0/20
Known via "static", distance 10, metric 0, best
* directly connected, PRIVATE_CLOUD


Because the remote side of the tunnel is not configured to allow the FortiGate to reach 10.250.0.21 over this route, the connectivity check receives no response: the sniffer shows only outbound SYNs and no SYN-ACK from the server.


FGT-A (root) # diagnose sniffer packet any 'port 389' 4 1000
interfaces=[any]
filters=[port 389]
8.260146 PRIVATE_CLOUD out 10.253.200.1.24300 -> 10.250.0.21.389: syn 1077706988
9.176846 PRIVATE_CLOUD out 10.253.200.1.24301 -> 10.250.0.21.389: syn 3548561624
10.068548 PRIVATE_CLOUD out 10.253.200.1.24303 -> 10.250.0.21.389: syn 509744761


CLI LDAP credential check:

The FortiGate has the following sample configuration, including 'ha-mgmt-status enable' and 'ha-direct enable':


config system ha
    set group-id 134
    set group-name "FGT61F-cluster2"
    set mode a-p
    set hbdev "internal3" 40
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "wan2"
            set gateway 10.250.99.1
        next
    end
    set override disable
    set priority 250
    set ha-direct enable
end


With this configuration, FortiGate uses the reserved management interface 'wan2' to send authentication attempts to the LDAP server.


This can be checked with the 'diagnose test authserver' command as follows:


diagnose test authserver ldap "<LDAP server name>" <username> <password>


FGT-A (root) # diagnose test authserver ldap "LDAP" ldap-user ldap-password
authenticate 'ldap-user' against 'LDAP' succeeded!

FGT-A (root) #


A packet sniffer run at the same time shows the port 389 LDAP traffic leaving through the reserved HA management interface, wan2, as intended, and this time the server answers with a SYN-ACK and the full TCP exchange completes.


FGT-A (root) # diagnose sniffer packet any 'port 389' 4 1000
interfaces=[any]
filters=[port 389]
4.025007 wan2 out 10.250.99.37.9047 -> 10.250.0.21.389: syn 1671393557
4.025860 wan2 in 10.250.0.21.389 -> 10.250.99.37.9047: syn 1282429634 ack 1671393558
4.025936 wan2 out 10.250.99.37.9047 -> 10.250.0.21.389: ack 1282429635
4.026108 wan2 out 10.250.99.37.9047 -> 10.250.0.21.389: psh 1671393558 ack 1282429635
4.026694 wan2 in 10.250.0.21.389 -> 10.250.99.37.9047: ack 1671393572
4.027304 wan2 in 10.250.0.21.389 -> 10.250.99.37.9047: psh 1282429635 ack 1671393572
4.027331 wan2 out 10.250.99.37.9047 -> 10.250.0.21.389: ack 1282429649
4.027565 wan2 out 10.250.99.37.9047 -> 10.250.0.21.389: psh 1671393572 ack 1282429649
4.027622 wan2 out 10.250.99.37.9047 -> 10.250.0.21.389: fin 1671393579 ack 1282429649
4.028182 wan2 in 10.250.0.21.389 -> 10.250.99.37.9047: fin 1282429649 ack 1671393580
4.028217 wan2 out 10.250.99.37.9047 -> 10.250.0.21.389: ack 1282429650
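As an added example (not part of the original article), the following Python script parses the two sniffer captures above and reports, for each LDAP connection attempt, the egress interface and whether the server completed the TCP handshake. The capture text is copied from this page; the function names parse_capture, ldap_path_report and summarize are my own and not a FortiOS feature.

```python
import re

# Constructed from the two 'diagnose sniffer packet any "port 389" 4' captures on this page.
GUI_TEST_CAPTURE = """\
8.260146 PRIVATE_CLOUD out 10.253.200.1.24300 -> 10.250.0.21.389: syn 1077706988
9.176846 PRIVATE_CLOUD out 10.253.200.1.24301 -> 10.250.0.21.389: syn 3548561624
10.068548 PRIVATE_CLOUD out 10.253.200.1.24303 -> 10.250.0.21.389: syn 509744761
"""

CLI_TEST_CAPTURE = """\
4.025007 wan2 out 10.250.99.37.9047 -> 10.250.0.21.389: syn 1671393557
4.025860 wan2 in 10.250.0.21.389 -> 10.250.99.37.9047: syn 1282429634 ack 1671393558
4.025936 wan2 out 10.250.99.37.9047 -> 10.250.0.21.389: ack 1282429635
"""

# One sniffer line in verbose level 4 format: "<time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <flags>"
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) -> (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<flags>.*)$"
)

def parse_capture(text):
    """Yield one dict per packet line; header lines such as 'interfaces=[any]' do not match and are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def ldap_path_report(text, ldap_port="389"):
    """Track each outbound flow to the LDAP port: which interface it left on, and whether
    a SYN-ACK for that flow came back (no SYN-ACK = the server never answered)."""
    flows = {}
    for pkt in parse_capture(text):
        if pkt["dir"] == "out" and pkt["dport"] == ldap_port:
            key = (pkt["src"], pkt["sport"])
            flows.setdefault(key, {"iface": pkt["iface"], "answered": False})
        elif pkt["dir"] == "in" and pkt["sport"] == ldap_port:
            key = (pkt["dst"], pkt["dport"])
            if key in flows and pkt["flags"].startswith("syn") and "ack" in pkt["flags"]:
                flows[key]["answered"] = True
    return flows

def summarize(text):
    """Condense a capture into the egress interfaces used, attempts made and attempts answered."""
    flows = ldap_path_report(text)
    ifaces = sorted({f["iface"] for f in flows.values()})
    answered = sum(1 for f in flows.values() if f["answered"])
    return {"interfaces": ifaces, "attempts": len(flows), "answered": answered}
```

Run against the GUI capture it reports three unanswered attempts out of PRIVATE_CLOUD; against the CLI capture it reports one answered attempt out of wan2, which is the contrast the article describes.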


Note:

If the LDAP server is remote from FortiGate's perspective and must be accessed over a non-physical interface (for example, an IPsec tunnel), ha-direct must be disabled in 'config system ha'. Since changing HA-direct can affect management access to the firewall as well as user traffic, depending on which features are in use, it is recommended to make any changes during a maintenance window and to have local access to the HA cluster during this time.