|
Symptoms.
-
The ha-direct feature is enabled on a FortiGate HA cluster.
-
When an administrator logs in, LDAP traffic is routed through the MGMT interface.
-
Background LDAP processes initiated by the FortiGate (e.g., user synchronization or status checks) try to communicate via a regular service interface.
Cause.
This behavior is normal and occurs because FortiGate routes traffic depending on whether it's for an authentication task or not.
Authentication traffic for administrative access is routed via the MGMT interface based on the ha-direct priority. This ensures management access regardless of the HA cluster's status.
Other LDAP query traffic, like periodic background processes initiated by the FortiGate, does not follow the ha-direct priority and instead uses the regular routing table, which sends it out through a service interface.
If FortiGate only needs to query the LDAP server during a login event:
Disable the user-info function in the LDAP server object to stop periodic LDAP queries.
In the user LDAP, use the following command:
config user ldap
edit "LDAP-Server-Name"
set user-info disable
next
end
This setting will cause the FortiGate to query the LDAP server only when a login event occurs, reducing background traffic.
Note:
If user-info is kept enabled (the default), administrator authentication will still function correctly even if traffic leaving the service interface is ignored.
Related articles:
Technical Tip: FortiGate uses different interfaces for GUI and CLI LDAP test when ha-direct is enabl...
Technical Tip: How to stop automatic LDAP connection attempt from the FortiGate toward the LDAP serv...
|
