Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDevSec
- FortiDeceptor
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiHypervisor
- FortiGuard
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- Re: Migration of Forti-Authenticator
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Migration of Forti-Authenticator
Hi Guys,
i have a forti-authenticator (FAC) thats currently hosted in a datacentre, on which my organisation is moving out of.
Now i have built a vanilla FAC in the new datacentre with with an eval license currently running on it.
An engineer which is assisting me with the project has made our production FAC and the new FAC into HA mode.
Production FAC = Standalone Master
New Vanilla FAC = Load Balancing Slave (different IP address, serial number)
Now we currently have 1500 users and tokens active, so the goal is to ensure we don't break them and force 1500 users to enrol again, which would be a pain.
Couple of questions:
1. Has the engineer who is assisting me, put the two FACs in the right HA mode? Should they be in Cluster Member Mode instead of Master/Slave HA mode?
2. i have pointed a test server and attempted to 2FA authenticate with the slave FAC and its not working. The Gen_Fac Host value has changed in the registry key for the server. Is this suffice information for the server to successfully authenticate OR are going about this the wrong way?
If there's anyone with high level steps on how we can successfully migrate the FAC into the new datacentre without disruption, i would really appreciate it, because we're not making any headway at this point in time.
Thanks,
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1: It depends on your goal, but cluster is act/stdby btw
2: Did you make the standby ACTIVE when you did your test
I would promote the standby active and do my test, I believe the eval license is going to be a issue if it does not match the current production unit.
Ken Felix
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Ken,
Thanks for your reply.
The main goal is to not break the active tokens currently for the 1500 staff members.
The current production one will need to be blown away cause we're vacating that data centre for good.
My question is.
1. Are we in the right HA mode? Should the two facs being in cluster mode instead? So when the prod one is turned off. The other node kicks in?
Or is there more to it than that hence the engineer has chosen master/slave?
If I switch the slave to be active. How quick is it to roll back because I have VPN, untrusted remote access and 2FA authentication happening for IT admins across all our servers.
2. I'm going under the assumption that someone has conducted this task before (surely), but I heard the tokens are tied to the UUID of the VM of the FAC
3. Is the gen FAC value on the server the only thing that needs to be changed for a successful 2FA to happen for a server on the slave FAC.
Kindly correct me if I'm wrong.
Cheers
Den.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Den
A few comments:
- As emnoc pointed out, an eval license won't work because its user limits (10 users, i guess). So, before migration, try
to fix this to avoid headaches.
- HA active-passive is the only clustering mode which ensures full synchronization
If your networking scenario does not allow you this and you're forced to adopt active-active (master and load balance slave) you have to re-check your configuration because this mode cannot synchronize FSSO, certificates etc
As manual states, only below auth features are synchronized in this mode:
. Token and seeds . Local user database . Remote user database . Group mappings . Token and user mappings
Because of that, in our very particular scenario, we had to deal with this using Active-Passive and play with the network interfaces.
regards
/ Abel
regards
/ Abel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Abelio,
Apologies, I should of mentioned we have a Fortinet representative for our country that is evaluating the licensing situation. So we're aware of the limiting factor of users and limited days we have on it.
Whether it was the right approach on slapping an eval licence to obtain HA functionality. I'm not sure, since I'm not really involved in the process. Hence why I've reached out to you guys for guidance and advice.
I did read the manual yesterday. For the above reason you've stated is exactly why I am questioning if he's taken the correct method of HA with master/slave. So it does concern me if the engineer is not completely cutting over everything.
Thanks for all your help everyone.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You might want to review this post:
https://forum.fortinet.com/tm.aspx?m=163782
I had some issues when I moved from FAC-100D to FACVM.
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,742 -
FortiClient
1,775 -
5.2
801 -
FortiManager
736 -
5.4
639 -
FortiAnalyzer
563 -
FortiSwitch
476 -
FortiAP
474 -
FortiClient EMS
436 -
6.0
416 -
5.6
362 -
FortiMail
320 -
6.2
251 -
SSL-VPN
248 -
FortiAuthenticator v5.5
234 -
IPsec
212 -
FortiWeb
206 -
5.0
196 -
FortiNAC
190 -
FortiGuard
139 -
6.4
128 -
SD-WAN
117 -
FortiAuthenticator
105 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
98 -
FortiToken
92 -
Firewall policy
84 -
Customer Service
80 -
Wireless Controller
80 -
4.0MR3
64 -
FortiProxy
60 -
High Availability
56 -
FortiADC
54 -
Fortivoice
53 -
vlan
53 -
FortiEDR
52 -
ZTNA
49 -
Routing
47 -
FortiExtender
45 -
FortiSandbox
44 -
DNS
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
FortiGate v5.4
35 -
SAML
35 -
NAT
35 -
Certificate
35 -
FortiSwitch v6.4
34 -
RADIUS
34 -
SSO
33 -
Interface
31 -
FortiConnect
30 -
VDOM
30 -
FortiLink
29 -
FortiWAN
27 -
Application control
27 -
Web profile
27 -
FortiConverter
25 -
Logging
25 -
Virtual IP
25 -
FortiGate v5.2
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
Fortigate Cloud
20 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
FortiGate-VM
18 -
FortiMonitor
18 -
Traffic shaping
17 -
SSID
16 -
WAN optimization
16 -
FortiDDoS
15 -
OSPF
15 -
Automation
15 -
FortiGate v5.0
14 -
FortiSoar
14 -
Static route
14 -
System settings
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
SNMP
13 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
IPS signature
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
DNS filter
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
API
5 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
Replacement messages
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
TACACS
3 -
SDN connector
3 -
Service
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1733 | |
| 1106 | |
| 752 | |
| 447 | |
| 240 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.