acvaldez
Staff

Description


This article describes how to establish an active-passive FortiAuthenticator cluster with a load-balancing slave.


Solution

 

- The PRIMARY FortiAuthenticator has a management interface IP of 10.176.1.104; its gateway is 10.176.2.86.
- The SECONDARY FortiAuthenticator has a management interface IP of 10.47.6.89; its gateway is 10.47.7.254.
- The LOAD BALANCING SLAVE has the IP 10.176.2.100; its gateway is 10.176.2.86.
 
 
Primary FortiAuthenticator configuration.
 
High Availability Settings:
 
1.png

 

Secondary FortiAuthenticator configuration.
 
High Availability Settings:
 
2.png

 

Static Route configuration:
 
- The static route is needed so that the primary and secondary FortiAuthenticator can reach the Load Balancing slave via the management interface.
- Configure it on the Primary FortiAuthenticator only; the route configuration syncs to the secondary FortiAuthenticator.
- In GEO-HA, if the HA connection traverses firewalls, keep in mind that UDP port 1194 should be open.
 
3.png

 

Load Balancing Slave FortiAuthenticator configuration.
 
High Availability Settings:
 
- Configure the management IP address of the PRIMARY FortiAuthenticator here.
- The Load Balancing Slave then automatically detects the management IP address of the SECONDARY FortiAuthenticator.
 
4.png

 

Static Route configuration:
 
- A static route is needed for the load balancing slave to reach the management IP addresses of the PRIMARY and SECONDARY FortiAuthenticator.
 
5.png

 

Result:
 
- The Load Balancing Slave is now communicating and syncing successfully with the PRIMARY FortiAuthenticator.
- Once the Primary FortiAuthenticator is down, the Load Balancing Slave connects to the Secondary FortiAuthenticator.
 
6.png