
Administration Guide

Administration

Configure administrative settings for the FortiAuthenticator device.

System access

To adjust system access settings, go to System > Administration > System Access. The Edit System Access Settings page will open.

The following settings are available:

Administrative Access
Require strong cryptography Enable this option to restrict administrative access using stronger cryptographic algorithms, such as TLS 1.2, DHE, AES, and SHA256.
Enable pre-authentication warning message Pre-authentication warning messages can be found under Authentication > Self-service Portal > Replacement Messages.
CLI Access
CLI idle timeout Enter the amount of time before the CLI times out due to inactivity, from 0 to 480 minutes (maximum of eight hours).
GUI Access
GUI idle timeout Enter the amount of time before the GUI times out due to inactivity, from 1 to 480 minutes (maximum of eight hours).
Maximum HTTP header length Enter the maximum HTTP header length, from 4 to 16 KB.
HTTPS Certificate Select an HTTPS certificate from the dropdown menu.
HTTP Strict Transport Security (HSTS) Expiry Enable or disable HSTS enforcement, to avoid SSL sniffing attacks, and set an expiry from 0 to 730 days (where 0 means no expiry, maximum of two years). The default is set to 180.
Certificate authority type Select the authority type of the selected certificate, either Local CA or Trusted CA.
CA certificate that issued the server certificate Select the issuing server certificate from the dropdown menu.
Additional allowed hosts/domain names Specify any additional hosts that this site can serve, separated by commas or line breaks.
Public IP/FQDN for FortiToken Mobile

Enter the IP, or FQDN, of the FortiAuthenticator for external access.

The mobile device running the FortiToken Mobile app requires access to the FortiAuthenticator interface for push to operate.

Enter the IPs/FQDNs in the following format:
ip_addr[:port] or FQDN[:port]

Select OK to apply any changes. See Certificate management for more information about certificates.
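The two host-list fields above take a simple syntax: Public IP/FQDN for FortiToken Mobile uses the ip_addr[:port] or FQDN[:port] form, and Additional allowed hosts/domain names is separated by commas or line breaks. The Python parser below is an added example written for this page, not FortiAuthenticator code; it validates such entries before they are typed into the GUI, rejecting out-of-range ports and malformed hosts. Bracketed IPv6 literals and the RFC 1123 label rule are assumptions of the example; the guide only shows the two forms quoted above.

```python
import ipaddress
import re

# Hostname label rule (RFC 1123 style): letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _parse_port(text):
    """Validate an optional TCP port suffix."""
    if not text.isdigit():
        raise ValueError("port must be numeric: %r" % text)
    port = int(text)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_host_port(entry):
    """Parse one 'ip_addr[:port]' or 'FQDN[:port]' entry.

    Returns (kind, host, port) where kind is 'ipv4', 'ipv6' or 'fqdn' and port is
    an int or None. Raises ValueError for malformed input. Support for bracketed
    IPv6 ('[2001:db8::1]:443') is an assumption of this example.
    """
    entry = entry.strip()
    if not entry:
        raise ValueError("empty entry")
    port = None
    if entry.startswith("["):
        # Bracketed IPv6 literal, optionally followed by :port
        close = entry.find("]")
        if close == -1:
            raise ValueError("unterminated IPv6 bracket: %r" % entry)
        host, rest = entry[1:close], entry[close + 1:]
        if rest:
            if not rest.startswith(":"):
                raise ValueError("unexpected text after IPv6 literal: %r" % entry)
            port = _parse_port(rest[1:])
        addr = ipaddress.ip_address(host)
        if addr.version != 6:
            raise ValueError("bracketed literal must be IPv6: %r" % entry)
        return ("ipv6", str(addr), port)
    if entry.count(":") > 1:
        # A bare IPv6 literal cannot carry a port unambiguously, so none is accepted
        return ("ipv6", str(ipaddress.ip_address(entry)), None)
    host, sep, port_text = entry.partition(":")
    if sep:
        port = _parse_port(port_text)
    try:
        addr = ipaddress.ip_address(host)
        if addr.version == 4:
            return ("ipv4", str(addr), port)
    except ValueError:
        pass  # not an IP literal; fall through to the FQDN check
    labels = host.rstrip(".").split(".")
    if len(host) > 253 or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a valid IPv4 address or FQDN: %r" % host)
    if labels[-1].isdigit():
        raise ValueError("top-level label must not be all-numeric: %r" % host)
    return ("fqdn", host.lower(), port)


def split_host_list(text):
    """Split an 'Additional allowed hosts/domain names' value (comma- or
    line-break-separated, per the guide) into its non-empty entries."""
    return [part.strip() for part in re.split(r"[,\r\n]+", text) if part.strip()]


def validate_host_list(text):
    """Parse every entry of a host list; raises on the first malformed entry."""
    return [parse_host_port(entry) for entry in split_host_list(text)]


if __name__ == "__main__":
    # Constructed sample values
    print(parse_host_port("192.0.2.10:8443"))
    print(validate_host_list("auth.example.com, sso.example.com\n[2001:db8::1]:443"))
```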

High availability

Multiple FortiAuthenticator units can operate as a high availability (HA) cluster to provide even higher reliability.

There are three HA roles:

  1. Cluster member
  2. Standalone primary
  3. Load-balancer

The FortiAuthenticator can operate in two separate HA modes:

  1. Cluster: Active-passive clustered fail-over mode where all of the configuration is synchronized between the devices.
  2. Load-balancing: Active-active HA method in which one device acts as a standalone primary with up to ten additional, geographically separated load-balancers. The load can be distributed across the devices using round-robin DNS, Auth/NAS client load distribution, or external load balancing devices. Load-balancing mode is intended for two-factor authentication deployments, as only a subset of the configuration is synchronized between the devices.

Both HA modes can be combined with an HA cluster acting as a standalone primary for geographically distributed load-balancing devices.

If an HA cluster is configured on an interface (such as port 2) and then disabled, it will not be possible to re-enable HA.

This is because, when HA is disabled, the cluster member IP address is reconfigured on that interface as a regular interface address so that the administrator can access the newly standalone device. To make the port available for use in an HA cluster again, that IP address must be removed manually.

Cluster member role

In the cluster member role, one unit is active and the other is on standby. If the active unit fails, the standby unit becomes active. The cluster is configured as a single authentication server on your FortiGate units.

Authentication requests made during a failover from one unit to another are lost, but subsequent requests complete normally. The failover process takes about 30 seconds.

Cluster mode uses Ethernet broadcasts through UDP/720 as part of its active/standby election mechanism and for ongoing communication. Layer 2 connectivity is required between the devices in an HA cluster, preferably via a crossover cable, as some network devices might block such Ethernet broadcasts.
To configure FortiAuthenticator HA:
  1. On each unit, go to System > Administration > High Availability.
  2. Enter the following information:
    Enable HA Enable HA.
    Role

    Select Cluster member.

    For more information about the other options, see Standalone primary and load-balancers below.

    Maintenance Mode

    Enable to put the FortiAuthenticator unit of an HA cluster into maintenance mode to remove it from the cluster. Upon entering maintenance mode, if the FortiAuthenticator unit is the active member, it relinquishes the active member role and assumes a standby role. While in maintenance mode, the FortiAuthenticator will continue to monitor the status of its HA pair and announce its presence.

    When set to Enabled with synchronization, the FortiAuthenticator continues to keep its configuration synchronized with the active member.

    When set to Enabled without synchronization, the FortiAuthenticator stops synchronizing its configuration with the active member.

    Interface Select a network interface to use for communication between the cluster members. This interface must not already have an IP address assigned and it cannot be used for authentication services. Both units must use the same interface for HA communication.
    Cluster member IP address Enter the IP address this unit uses for HA-related communication with the other FortiAuthenticator unit. The units must have different addresses. Usually, you should assign addresses on the same private subnet.
    Admin access Select the types of administrative access to allow from: Telnet, SSH, HTTPS, Admin access, REST API, HTTP, and SNMP.
    Priority Set to Low on one unit and High on the other. Normally, the unit with High priority is the active member.
    Password Enter a string to use as a shared key for IPsec encryption. This must be the same on both units.
    Load-balancing slaves Add the other load-balancing cluster members by entering their IP addresses.
    Monitored interfaces Enable the interfaces you want to monitor.
    Monitored interfaces stability period Define the stability period for the monitored interfaces in seconds, from 0 to 3600 (up to one hour). The default is set to 30.

    Node-Specific Default Gateway

    Define a default gateway for the FortiAuthenticator device if it differs from the default gateway of the other HA cluster member.

    Note

    The Priority setting is a static value. It allows the administrator to specify which unit to elect as the active member when both units are working equally well (i.e. in a failover situation, the "high priority" setting will not be transferred to the new active member).

    • If both units are healthy, the one with high priority will be elected as the active member.
    • If the high priority active member goes down, the low priority unit becomes the active member.
    • When the low priority unit is the active member and the high priority unit comes back online, the high priority unit assumes the standby member role and synchronizes from the low priority active member. Once the high priority member is synchronized and has remained stable for around five minutes, it takes over and becomes the active member again.
  3. Select OK to apply the settings.
    When one unit has become the active member, reconnect to the GUI and complete your configuration. The configuration will automatically be copied to the standby member.
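The Priority note above describes an election with a deliberate failback delay: the high priority unit does not take the active role back until it is synchronized and has been stable for around five minutes. The Python model below is an added example, not FortiAuthenticator code; it encodes those three rules with a simulated clock so the sequence can be checked step by step. The member names, the integer clock, and the exact five-minute value (taken from the guide's "around five minutes") are constructed for the example.

```python
import enum


class State(enum.Enum):
    ACTIVE = "active"
    STANDBY = "standby"
    DOWN = "down"


# "Around five minutes" per the guide; exact value is an assumption of this model
STABILITY_SECONDS = 5 * 60


class Member:
    def __init__(self, name, priority):
        self.name = name
        self.priority = priority          # "high" or "low", a static setting
        self.state = State.DOWN
        self.synced = False               # configuration synchronized from the active member
        self.stable_since = None          # simulated time at which the unit last became stable


class Cluster:
    """Toy model of the election rules in the Priority note (not FortiAuthenticator code)."""

    def __init__(self, high, low):
        assert high.priority == "high" and low.priority == "low"
        self.high, self.low, self.now = high, low, 0

    def active(self):
        """Name of the current active member, or None if both units are down."""
        for m in (self.high, self.low):
            if m.state is State.ACTIVE:
                return m.name
        return None

    def boot(self, member):
        """A unit comes online: it joins as standby, unsynced, and an election runs."""
        member.state, member.synced, member.stable_since = State.STANDBY, False, self.now
        self._elect()

    def fail(self, member):
        member.state, member.synced, member.stable_since = State.DOWN, False, None
        self._elect()

    def sync_complete(self, member):
        """Standby finished syncing from the active member; the stability clock restarts."""
        member.synced, member.stable_since = True, self.now

    def advance(self, seconds):
        self.now += seconds
        self._elect()

    def _elect(self):
        up = [m for m in (self.high, self.low) if m.state is not State.DOWN]
        if not up:
            return
        if not any(m.state is State.ACTIVE for m in up):
            # No active member: the high priority unit wins if it is up, else the low one
            winner = self.high if self.high.state is not State.DOWN else self.low
            winner.state, winner.synced = State.ACTIVE, True
            return
        # Failback: a high priority standby takes over only once synced and stable long enough
        if (self.low.state is State.ACTIVE and self.high.state is State.STANDBY
                and self.high.synced and self.high.stable_since is not None
                and self.now - self.high.stable_since >= STABILITY_SECONDS):
            self.low.state, self.high.state = State.STANDBY, State.ACTIVE


def run_failback_scenario():
    """Walk through the guide's three bullets; returns the active member after each step."""
    c = Cluster(Member("fac-high", "high"), Member("fac-low", "low"))
    trace = []
    c.boot(c.high); c.boot(c.low); trace.append(c.active())            # both healthy -> high
    c.fail(c.high); trace.append(c.active())                            # high fails -> low
    c.boot(c.high); trace.append(c.active())                            # high returns as standby
    c.sync_complete(c.high); c.advance(120); trace.append(c.active())   # synced, not yet stable
    c.advance(200); trace.append(c.active())                            # stable >= 5 min -> failback
    return trace


if __name__ == "__main__":
    print(run_failback_scenario())
```

The delay matters operationally: a unit that flaps after a firmware upgrade or cable fault does not bounce the active role back and forth, and the returning high priority unit always takes configuration from the current active member first, which is exactly why the restore procedure later on this page shuts the standby down before restoring.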

Standalone primary and load-balancers

The load-balancing HA method enables active-active HA across geographically separated locations and Layer 3 networks. Only the following authentication related features can be synchronized:

  • Token and seeds
  • Local user database
  • Remote user database
  • Group mappings
  • Token and user mappings

Other features, such as FSSO and certificates, cannot be synchronized between devices.

The standalone primary is the primary system where users, groups, and tokens are configured. The load-balancers are synchronized to the standalone primary.

To improve the resilience of the primary system, an active-passive cluster with up to ten load-balancing devices can be configured.

Remote administrator users are not synchronized between the standalone primary and the load-balancers.

As a workaround, you can import remote users to load-balancers, and change their roles to Administrator.

To configure load-balancing HA:
  1. On each unit, go to System > Administration > High Availability.
  2. Enter the following information:
    Enable HA Enable HA.
    Role Select Standalone master on the primary device, and Load-balancing slave on the load-balancing device(s).
    Load Balancing master IP address On the load-balancing device(s), enter the IP address of the standalone primary.
    Password Enter a string to use as a shared key for IPsec encryption. This must be the same on both units.
    Load-balancing slaves On the standalone primary, enter the IP address(es) of the load-balancing devices. Up to ten can be added.
  3. Select OK to apply the settings.

Administrative access to the HA cluster

Administrative access is available through any of the network interfaces using their assigned IP addresses or through the HA interface using the Cluster member IP address, assigned on the System > Administration > High Availability page. In all cases, administrative access is available only if it is enabled on the interface.

Administrative access through any of the network interface IP addresses connects only to the active member. The only administrative access to the standby member is through the HA interface using the standby member’s Cluster member IP address.

Configuration changes made on the active member are automatically pushed to the standby member. The standby member does not permit configuration changes, but you might want to access the unit to change HA settings, or for firmware upgrades, shutdown, reboot, or troubleshooting.

FortiAuthenticator VMs used in an HA cluster each require a license. Each license is tied to a specific IP address. In an HA cluster, all interface IP addresses are the same on the units, except for the HA interface.

Request each license based on either the unique IP address of the unit's HA interface or the IP address of a non-HA interface, which is the same on both units.

If you disable and then re-enable HA operation, the interface that was assigned to HA communication will not be available for HA use. You must first go to System > Network > Interfaces and delete the IP address from that interface.

Restoring the configuration

When restoring a configuration to an HA cluster active member, the active member reboots and in the interim the standby member is promoted to the role of active member. When the previous active member returns to service, it becomes a standby member and the existing active member overwrites its configuration, defeating the configuration restore. To avoid this, use the following process when restoring a configuration:

  1. Shut down the standby member.
  2. Restore the configuration on the active member.
  3. Wait until the active member is back online.
  4. Turn on the standby member — it will synchronize to the restored configuration after booting up.

Firmware upgrade

For a stable HA configuration, all units in an HA cluster must be running the same firmware version and have the same-sized license for HA devices.

When upgrading the firmware on FortiAuthenticator devices in an HA cluster, you can perform a coordinated upgrade of both cluster members. During the coordinated upgrade, the cluster upgrades the standby device and then the active device to run the new firmware image. The firmware upgrade takes place without interrupting communication through the cluster. This firmware upgrade method can only be initiated from the active member of the cluster.

The following sequence describes the steps the cluster goes through during a coordinated firmware upgrade.

  1. The administrator initiates the firmware upgrade from the active member.
  2. The firmware image transfers to the standby member.
  3. The firmware upgrades on the standby member.
  4. The standby member reboots and synchronizes with the active member.
  5. The firmware upgrade begins on the active member. The standby member becomes the new active device.
  6. The former active member reboots and synchronizes with the new active member.
  7. The former active member becomes the active device, and the former standby member becomes the standby device.

If you want to perform the firmware upgrade on each FortiAuthenticator cluster member individually, specific steps must be taken to ensure that the upgrade is successful:

  1. Start the firmware upgrade on the member. See Upgrading the firmware.
  2. The device reboots. While the active member is rebooting, the standby member becomes the active member.
  3. Start the firmware upgrade on the new active member.
  4. The device reboots. After both devices have rebooted, the original active member becomes the active device, while the original standby member returns to being the standby device.

If a situation arises where both devices are claiming to be the active member due to a firmware mismatch, and the HA port of the device that is intended to be the standby member cannot be accessed (such as when a crossover cable is used), use the following steps:

  1. Shut down the active member to which you have access, or, if physical access to the unit is not available to turn it back on, reboot the device. See System information widget.
    Note that, if rebooting the device, Step 2 below must be completed before the device finishes rebooting, which can be as short as 30 seconds.
  2. With the previously inaccessible device now accessible, upgrade its firmware to the required version so that both devices have the same version.
  3. The device reboots.
  4. If you shut down the device in Step 1, power it back on.
  5. After both devices are back online, they assume the HA roles dictated by their respective HA priorities.

Firmware upgrade

The FortiAuthenticator firmware can be upgraded from System > Administration > Firmware, the CLI via FTP/TFTP, or through the System Information widget on the dashboard (see System information widget).

For instructions on upgrading the device’s firmware, see Upgrading the firmware.

Upgrade history

The upgrade history of the device is shown under the Upgrade History heading in the Firmware Upgrade or Downgrade pane. It displays the version that was upgraded to, the time and date that the upgrade took place, and the user that performed the upgrade. This information can be useful when receiving support to identify incorrect upgrade paths that can cause stability issues.

Always review all sections in the FortiAuthenticator Release Notes prior to upgrading your device.

Configuring auto-backup

You can configure the FortiAuthenticator to automatically perform configuration backups to an FTP or SFTP server.

Even though the backup file is encrypted to prevent tampering, access to the FTP server should be restricted. This configuration file backup includes both the CLI and GUI configurations of FortiAuthenticator. The backed-up information includes users, user groups, FortiToken device list, authentication client list, LDAP directory tree, FSSO settings, remote LDAP and RADIUS, and certificates.

To configure automatic backups, go to System > Administration > Config Auto-backup.

Enter the following information, and then select OK to apply the settings:

Enable configuration auto-backup Enable automatic configuration backups.
Frequency Select the automatic backup frequency: Hourly, Daily, Weekly, or Monthly.
Backup time

Enter a time, select Now, or select the clock icon to set the scheduled time for backups to occur.

Note that this option is not available when the frequency is set to Hourly.

FTP directory Enter the FTP directory to which the backup configuration files are saved.
FTP server Select the FTP server to which the backup configuration files are saved. See FTP servers for information on adding FTP servers.
Secondary FTP server Select a secondary FTP server.

SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can configure the hardware, such as the FortiAuthenticator SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent, and send out SNMP queries to the SNMP agents.

By using an SNMP manager, you can access SNMP traps and data from any FortiAuthenticator interface configured for SNMP management access. Part of configuring an SNMP manager is listing it as a host in a community on the FortiAuthenticator device it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that device, or be able to query that device.

The FortiAuthenticator SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to system information through queries and can receive trap messages from FortiAuthenticator.

To monitor FortiAuthenticator system information and receive FortiAuthenticator traps, your SNMP manager needs the Fortinet and FortiAuthenticator Management Information Base (MIB) files. A MIB is a text file that lists the SNMP data objects that apply to the monitored device. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by FortiAuthenticator SNMP agent.

The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet‑like MIB) and most of RFC 1213 (MIB II). RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

SNMP traps alert you to important events that occur, such as overuse of memory or a high rate of authentication failures.

SNMP fields contain information about FortiAuthenticator, such as CPU usage percentage or the number of sessions. This information is useful for monitoring the condition of the unit on an ongoing basis and to provide more information when a trap occurs.

Configuring SNMP

Before a remote SNMP manager can connect to the Fortinet agent, you must configure one or more interfaces to accept SNMP connections by going to System > Network > Interfaces. Edit the interface, and under Admin access, enable SNMP. See Interfaces.

You can also set the thresholds that trigger various SNMP traps. Note that a setting of zero disables the trap.

To configure SNMP settings:
  1. Go to System > Administration > SNMP.
  2. Enter the following information:
    SNMP Contact Enter the contact information for the person responsible for this FortiAuthenticator unit.
    SNMP Description Enter descriptive information about FortiAuthenticator.
    SNMP Location Enter the physical location of FortiAuthenticator.
    User Table Nearly Full Trap Threshold The user table is nearly full. The threshold is a percentage of the maximum permitted number of users.
    User Group Table Nearly Full Trap Threshold The user group table is nearly full. The threshold is a percentage of the maximum permitted number of user groups.
    RADIUS Authentication Client Table Nearly Full Trap Threshold The RADIUS authentication client table is nearly full. The threshold is a percentage of the maximum permitted number of RADIUS clients.
    Authentication Event Rate Over Limit Trap Threshold High authentication load. The threshold is the number of authentication events over a five minute period.
    Authentication Failure Rate Over Limit Trap Threshold High rate of authentication failure. The threshold is the number of authentication failures over a five minute period.
    CPU Utilization Trap Threshold (%) High load on CPU. The default is set to 90%.
    Disk Utilization Trap Threshold (%) Disk usage is high. The default is set to 80%.
    Memory Utilization Trap Threshold (%) Too much memory used. The default is set to 90%.
  3. Select OK to apply the changes.
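
To see how the two rate-based thresholds above behave, the Python script below (an added example, not FortiAuthenticator's trap logic) computes the peak number of authentication events and failures in any sliding five-minute window over a few constructed log lines, then applies the thresholds, treating a value of zero as a disabled trap as the guide states. The simplified log format, the threshold values other than the three utilization defaults, and the strict "greater than" comparison are assumptions of the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Trap thresholds. The three utilization defaults (90/80/90) are the guide's; the two
# rate limits and the disabled user-table trap are constructed for this example.
# As the guide states, a threshold of zero disables the trap.
THRESHOLDS = {
    "auth_event_rate": 500,       # auth events per five-minute window
    "auth_failure_rate": 5,       # auth failures per five-minute window
    "cpu_percent": 90,
    "disk_percent": 80,
    "memory_percent": 90,
    "user_table_percent": 0,      # 0 = trap disabled
}
WINDOW = timedelta(minutes=5)

# Constructed sample log lines in a simplified format (not FortiAuthenticator's log format)
SAMPLE_LOG = """\
2024-05-01T10:00:01 auth result=success user=alice
2024-05-01T10:00:05 auth result=failure user=bob
2024-05-01T10:00:09 auth result=failure user=bob
2024-05-01T10:00:14 auth result=failure user=bob
2024-05-01T10:01:30 auth result=failure user=bob
2024-05-01T10:02:45 auth result=success user=carol
2024-05-01T10:03:10 auth result=failure user=bob
2024-05-01T10:04:40 auth result=failure user=bob
2024-05-01T10:12:00 auth result=failure user=dave
"""

LINE_RE = re.compile(r"^(\S+) auth result=(success|failure) user=(\S+)$")


def auth_events(lines):
    """Yield (timestamp, failed) for each parsable auth log line; others are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2) == "failure"


def peak_rates(lines, window=WINDOW):
    """Highest number of auth events and of auth failures seen in any sliding window."""
    recent = deque()
    failures = peak_events = peak_failures = 0
    for ts, failed in auth_events(lines):
        recent.append((ts, failed))
        failures += failed
        # Evict events that have fallen out of the window ending at ts
        while ts - recent[0][0] >= window:
            _, old_failed = recent.popleft()
            failures -= old_failed
        peak_events = max(peak_events, len(recent))
        peak_failures = max(peak_failures, failures)
    return peak_events, peak_failures


def fired_traps(metrics, thresholds=THRESHOLDS):
    """Names of traps whose metric exceeds its threshold; a zero threshold disables the trap."""
    return [name for name, limit in thresholds.items()
            if limit != 0 and metrics.get(name, 0) > limit]


def check_sample():
    """Evaluate the constructed log together with constructed utilization readings."""
    events, failures = peak_rates(SAMPLE_LOG.splitlines())
    metrics = {
        "auth_event_rate": events,
        "auth_failure_rate": failures,
        "cpu_percent": 42,
        "disk_percent": 81,
        "memory_percent": 60,
        "user_table_percent": 99,   # above any sane limit, but its trap is disabled
    }
    return fired_traps(metrics)


if __name__ == "__main__":
    print(peak_rates(SAMPLE_LOG.splitlines()))
    print(check_sample())
```

The sliding window is the part worth noting: a burst of six failures against one account inside five minutes trips the failure-rate trap even though the overall event count is far below its limit, which is the kind of brute-force or password-spray signal the Authentication Failure Rate trap exists to surface, while the user-table reading is ignored entirely because its threshold is zero.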
To create a new SNMP community:
  1. Go to System > Administration > SNMP.
  2. Select Create New under SNMP v1/v2c. The Create New SNMP V1/v2c window opens.
  3. Enter the following information in the SNMPv1/v2c section:
    Community name The name of the SNMP community.
    Events

    Select the events for which traps are enabled. Options include:

    • CPU usage is high
    • Memory is low
    • Interface IP is changed
    • Auth users threshold exceeded
    • Auth group threshold exceeded
    • Radius NAS threshold exceeded
    • Auth event rate threshold exceeded
    • Auth failure rate threshold exceeded
    • User lockout detected
    • HA status is changed
    • Power Supply Unit failure
    • Disk usage is high
    • HA sync activity is low
  4. In SNMP Hosts, select Add another SNMP Host and enter the following information:
    IP/Netmask Enter the IP address and netmask of the host.
    Queries Select if this host uses queries.
    Traps Select if this host uses traps.
    Delete Select to delete the host.
  5. Select OK to create the new SNMP community.
To create a new SNMP user:
  1. Go to System > Administration > SNMP.
  2. Select Create New under SNMP v3. The Create New SNMP V3 window opens.
  3. Enter the following information in the General section:
    Username The name of the SNMP user.
    Security level

    Select the security level from the dropdown menu:

    • None: No authentication or encryption.
    • Authentication only: Select the Authentication method then enter the authentication key in the Authentication key field.
    • Encryption and authentication: Select the Authentication method, enter the authentication key in the Authentication key field, then select the Encryption method and enter the encryption key in the Encryption key field. This option is set by default.
    Events Select the events for which traps are enabled. See Events.
  4. In SNMP Notification Hosts, select Add another SNMP Notification Host and enter the following information:
    IP/Netmask Enter the IP address and netmask of the notification host.
    Delete Select to delete the notification host.
  5. Select OK to create the new SNMP V3 user.
To download MIB files:
  1. Go to System > Administration > SNMP.
  2. Under FortiAuthenticator SNMP MIB, select the MIB file to download. The options are the FortiAuthenticator MIB and the Fortinet Core MIB files.

Licensing

FortiAuthenticator-VM works in evaluation mode until it is licensed. In evaluation mode, only a limited number of users can be configured on the system. To expand this capability, a stackable license can be applied to the system to increase both the user count, and all other metrics associated with the user count.

When a license is purchased, a registration code is provided. Go to support.fortinet.com and register your device by entering the registration code. You are asked for the IP address of your FortiAuthenticator device, and are then provided with a license key.

Ensure that the IP address specified while registering your unit is configured on one of the device’s network interfaces, then upload the license key to your FortiAuthenticator-VM.

The License Information widget shows the current state of the device license. See License information widget.

To license FortiAuthenticator:
  1. Register your device at the Fortinet Support website.
  2. Ensure that one of your device’s network interfaces is configured to the IP address specified during registration.
  3. Go to System > Administration > Licensing.
  4. Select Choose File and locate the license file you received from Fortinet.
  5. Select OK.

FortiGuard

To view and configure FortiGuard connections, go to System > Administration > FortiGuard. The FortiGuard Distribution Network (FDN) page provides information and configuration settings for FortiGuard subscription services. For more information about FortiGuard services, see the FortiGuard web page.

Configure the following settings, then select OK to apply them:

FortiGuard Subscription Services
Messaging Service The date until which the messaging service license is valid.
SMS messages The total number of allowed SMS messages, and the number of messages that have been used.
FortiGuard Proxy Server
Enable FortiGuard proxy server

If enabled, communication with FortiGuard servers will go through this proxy server.

Enter the proxy server's address, port, and optionally specify a Username and Password for user authentication.

FortiToken Hardware Provisioning

Server address

Server port

The server address (set to update.fortiguard.net by default) and server port (set to 443 by default).
FortiToken Mobile Provisioning

Server address

Server port

The server address (set to fortitokenmobile.fortinet.com by default) and server port (set to 443 by default).
Activation timeout The activation timeout in hours, from 1 to 168 hours (up to seven days).
Token size The token size, either 6 (set by default) or 8.
Token algorithm Time-based One-time Password (TOTP, set by default) or Hash-based One-time Password (HOTP) algorithm.
Time step The time step, either 60 (set by default) or 30.
Require PIN

Select whether or not to require a PIN, or to enforce a mandatory PIN.

When set to Required (the default), the user may set a PIN but is not obliged to. When set to Enforced, the user must set a PIN, and that PIN cannot be deleted.

PIN Length The PIN length, either 4 (the default), 6, or 8.
FTM trial license activation Option to disable the FortiAuthenticator device's free trial FortiToken Mobile licenses.
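The Token algorithm, Time step, and Token size settings above map directly onto RFC 4226 HOTP and RFC 6238 TOTP. The Python implementation below is an added example, not FortiToken or FortiAuthenticator code; it shows how the time step and digit count change the generated code and how a verifier tolerates a small amount of clock drift. The HMAC-SHA1 hash (the RFC default; the guide does not state which hash FortiToken uses), the RFC test-vector secret, and the skew window in verify_totp are assumptions of the example.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, dynamic truncation
    to 31 bits, then reduction modulo 10^digits with zero padding."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, timestamp=None, time_step=60, digits=6, algorithm=hashlib.sha1):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / time_step).
    The 60-second default mirrors the guide's Time step default; RFC 6238 uses 30."""
    if timestamp is None:
        timestamp = time.time()
    return hotp(secret, int(timestamp // time_step), digits, algorithm)


def verify_totp(secret, code, timestamp, time_step=60, digits=6, skew_steps=1):
    """Accept a code from the current step or skew_steps neighbours on either side,
    using a constant-time comparison. A wider window tolerates more clock drift but
    gives an attacker more valid codes per attempt, so keep it small."""
    counter = int(timestamp // time_step)
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, counter + delta, digits), code):
            return True
    return False


def fortitoken_style_codes(secret, timestamp):
    """Same secret and instant under the four Time step / Token size combinations
    offered on the FortiToken Mobile Provisioning page."""
    return {(step, digits): totp(secret, timestamp, time_step=step, digits=digits)
            for step in (60, 30) for digits in (6, 8)}


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector secret (constructed demo, not a real seed)
    demo_secret = b"12345678901234567890"
    print(fortitoken_style_codes(demo_secret, 59))
```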
FortiGuard Messaging Service

Server address

Server port

The server address (set to msgctrl1.fortinet.com by default) and server port (set to 443 by default).
FTM Push credentials for Apple and Google can be updated via FortiGuard without admin user intervention.

FortiNACs

To view a list of the configured FortiNAC servers, go to System > Administration > FortiNACs.

The following information is shown:

Create New Select to configure a new FortiNAC server (this is the only option available if no FortiNAC servers are configured).
Delete Select to delete the selected FortiNAC server(s).
Edit Select to edit the selected FortiNAC server.
Name The name of the FortiNAC server.
To create a new FortiNAC server:
  1. Select Create New. The Create New FortiNAC window opens.
  2. Enter the following information:
    Name Enter a name for the FortiNAC server.
    IP/FQDN Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiNAC server.
    Port Enter the port number.
    Password Enter the FortiNAC server password.
  3. Select OK to create the new FortiNAC server.

FTP servers

To view a list of the configured FTP servers, go to System > Administration > FTP Servers.

The following information is shown:

Create New Select to create a new FTP server (this is the only option available if no FTP servers are configured).
Delete Select to delete the selected FTP server(s).
Edit Select to edit the selected FTP server.
Name The name of the FTP server.
Server name/IP The server name or IP address, and port number.
To create a new FTP server:
  1. Select Create New. The Create New FTP Server window will open.
  2. Enter the following information:
    Name Enter a name for the FTP server.
    Connection type Select the connection type, either FTP or SFTP.
    Server name/IP Enter the server name or IP address.
    Port Enter the port number.
    Anonymous Select to log in to the server anonymously, without a username and password.
    Username Enter the server username (if Anonymous is not selected).
    Password Enter the server password (if Anonymous is not selected).
  3. Select OK to create the new FTP server.

Admin profiles

Similar to FortiOS, FortiAuthenticator can incorporate the use of admin profiles. Each administrator can be granted either full permissions or a customized admin profile. Profiles are defined as aggregates of read-only or read/write permission sets. The most commonly used permission sets are pre-defined, but custom permission sets can also be created.

To create a new admin profile, go to System > Administration > Admin Profiles > Create New. You can give the admin profile a Name, a Description, and configure the Permission sets you want for that particular admin profile.

Go to Authentication > User Management > Local Users and assign the admin profile to an administrator. You can assign more than one admin profile to each administrator.

Administration

Administration

Configure administrative settings for the FortiAuthenticator device.

System access

To adjust system access settings, go to System > Administration > System Access. The Edit System Access Settings page will open.

The following settings are available:

Administrative Access
Require strong cryptography Enable this option to restrict administrative access using stronger cryptographic algorithms, such as TLS 1.2, DHE, AES, and SHA256.
Enable pre-authentication warning message Pre-authentication warning messages can be found under Authentication > Self-service Portal > Replacement Messages.
CLI Access
CLI idle timeout Enter the amount of time before the CLI times out due to inactivity, from 0 to 480 minutes (maximum of eight hours).
GUI Access
GUI idle timeout Enter the amount of time before the GUI times out due to inactivity, from 1 to 480 minutes (maximum of eight hours).
Maximum HTTP header length Enter the maximum HTTP header length, from 4 to 16 KB.
HTTPS Certificate Select an HTTPS certificate from the dropdown menu.
HTTP Strict Transport Security (HSTS) Expiry Enable or disable HSTS enforcement, to avoid SSL sniffing attacks, and set an expiry from 0 to 730 days (where 0 means no expiry, maximum of two years). The default is set to 180.
Certificate authority type Select the selected certificate’s authority type, either Local CA or Trusted CA.
CA certificate that issued the server certificate Select the issuing server certificate from the dropdown menu.
Additional allowed hosts/domain names Specify any additional hosts that this site can serve, separated by commas or line breaks.
Public IP/FQDN for FortiToken Mobile

Enter the IP, or FQDN, of the FortiAuthenticator for external access.

The mobile device running the FortiToken Mobile app requires access to the FortiAuthenticator interface for push to operate.

Enter the IPs/FQDNs in the following format:
ip_addr[:port] or FQDN[:port]

Select OK to apply any changes. See Certificate management for more information about certificates.

High availability

Multiple FortiAuthenticator units can operate as an high availability (HA) cluster to provide even higher reliability.

There are three HA roles:

  1. Cluster member
  2. Standalone primary
  3. Load-balancer

The FortiAuthenticator can operate in two separate HA modes:

  1. Cluster: Active-passive clustered fail-over mode where all of the configuration is synchronized between the devices.
  2. Load-balancing: Active-active HA method in which one device acts as a standalone primary with up to ten additional, geographically separated load-balancers. The load can be distributed across the devices using round-robin DNS, Auth/NAS client load distribution, or external load balancing devices. Load-balancing mode is intended for two-factor authentication deployments, as only a subset of the configuration is synchronized between the devices.

Both HA modes can be combined with an HA cluster acting as a standalone primary for geographically distributed load-balancing devices.

If an HA cluster is configured on an interface (such as port 2) and then disabled, it will not be possible to re-enable HA on that interface.

This is because, when HA is disabled, the cluster member IP address is assigned to that interface so that the administrator can still access the newly standalone device. To make the port available for use again in an HA cluster, the IP address must be manually removed.

Cluster member role

In the cluster member role, one unit is active and the other is on standby. If the active unit fails, the standby unit becomes active. The cluster is configured as a single authentication server on your FortiGate units.

Authentication requests made during a failover from one unit to another are lost, but subsequent requests complete normally. The failover process takes about 30 seconds.

Cluster mode uses Ethernet broadcasts through UDP/720 as part of its active/standby election mechanism and for ongoing communication. Layer 2 connectivity is required between the devices in an HA cluster, preferably via a crossover cable, as some network devices might block such Ethernet broadcasts.
To configure FortiAuthenticator HA:
  1. On each unit, go to System > Administration > High Availability.
  2. Enter the following information:
    Enable HA Enable HA.
    Role

    Select Cluster member.

    For more information about the other options, see Standalone primary and load-balancers below.

    Maintenance Mode

    Enable to put the FortiAuthenticator unit of an HA cluster into maintenance mode to remove it from the cluster. Upon entering maintenance mode, if the FortiAuthenticator unit is the active member, it relinquishes the active member role and assumes a standby role. While in maintenance mode, the FortiAuthenticator will continue to monitor the status of its HA pair and announce its presence.

    When set to Enabled with synchronization, the FortiAuthenticator continues to keep its configuration synchronized with the active member.

    When set to Enabled without synchronization, the FortiAuthenticator stops synchronizing its configuration with the active member.

    Interface Select a network interface to use for communication between the cluster members. This interface must not already have an IP address assigned and it cannot be used for authentication services. Both units must use the same interface for HA communication.
    Cluster member IP address Enter the IP address this unit uses for HA-related communication with the other FortiAuthenticator unit. The units must have different addresses. Usually, you should assign addresses on the same private subnet.
    Admin access Select the types of administrative access to allow from: Telnet, SSH, HTTPS, Admin access, REST API, HTTP, and SNMP.
    Priority Set to Low on one unit and High on the other. Normally, the unit with High priority is the active member.
    Password Enter a string to use as a shared key for IPsec encryption. This must be the same on both units.
    Load-balancing slaves Add the other load-balancing cluster members by entering their IP addresses.
    Monitored interfaces Enable the interfaces you want to monitor.
    Monitored interfaces stability period Define the stability period for the monitored interfaces in seconds, from 0 to 3600 (one hour). The default is set to 30.

    Node-Specific Default Gateway

    Define a default gateway for the FortiAuthenticator device if it differs from the default gateway of the other HA cluster member.

    Note

    The Priority setting is a static value. It allows the administrator to specify which unit to elect as the active member when both units are working equally well (i.e. in a failover situation, the "high priority" setting will not be transferred to the new active member).

    • If both units are healthy, the one with high priority will be elected as the active member.
    • If the high priority active member goes down, the low priority unit becomes the active member.
    • When the low priority unit is the active member and the high priority unit comes back online, the high priority unit assumes the standby member role and syncs from the low priority active member. Once the high priority member is synced and remains stable for around five minutes, it takes over and becomes the active member again.
  3. Select OK to apply the settings.
    Note: When one unit has become the active member, reconnect to the GUI and complete your configuration. The configuration will automatically be copied to the standby member.

Standalone primary and load-balancers

The load-balancing HA method enables active-active HA across geographically separated locations and Layer 3 networks. Only the following authentication related features can be synchronized:

  • Token and seeds
  • Local user database
  • Remote user database
  • Group mappings
  • Token and user mappings

Other features, such as FSSO and certificates, cannot be synchronized between devices.

The standalone primary is the primary system where users, groups, and tokens are configured. The load-balancers are synchronized to the standalone primary.

To improve the resilience of the primary system, an active-passive cluster with up to ten load-balancing devices can be configured.

Remote administrator users are not synchronized between the standalone primary and the load-balancers.

As a workaround, you can import remote users to load-balancers, and change their roles to Administrator.

To configure load-balancing HA:
  1. On each unit, go to System > Administration > High Availability.
  2. Enter the following information:
    Enable HA Enable HA.
    Role Select Standalone master on the primary device, and Load-balancing slave on the load-balancing device(s).
    Load Balancing master IP address On the load-balancing device(s), enter the IP address of the standalone primary.
    Password Enter a string to use as a shared key for IPsec encryption. This must be the same on both units.
    Load-balancing slaves On the standalone primary, enter the IP address(es) of the load-balancing devices. Up to ten can be added.
  3. Select OK to apply the settings.

Administrative access to the HA cluster

Administrative access is available through any of the network interfaces using their assigned IP addresses or through the HA interface using the Cluster member IP address, assigned on the System > Administration > High Availability page. In all cases, administrative access is available only if it is enabled on the interface.

Administrative access through any of the network interface IP addresses connects only to the active member. The only administrative access to the standby member is through the HA interface using the standby member’s Cluster member IP address.

Configuration changes made on the active member are automatically pushed to the standby member. The standby member does not permit configuration changes, but you might want to access the unit to change HA settings, or for firmware upgrades, shutdown, reboot, or troubleshooting.

FortiAuthenticator VMs used in an HA cluster each require a license. Each license is tied to a specific IP address. In an HA cluster, all interface IP addresses are the same on both units, except for the HA interface.

Request each license based on either the unique IP address of the unit's HA interface or the IP address of a non-HA interface, which is the same on both units.

If you disable and then re-enable HA operation, the interface that was assigned to HA communication will not be available for HA use. You must first go to System > Network > Interfaces and delete the IP address from that interface.

Restoring the configuration

When restoring a configuration to an HA cluster active member, the active member reboots and in the interim the standby member is promoted to the role of active member. When the previous active member returns to service, it becomes a standby member and the existing active member overwrites its configuration, defeating the configuration restore. To avoid this, use the following process when restoring a configuration:

  1. Shut down the standby member.
  2. Restore the configuration on the active member.
  3. Wait until the active member is back online.
  4. Turn on the standby member; it will synchronize to the restored configuration after booting up.

Firmware upgrade

For a stable HA configuration, all units in an HA cluster must be running the same firmware version, and have the same sized license for HA devices.

When upgrading the firmware on FortiAuthenticator devices in an HA cluster, you can perform a coordinated upgrade of both cluster members. During the coordinated upgrade, the cluster upgrades the standby device and then the active device to run the new firmware image. The firmware upgrade takes place without interrupting communication through the cluster. This firmware upgrade method can only be initiated from the active member of the cluster.

The following sequence describes the steps the cluster goes through during a coordinated firmware upgrade.

  1. The administrator initiates the firmware upgrade from the active member.
  2. The firmware image transfers to the standby member.
  3. The firmware upgrades on the standby member.
  4. The standby member reboots and synchronizes with the active member.
  5. The firmware upgrade begins on the active member. The standby member becomes the new active device.
  6. The former active member reboots and synchronizes with the new active member.
  7. The former active member becomes the active device, and the former standby member becomes the standby device.

If you want to perform the firmware upgrade on each FortiAuthenticator cluster member individually, specific steps must be taken to ensure that the upgrade is successful:

  1. Start the firmware upgrade on the active member. See Upgrading the firmware.
  2. The device reboots. While the active member is rebooting, the standby member becomes the active member.
  3. Start the firmware upgrade on the new active member.
  4. The device reboots. After both devices have rebooted, the original active member becomes the active device, while the original standby member returns to being the standby device.

If a situation arises where both devices are claiming to be the active member due to a firmware mismatch, and the HA port of the device that is intended to be the standby member cannot be accessed (such as when a crossover cable is used), use the following steps:

  1. Shut down the active member to which you have access, or, if physical access to the unit is not available to turn it back on, reboot the device. See System information widget.
    Note that, if rebooting the device, Step 2 below must be completed before the device finishes rebooting, which can be as short as 30 seconds.
  2. With the previously inaccessible device now accessible, upgrade its firmware to the required version so that both devices have the same version.
  3. The device reboots.
  4. If you shut down the device in Step 1, power it back on.
  5. After both devices are back online, they assume the HA roles dictated by their respective HA priorities.

Firmware upgrade

The FortiAuthenticator firmware can be upgraded from System > Administration > Firmware, the CLI via FTP/TFTP, or through the System Information widget on the dashboard (see System information widget).

For instructions on upgrading the device’s firmware, see Upgrading the firmware.

Upgrade history

The upgrade history of the device is shown under the Upgrade History heading in the Firmware Upgrade or Downgrade pane. It displays the version that was upgraded to, the time and date that the upgrade took place, and the user that performed the upgrade. This information can be useful when receiving support to identify incorrect upgrade paths that can cause stability issues.

Always review all sections in the FortiAuthenticator Release Notes prior to upgrading your device.

Configuring auto-backup

You can configure the FortiAuthenticator to automatically perform configuration backups to an FTP or SFTP server.

Even though the backup file is encrypted to prevent tampering, access to the FTP server should be restricted. This configuration file backup includes both the CLI and GUI configurations of FortiAuthenticator. The backed-up information includes users, user groups, FortiToken device list, authentication client list, LDAP directory tree, FSSO settings, remote LDAP and RADIUS, and certificates.

To configure automatic backups, go to System > Administration > Config Auto-backup.

Enter the following information, and then select OK to apply the settings:

Enable configuration auto-backup Enable automatic configuration backups.
Frequency Select the automatic backup frequency: Hourly, Daily, Weekly, or Monthly.
Backup time

Enter a time, select Now, or select the clock icon to set the scheduled time for backups to occur.

Note that this option is not available when the frequency is set to Hourly.

FTP directory Enter the FTP directory in which the backup configuration files are saved.
FTP server Select the FTP server to which the backup configuration files are saved. See FTP servers for information on adding FTP servers.
Secondary FTP server Select a secondary FTP server.

SNMP

Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can configure the hardware, such as the FortiAuthenticator SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent, and send out SNMP queries to the SNMP agents.

By using an SNMP manager, you can access SNMP traps and data from any FortiAuthenticator interface configured for SNMP management access. Part of configuring an SNMP manager is listing it as a host in a community on the FortiAuthenticator device it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that device, or be able to query that device.

The FortiAuthenticator SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to system information through queries and can receive trap messages from FortiAuthenticator.

To monitor FortiAuthenticator system information and receive FortiAuthenticator traps, your SNMP manager needs the Fortinet and FortiAuthenticator Management Information Base (MIB) files. A MIB is a text file that lists the SNMP data objects that apply to the monitored device. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by FortiAuthenticator SNMP agent.

The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet‑like MIB) and most of RFC 1213 (MIB II). RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).

SNMP traps alert you to important events that occur, such as overuse of memory or a high rate of authentication failures.

SNMP fields contain information about FortiAuthenticator, such as CPU usage percentage or the number of sessions. This information is useful for monitoring the condition of the unit on an ongoing basis and to provide more information when a trap occurs.

Configuring SNMP

Before a remote SNMP manager can connect to the Fortinet agent, you must configure one or more interfaces to accept SNMP connections by going to System > Network > Interfaces. Edit the interface, and under Admin access, enable SNMP. See Interfaces.

You can also set the thresholds that trigger various SNMP traps. Note that a setting of zero disables the trap.

To configure SNMP settings:
  1. Go to System > Administration > SNMP.
  2. Enter the following information:
    SNMP Contact Enter the contact information for the person responsible for this FortiAuthenticator unit.
    SNMP Description Enter descriptive information about FortiAuthenticator.
    SNMP Location Enter the physical location of FortiAuthenticator.
    User Table Nearly Full Trap Threshold The user table is nearly full. The threshold is a percentage of the maximum permitted number of users.
    User Group Table Nearly Full Trap Threshold The user group table is nearly full. The threshold is a percentage of the maximum permitted number of user groups.
    RADIUS Authentication Client Table Nearly Full Trap Threshold The RADIUS authenticated client table is nearly full. The threshold is a percentage of the maximum permitted number of RADIUS clients.
    Authentication Event Rate Over Limit Trap Threshold High authentication load. The threshold is the number of authentication events over a five minute period.
    Authentication Failure Rate Over Limit Trap Threshold High rate of authentication failure. The threshold is the number of authentication failures over a five minute period.
    CPU Utilization Trap Threshold (%) High load on CPU. The default is set to 90%.
    Disk Utilization Trap Threshold (%) Disk usage is high. The default is set to 80%.
    Memory Utilization Trap Threshold (%) Too much memory used. The default is set to 90%.
  3. Select OK to apply the changes.
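
The rate and utilization thresholds above, and the rule that a threshold of zero disables its trap, can be exercised offline. The following Python is an added example, not Fortinet's code: it takes constructed gauge values and constructed authentication log lines (not FortiAuthenticator's real log format), measures the peak event and failure counts in any sliding five-minute period, and reports which traps would fire.

```python
from datetime import datetime, timedelta

# Constructed thresholds mirroring System > Administration > SNMP.
# Percent thresholds use the page defaults; rate thresholds are counts per
# five-minute period; 0 disables the trap, as the page notes.
THRESHOLDS = {
    "cpu_pct": 90,
    "disk_pct": 80,
    "mem_pct": 90,
    "user_table_pct": 0,       # disabled
    "auth_event_rate": 0,      # disabled
    "auth_failure_rate": 3,
}

WINDOW = timedelta(minutes=5)

# Constructed sample log lines; the format is invented for this example.
SAMPLE_LOG = """\
2024-05-01T10:00:05 auth user=alice result=failure
2024-05-01T10:01:10 auth user=alice result=failure
2024-05-01T10:02:30 auth user=bob result=success
2024-05-01T10:03:45 auth user=alice result=failure
2024-05-01T10:09:00 auth user=carol result=failure
"""


def parse_auth_events(text):
    """Return a list of (timestamp, succeeded) tuples from the sample log."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[1] != "auth":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:])
        events.append((datetime.fromisoformat(parts[0]),
                       fields.get("result") == "success"))
    return events


def peak_rate(events, failures_only, window=WINDOW):
    """Highest number of events (or failures only) inside any sliding window.
    Two events exactly `window` apart are not counted in the same period."""
    times = sorted(t for t, ok in events if not (failures_only and ok))
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] >= window:
            start += 1
        best = max(best, end - start + 1)
    return best


def evaluate_traps(metrics, thresholds):
    """Names of traps whose threshold is reached; a threshold of 0 never fires."""
    return [name for name, limit in thresholds.items()
            if limit != 0 and metrics.get(name, 0) >= limit]


def snmp_trap_report(log_text, gauges, thresholds=THRESHOLDS):
    """Combine gauge readings with rates derived from the log and evaluate."""
    events = parse_auth_events(log_text)
    metrics = dict(gauges)
    metrics["auth_event_rate"] = peak_rate(events, failures_only=False)
    metrics["auth_failure_rate"] = peak_rate(events, failures_only=True)
    return evaluate_traps(metrics, thresholds)


if __name__ == "__main__":
    gauges = {"cpu_pct": 95, "disk_pct": 40, "mem_pct": 90, "user_table_pct": 99}
    print(snmp_trap_report(SAMPLE_LOG, gauges))
```

Note that user_table_pct at 99% fires nothing because its threshold is 0, while three failures inside 3 minutes 40 seconds reach the failure-rate threshold.
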
To create a new SNMP community:
  1. Go to System > Administration > SNMP.
  2. Select Create New under SNMP v1/v2c. The Create New SNMP V1/v2c window opens.
  3. Enter the following information in the SNMPv1/v2c section:
    Community name The name of the SNMP community.
    Events

    Select the events for which traps are enabled. Options include:

    • CPU usage is high
    • Memory is low
    • Interface IP is changed
    • Auth users threshold exceeded
    • Auth group threshold exceeded
    • Radius NAS threshold exceeded
    • Auth event rate threshold exceeded
    • Auth failure rate threshold exceeded
    • User lockout detected
    • HA status is changed
    • Power Supply Unit failure
    • Disk usage is high
    • HA sync activity is low
  4. In SNMP Hosts, select Add another SNMP Host and enter the following information:
    IP/Netmask Enter the IP address and netmask of the host.
    Queries Select if this host uses queries.
    Traps Select if this host uses traps.
    Delete Select to delete the host.
  5. Select OK to create the new SNMP community.
To create a new SNMP user:
  1. Go to System > Administration > SNMP.
  2. Select Create New under SNMP v3. The Create New SNMP V3 window opens.
  3. Enter the following information in the General section:
    Username The name of the SNMP user.
    Security level

    Select the security level from the dropdown menu:

    • None: No authentication or encryption.
    • Authentication only: Select the Authentication method then enter the authentication key in the Authentication key field.
    • Encryption and authentication: Select the Authentication method, enter the authentication key in the Authentication key field, then select the Encryption method and enter the encryption key in the Encryption key field. This option is set by default.
    Events Select the events for which traps are enabled. See Events.
  4. In SNMP Notification Hosts, select Add another SNMP Notification Host and enter the following information:
    IP/Netmask Enter the IP address and netmask of the notification host.
    Delete Select to delete the notification host.
  5. Select OK to create the new SNMP V3 user.
To download MIB files:
  1. Go to System > Administration > SNMP.
  2. Under FortiAuthenticator SNMP MIB, select the MIB file you need to download. Options include the FortiAuthenticator MIB and Fortinet Core MIB files.

Licensing

FortiAuthenticator-VM works in evaluation mode until it is licensed. In evaluation mode, only a limited number of users can be configured on the system. To expand this capability, a stackable license can be applied to the system to increase both the user count, and all other metrics associated with the user count.

When a license is purchased, a registration code is provided. Go to support.fortinet.com and register your device by entering the registration code. You are asked for the IP address of your FortiAuthenticator device, and are then provided with a license key.

Ensure that the IP address specified while registering your unit is configured on one of the device’s network interfaces, then upload the license key to your FortiAuthenticator-VM.

The License Information widget shows the current state of the device license. See License information widget.

To license FortiAuthenticator:
  1. Register your device at the Fortinet Support website.
  2. Ensure that one of your device’s network interfaces is configured to the IP address specified during registration.
  3. Go to System > Administration > Licensing.
  4. Select Choose File and locate the license file you received from Fortinet.
  5. Select OK.

FortiGuard

To view and configure FortiGuard connections, go to System > Administration > FortiGuard. The FortiGuard Distribution Network (FDN) page provides information and configuration settings for FortiGuard subscription services. For more information about FortiGuard services, see the FortiGuard web page.

Configure the following settings, then select OK to apply them:

FortiGuard Subscription Services
Messaging Service The date until which the messaging service license is valid.
SMS messages The total number of allowed SMS messages, and the number of messages that have been used.
FortiGuard Proxy Server
Enable FortiGuard proxy server

If enabled, communication with FortiGuard servers will go through this proxy server.

Enter the proxy server's address, port, and optionally specify a Username and Password for user authentication.

FortiToken Hardware Provisioning

Server address

Server port

The server address (set to update.fortiguard.net by default) and server port (set to 443 by default).
FortiToken Mobile Provisioning

Server address

Server port

The server address (set to fortitokenmobile.fortinet.com by default) and server port (set to 443 by default).
Activation timeout The activation timeout in hours, from 1 to 168 hours (seven days).
Token size The token size, either 6 (set by default) or 8.
Token algorithm Time-based One-time Password (TOTP, set by default) or Hash-based One-time Password (HOTP) algorithm.
Time step The time step, either 60 (set by default) or 30.
Require PIN

Select whether or not to require a PIN, or to enforce a mandatory PIN.

When set to Required (set by default), the user has the option to set a PIN, but doesn't have to set one. However, a user must set a PIN when set to Enforced, which cannot be deleted.

PIN Length The PIN length, either 8, 6, or 4 (set by default).
FTM trial license activation Option to disable the FortiAuthenticator device's free trial FortiToken Mobile licenses.
FortiGuard Messaging Service

Server address

Server port

The server address (set to msgctrl1.fortinet.com by default) and server port (set to 443 by default).
Note: FTM Push credentials for Apple and Google can be updated via FortiGuard without admin user intervention.

FortiNACs

To view a list of the configured FortiNAC servers, go to System > Administration > FortiNACs.

The following information is shown:

Create New Select to configure a new FortiNAC server (this is the only option available if no FortiNAC servers are configured).
Delete Select to delete the selected FortiNAC server(s).
Edit Select to edit the selected FortiNAC server.
Name The name of the FortiNAC server.
To create a new FortiNAC server:
  1. Select Create New. The Create New FortiNAC window opens.
  2. Enter the following information:
    Name Enter a name for the FortiNAC server.
    IP/FQDN Enter the IP address or Fully Qualified Domain Name (FQDN) of the FortiNAC server.
    Port Enter the port number.
    Password Enter the FortiNAC server password.
  3. Select OK to create the new FortiNAC server.

FTP servers

To view a list of the configured FTP servers, go to System > Administration > FTP Servers.

The following information is shown:

Create New Select to create a new FTP server (this is the only option available if no FTP servers are configured).
Delete Select to delete the selected FTP server(s).
Edit Select to edit the selected FTP server.
Name The name of the FTP server.
Server name/IP The server name or IP address, and port number.
To create a new FTP server:
  1. Select Create New. The Create New FTP Server window will open.
  2. Enter the following information:
    Name Enter a name for the FTP server.
    Connection type Select the connection type, either FTP or SFTP.
    Server name/IP Enter the server name or IP address.
    Port Enter the port number.
    Anonymous Select to log in to the server anonymously, without a username or password.
    Username Enter the username for the server (if Anonymous is not selected).
    Password Enter the password for the server (if Anonymous is not selected).
  3. Select OK to create the new FTP server.

Admin profiles

Similar to FortiOS, FortiAuthenticator can incorporate the use of admin profiles. Each administrator can be granted either full permissions or a customized admin profile. Profiles are defined as aggregates of read-only or read/write permission sets. The most commonly used permission sets are pre-defined, but custom permission sets can also be created.

To create a new admin profile, go to System > Administration > Admin Profiles > Create New. You can give the admin profile a Name, a Description, and configure the Permission sets you want for that particular admin profile.

Go to Authentication > User Management > Local Users to assign an admin profile to an administrator. You can assign more than one admin profile to each administrator.