The current FortiGate to EMS Fortinet Security Fabric connection in a high availability (HA) environment has the following limitations:
- If round robin is enabled on the DNS server, FortiOS may reach a secondary EMS node while establishing the Fabric connection, causing the Fabric connection to fail.
- If a Fabric connection is already configured, the connector disconnects after EMS failover, because DNS still resolves to the former primary EMS node.
For EMS HA failover to function correctly with FortiOS Fabric connectors, you can use a traffic manager in your topology. The traffic manager directs traffic to the correct EMS node based on which node is currently available.
To demonstrate this configuration, the example EMS HA environment is configured in Azure Cloud. This deployment uses the following components in Azure:
- Two EMS nodes
- SQL Server
- Traffic manager
Use FortiOS 7.2.1, 7.0.7, or a later version for this setup.
To configure traffic manager:
- Log in to the Azure portal.
- Select the desired resource group.
- Search for traffic manager, and create the profile. The traffic manager profile overview displays the DNS name, which you use to set up the Fabric connection and register FortiClient endpoints.
- You must add traffic manager profile endpoints. In this example, the endpoints are EMS nodes. On the Endpoints tab, select Add.
- For Target Resource type, select Public IP Address. In this example, emsnode1 and emsnode2 are added as endpoints in traffic manager, and traffic manager monitors the health of both endpoints according to the profile's monitoring configuration. emsnode1 is the primary node and emsnode2 is the secondary.
- Go to Settings > Configuration. Confirm that traffic manager is set to monitor TCP port 8013.
After failover, when the EMS secondary node becomes responsive (meaning that all FCEMS services are running), its traffic manager status changes from degraded to online.
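The traffic manager steps above as an Azure CLI script, added here as an example and not taken from the original page or from Fortinet. The resource group, profile name, DNS label and public IP resource names are assumptions, Priority routing is assumed from the primary/secondary description, and `active_endpoint` is a local check of which node the profile is currently steering clients to.

```shell
#!/bin/sh
# Assumed resource names (not from the original page).
RG="ems-ha-rg"
PROFILE="fortiems-tm"
DNS_LABEL="fortiems-demo"   # profile FQDN becomes <label>.trafficmanager.net

# FQDN to enter in the FortiOS Fabric connector IP/Domain name field.
tm_fqdn() {
    printf '%s.trafficmanager.net\n' "$1"
}

# Profile with Priority routing (emsnode1 primary, emsnode2 secondary) and a
# TCP health probe on port 8013, the port the page says must be monitored.
create_profile() {
    az network traffic-manager profile create \
        --resource-group "$RG" --name "$PROFILE" \
        --routing-method Priority --unique-dns-name "$DNS_LABEL" \
        --protocol TCP --port 8013 --ttl 30
}

# Add an EMS node's Public IP Address resource as a profile endpoint.
# $1 = endpoint name, $2 = public IP resource name, $3 = priority (1 = primary)
add_endpoint() {
    pip_id=$(az network public-ip show --resource-group "$RG" --name "$2" \
             --query id -o tsv)
    az network traffic-manager endpoint create \
        --resource-group "$RG" --profile-name "$PROFILE" --name "$1" \
        --type azureEndpoints --target-resource-id "$pip_id" --priority "$3"
}

# name<TAB>priority<TAB>monitorStatus per endpoint, as consumed by active_endpoint.
list_endpoints() {
    az network traffic-manager endpoint list \
        --resource-group "$RG" --profile-name "$PROFILE" \
        --query "[].[name, priority, endpointMonitorStatus]" -o tsv
}

# Reads list_endpoints output on stdin and prints the endpoint the FQDN
# currently resolves to: the lowest-priority endpoint whose probe is Online.
# Prints nothing when no endpoint is Online (every node degraded).
active_endpoint() {
    awk -F'\t' '$3 == "Online" { print $2 "\t" $1 }' | sort -n | head -n 1 | cut -f2
}

if [ "${1:-}" = "apply" ]; then
    create_profile
    add_endpoint emsnode1 emsnode1-pip 1
    add_endpoint emsnode2 emsnode2-pip 2
    echo "Fabric connector FQDN: $(tm_fqdn "$DNS_LABEL")"
    echo "Active EMS endpoint: $(list_endpoints | active_endpoint)"
fi
```

Run with `apply` to create the resources; without arguments the script only defines the functions, so `list_endpoints | active_endpoint` can be used on its own after a failover to confirm which node traffic manager is now steering to.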
To configure the Fabric connection between FortiOS and EMS:
- In FortiOS, go to Security Fabric > Fabric Connectors.
- Under FortiClient EMS Settings, in the IP/Domain name field, enter the traffic manager FQDN. The FQDN resolves to the active EMS node's IP address. After EMS failover, the secondary EMS node's status in traffic manager changes from degraded to online, the new active EMS node's IP address is returned, and FortiOS remains connected and authorized. In earlier FortiOS versions, the fully qualified domain name (FQDN) is resolved only once, so the Fabric connector keeps using the same IP address after failover, causing the WebSocket connection to disconnect. FortiOS 7.2.1, 7.0.7, and later versions periodically check whether the FQDN resolves to a new IP address and switch to it after EMS failover.