Auth clients in HA mode

Auth clients in an HA cluster are shared by all members of the cluster. This is to ensure that the cluster members are using the same auth clients to preserve HA functionality. For more information about how to configure HA clusters in the GUI, see the FortiProducts section.

Before creating an HA cluster, make sure that the FortiGates are running the same FortiOS version and that the interfaces are not configured to get their addresses from DHCP or PPPoE. Also, switch ports cannot be used as HA heartbeat interfaces; if necessary, convert switch ports to individual interfaces first.

Configuring the primary FortiGate

  1. On the primary FortiGate, go to System > Settings and change the Host name to identify it as the primary FortiGate in the HA cluster.

  2. Go to System > HA and set the Mode to Active-Passive. Set the Device priority to a higher value than the default (in the example, 250) to ensure that this FortiGate will always be the primary FortiGate. Also, set the group name and password.

  3. Make sure you select the Heartbeat interfaces (in the example, the dedicated HA port if the model has one; the cluster does not have to use port3 or port4).

Single heartbeat interface:

Multiple heartbeat interfaces:

Configuring a backup FortiGate

  1. On the backup FortiGate, go to System > Settings and change the Host name to identify it as the backup FortiGate in the HA cluster.

  2. Go to System > HA and set the Mode to Active-Passive. Set the Device priority to a lower value than the primary (for example, 200) to ensure that this FortiGate will always be the backup FortiGate, only to be activated when the primary FortiGate is down. Also, set the group name and password.

You can use the FTC MFA service with a cluster of auth devices. Both single and multiple auth devices in a cluster are supported. You can add or remove auth devices on the FTC portal. For example, let’s say you have a system admin who maintains multiple auth devices, some of which are FortiGate HA cluster members. The system admin has set one FortiGate cluster member to be a standalone device. The FTC system admin can check whether that standalone FortiGate has been removed from the FTC device cluster. If it still shows up in the cluster because FortiGate and FTC are out of sync, the system admin can remove it manually.
