mturic (Staff)
Article Id 194689
Description
This article describes how to configure a redundant FSSO configuration with a Collector Agent.

Solution
In this scenario two domain controllers are used, DC01 and DC02, and both have the FSSO Collector Agent installed.
By design, only one FSSO collector agent is connected per FortiGate unit at a time.

[Screenshot: FSSO Collector Agent on DC01]

[Screenshot: FSSO Collector Agent on DC02]

The FortiGate configuration is shown below, with differences between firmware versions. Starting from firmware version 6.0.0 onwards, the FSSO configuration was moved from "User & Device" to "Security Fabric". Prior to 6.0, the GUI would show in bold the active Collector Agent IP address. This is not available from 6.0 onward.


Configuration on 5.2, 5.4, 5.6




Configuration on 6.0, 6.2





Simulating a failover

A failover can be simulated by stopping or restarting the FSSO service on the primary Collector Agent, in this example DC01:
[Screenshot: FSSO service stopped on DC01]

The FortiGate then switches to the next FSSO Collector Agent specified in the configuration. On versions prior to 6.0 the switch is visible in the GUI as the bolded IP address of the newly active Collector Agent:

[Screenshot: bolded IP address of the active Collector Agent after failover]

In CLI the configuration is as follows:

# config user fsso
    edit "fsso"
        set server "10.0.0.10"
        set password *********
        set server2 "10.0.0.11"
        set password2 *********
    next
end

Check the FSSO server connection status with the following CLI commands:

# diag debug enable
# diag debug authd fsso server-status

Server Name                          Connection Status     Version               Address
-----------                          -----------------     -------               -------
fsso                                 connected             FSSO 5.0.0278         10.0.0.10
After a failover the Address column changes, so the currently connected Collector Agent can always be identified:
Server Name                          Connection Status     Version               Address
-----------                          -----------------     -------               -------
fsso                                 connected             FSSO 5.0.0278         10.0.0.11
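As an added example, not part of this article or of Fortinet's tooling, the following Python script parses the "diag debug authd fsso server-status" output shown above and reports whether the FortiGate is still on its primary Collector Agent or has failed over; the collector list and sample output are constructed from the values in this article, and the exact column spacing of the output is assumed to match what is shown here.

```python
import re

# Constructed sample: output of "diag debug authd fsso server-status" as shown in
# the article, before (primary) and after (secondary) the simulated failover.
STATUS_BEFORE = """\
Server Name                          Connection Status     Version               Address
-----------                          -----------------     -------               -------
fsso                                 connected             FSSO 5.0.0278         10.0.0.10
"""
STATUS_AFTER = STATUS_BEFORE.replace("10.0.0.10", "10.0.0.11")

# Collectors from "config user fsso" on this page; list order is the preference order
# (server, server2). Assumed values, taken from the article's example.
COLLECTORS = {"fsso": ["10.0.0.10", "10.0.0.11"]}

# One table row: name, status, a version that may contain spaces, then the address.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<status>\S+)\s+(?P<version>.+?)\s{2,}(?P<address>\S+)\s*$"
)


def parse_server_status(text):
    """Parse the status table into {server name: {status, version, address}}."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Server Name", "-----")):
            continue  # skip header and separator lines
        m = ROW.match(line)
        if m:
            rows[m["name"]] = {k: m[k] for k in ("status", "version", "address")}
    return rows


def check_collectors(text, collectors=COLLECTORS):
    """Return one finding per configured FSSO entry: 'ok' when connected to the
    primary, 'failover' when connected to a lower-preference collector,
    'disconnected' when the entry is not connected, 'missing' when it is absent."""
    status = parse_server_status(text)
    findings = {}
    for name, addrs in collectors.items():
        row = status.get(name)
        if row is None:
            findings[name] = ("missing", None)
        elif row["status"] != "connected":
            findings[name] = ("disconnected", row["address"])
        elif row["address"] == addrs[0]:
            findings[name] = ("ok", row["address"])
        else:
            findings[name] = ("failover", row["address"])
    return findings
```

A "failover" finding on a FortiGate that is expected to sit on DC01 is worth alerting on, since the article notes that user information can differ between collectors if they are not kept identical.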

Note:
The user databases on all Collector Agents, and the configuration used to build them (monitored events, monitored DCs), must be the same.
DC Agents and TS Agents pointing to the Collector Agent MUST point to all configured Collector Agents.
This applies to a FortiAuthenticator in the collector role as well.

If there is a failover from one Collector Agent to another and the user information differs between them, then, apart from the cause of the failover itself, production may be impacted because some users suddenly become unknown to the FortiGate.
