Firmware upgrade
When upgrading the firmware on FortiAuthenticator devices in an HA cluster, specific steps must be taken to ensure that the upgrade is successful:
- Start the firmware upgrade on the active, or master, device. See Upgrading the firmware on page 17. The device will reboot. While the master device is rebooting, the standby, or slave, device becomes the master.
- Start the firmware upgrade on the new master device. The device will reboot.
Once both devices have rebooted, the original master device will again be the master, while the slave device will return to being the slave.
If a situation arises where both devices are claiming to be the HA master due to a firmware mismatch, and the HA port of the device that is intended to be the slave cannot be accessed (such as when a crossover cable is being used), use the following steps:
- Shut down the master device to which you have access or, if physical access to the unit is not available to power it back on, reboot the device. See System Information widget on page 25.
Note that, if rebooting the device, Step 2 must be completed before the device finishes rebooting, which can take as little as 30 seconds.
- With the previously inaccessible device now accessible, upgrade its firmware to the required version so that both devices have the same version. The device will reboot.
- If you shut down the device in Step 1, power it back on.
Once both devices are back online, they will assume the HA roles dictated by their respective HA priorities.
Firmware
The FortiAuthenticator firmware can be upgraded by either going to System > Administration > Firmware, or through the System Information widget of the dashboard (see System Information widget on page 25).
For instructions on upgrading the device’s firmware, see Upgrading the firmware on page 17.
Upgrade history
The upgrade history of the device is shown under the Upgrade History heading in the Firmware Upgrade or Downgrade pane. It displays the version that was upgraded to, the time and date that the upgrade took place, and the user that performed the upgrade. This information can be useful when receiving support to identify incorrect upgrade paths that can cause stability issues.
Always review all sections in the FortiAuthenticator Release Notes prior to upgrading your device.
Automatic backup
You can configure the FortiAuthenticator to automatically back up the configuration of the FortiAuthenticator unit to an FTP or SFTP server.
Even though the backup file is encrypted, access to the FTP server should be restricted; prefer an SFTP server where possible, since plain FTP sends both the login credentials and the backup file in cleartext. This configuration file backup includes both the CLI and GUI configurations of the FortiAuthenticator unit. The backed-up information includes users, user groups, the FortiToken device list, the authentication client list, the LDAP directory tree, FSSO settings, remote LDAP and RADIUS servers, and certificates.
To configure automatic backups, go to System > Administration > Config Auto-backup.
Enter the following information, and then select OK to apply the settings:
Enable configuration autobackup | Enable automatic configuration backups. |
Frequency | Select the automatic backup frequency, one of: Hourly, Daily, Weekly, or Monthly. |
Backup time | Enter a time for the backups to occur, or select the clock icon and select from the drop-down menu. You can also select Now to set the scheduled time to the current time. This option is not available when the frequency is set to Hourly. |
FTP directory | Enter the FTP directory where the backup configuration files will be saved. |
FTP server | Select the FTP server to which the backup configuration files will be saved. See FTP servers on page 44 for information on adding FTP servers. |
Secondary FTP server | Select a secondary FTP server. |
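The guide asks for restricted access to the server that receives the backups and lets you pick a backup frequency, but it gives no way to confirm that backups keep arriving or that the drop directory is actually locked down. The following is an added example (not code from the FortiAuthenticator guide or from Fortinet) of a server-side check that a monitoring job could run on the FTP/SFTP host. The file names, directory layout and the slack allowed per frequency are assumptions; only the frequency values (Hourly, Daily, Weekly, Monthly) come from the guide, and the sample directory is constructed by the script itself.

```python
"""Check a FortiAuthenticator config auto-backup drop directory on the server side.

Added example; not code from the FortiAuthenticator guide or from Fortinet.
It answers two questions the guide raises: is the newest backup as recent as
the configured frequency requires, and is the directory locked down so that
only the receiving account can read the files. File names, layout and the
slack per frequency are assumptions; only the frequency values come from the
guide.
"""
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Maximum acceptable age of the newest backup per frequency (assumed slack so
# a run that finishes a little late is not reported as missing).
MAX_AGE_SECONDS = {
    "Hourly": 2 * 3600,
    "Daily": 26 * 3600,
    "Weekly": 8 * 86400,
    "Monthly": 32 * 86400,
}

# Permission bits that must be clear: nothing for group or others.
EXPOSED_MASK = stat.S_IRWXG | stat.S_IRWXO


def newest_backup(directory: Path) -> Optional[Tuple[Path, float]]:
    """Return (path, mtime) of the most recently modified regular file, or None."""
    files = [p for p in directory.iterdir() if p.is_file()]
    if not files:
        return None
    newest = max(files, key=lambda p: p.stat().st_mtime)
    return newest, newest.stat().st_mtime


def backup_overdue(directory: Path, frequency: str, now: Optional[float] = None) -> bool:
    """True if no backup exists or the newest one is older than the frequency allows."""
    if frequency not in MAX_AGE_SECONDS:
        raise ValueError(f"unknown frequency {frequency!r}")
    found = newest_backup(directory)
    if found is None:
        return True
    now = time.time() if now is None else now
    return now - found[1] > MAX_AGE_SECONDS[frequency]


def exposed_files(directory: Path) -> List[str]:
    """Return the directory itself and any file readable by group or others.

    The backup is encrypted, but the guide still asks for restricted access:
    the target state is 0o600 files inside a 0o700 directory.
    """
    bad = []
    if directory.stat().st_mode & EXPOSED_MASK:
        bad.append(str(directory))
    for p in sorted(directory.iterdir()):
        if p.is_file() and p.stat().st_mode & EXPOSED_MASK:
            bad.append(p.name)
    return bad


def audit(directory: str, frequency: str, now: Optional[float] = None) -> Dict[str, object]:
    """Combine both checks into one result a monitoring job can act on."""
    d = Path(directory)
    return {"overdue": backup_overdue(d, frequency, now), "exposed": exposed_files(d)}


def build_sample() -> Tuple[str, float]:
    """Create a constructed drop directory: two backups, one 3 hours old and one
    3 days old, in a directory that was left world-readable. Returns (path, now)."""
    tmp = tempfile.mkdtemp(prefix="fac-backup-")
    d = Path(tmp)
    d.chmod(0o755)  # deliberately too open, so the audit has something to flag
    now = time.time()
    for name, age in (("fac-config-old.bak", 3 * 86400), ("fac-config-new.bak", 3 * 3600)):
        p = d / name
        p.write_bytes(b"constructed encrypted backup blob")
        p.chmod(0o600)
        os.utime(p, (now - age, now - age))
    return tmp, now


if __name__ == "__main__":
    sample_dir, sample_now = build_sample()
    print(audit(sample_dir, "Daily", sample_now))   # overdue False, directory exposed
    print(audit(sample_dir, "Hourly", sample_now))  # overdue True
```

Run it as a cron job on the backup server with the real directory and the frequency configured on the FortiAuthenticator; a non-empty `exposed` list or `overdue` set to True is the condition to page on.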
SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can configure the hardware, such as the FortiAuthenticator SNMP agent, to report system information and send traps (alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an application that can read the incoming trap and event messages from the agent, and send out SNMP queries to the SNMP agents.
By using an SNMP manager, you can access SNMP traps and data from any FortiAuthenticator interface configured for SNMP management access. Part of configuring an SNMP manager is listing it as a host in a community on the FortiAuthenticator unit it will be monitoring. Otherwise, the SNMP monitor will not receive any traps from that unit, or be able to query that unit.
The FortiAuthenticator SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers have read-only access to system information through queries and can receive trap messages from the FortiAuthenticator unit. Note that v1 and v2c authenticate the manager only by the community string, which crosses the network in cleartext; where the manager supports it, use an SNMP v3 user with both authentication and encryption enabled.
To monitor FortiAuthenticator system information and receive FortiAuthenticator traps, your SNMP manager needs the Fortinet and FortiAuthenticator Management Information Base (MIB) files. A MIB is a text file that lists the SNMP data objects that apply to the device to be monitored. These MIBs provide information that the SNMP manager needs to interpret the SNMP trap, event, and query messages sent by the FortiAuthenticator unit SNMP agent.
The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of RFC 1213 (MIB II). RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and partial support of User-based Security Model (RFC 3414).
SNMP traps alert you to important events that occur, such as overuse of memory or a high rate of authentication failures.
SNMP fields contain information about the FortiAuthenticator unit, such as CPU usage percentage or the number of sessions. This information is useful for monitoring the condition of the unit on an ongoing basis and to provide more information when a trap occurs.
Configuring SNMP
Before a remote SNMP manager can connect to the Fortinet agent, you must configure one or more interfaces to accept SNMP connections by going to System > Network > Interfaces. Select the interface, and in Administrative Access, select SNMP. See Interfaces on page 30.
You can also set the thresholds that trigger various SNMP traps. Note that a setting of zero disables the trap.
To configure SNMP settings:
- Go to System > Administration > SNMP.
- Enter the following information:
SNMP Contact | Enter the contact information for the person responsible for this FortiAuthenticator unit. |
SNMP Description | Enter descriptive information about the FortiAuthenticator unit. |
SNMP Location | Enter the physical location of the FortiAuthenticator unit. |
User Table Nearly Full Trap Threshold | The user table is nearly full. The threshold is a percentage of the maximum permitted number of users. |
User Group Table Nearly Full Trap Threshold | The user group table is nearly full. The threshold is a percentage of the maximum permitted number of user groups. |
RADIUS Auth Client Table Nearly Full Trap Threshold | The RADIUS authentication client table is nearly full. The threshold is a percentage of the maximum permitted number of RADIUS clients. |
Auth Event Rate Over Limit Trap Threshold | High authentication load. The threshold is the number of authentication events over a 5-minute period. |
Auth Failure Rate Over Limit Trap Threshold | High rate of authentication failure. The threshold is the number of authentication failures over a 5-minute period. |
CPU Utilization Trap Threshold (%) | High load on CPU. Default 90%. |
Memory Utilization Trap Threshold (%) | Too much memory used. Default 90%. |
- Select OK to apply the changes.
To create a new SNMP community:
- Go to System > Administration > SNMP.
- Select Create New under SNMP v1/v2c. The Create New SNMP V1/v2c window opens.
- Enter the following information in the SNMPv1/v2c section:
Community | The name of the SNMP community. |
Events | Select the events for which traps are enabled. Options include:
  - CPU usage is high
  - Memory is low
  - Interface IP is changed
  - Auth users threshold exceeded
  - Auth group threshold exceeded
  - Radius NAS threshold exceeded
  - Auth event rate threshold exceeded
  - Auth failure rate threshold exceeded
  - User lockout detected
  - HA status is changed |
- In SNMP Hosts, select Add another SNMP Host and enter the following information:
IP/Netmask | Enter the IP address and netmask of the host. |
Queries | Select if this host uses queries. |
Traps | Select if this host uses traps. |
Delete | Select to delete the host. |
- Select OK to create the new SNMP community.
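The events above are the only signal a manager receives, and several of them (authentication failure rate, user lockout, HA status change, interface IP change) matter more to a SOC than to a capacity dashboard. The following is an added example, not code from the FortiAuthenticator guide or from Fortinet, of detection logic run over trap receiver log lines. It assumes a receiver such as snmptrapd writes one line per trap carrying the source address and a text description equal to one of the event names listed above; that line shape and the sample lines are constructed for this example, and only the event names come from the guide.

```python
"""Detection logic over FortiAuthenticator SNMP trap log lines.

Added example; not code from the FortiAuthenticator guide or from Fortinet.
Assumes a trap receiver writes one line per trap with the source address and
a text description equal to one of the guide's event names. The line format
and the sample lines are constructed; only the event names come from the guide.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set

# Event names from the guide, with the triage level a SOC would assign.
SEVERITY = {
    "CPU usage is high": "warning",
    "Memory is low": "warning",
    "Interface IP is changed": "high",               # unexpected on an auth server
    "Auth users threshold exceeded": "warning",
    "Auth group threshold exceeded": "warning",
    "Radius NAS threshold exceeded": "warning",
    "Auth event rate threshold exceeded": "warning",
    "Auth failure rate threshold exceeded": "high",  # password spraying or brute force
    "User lockout detected": "high",
    "HA status is changed": "high",
}

# Constructed line shape: "<timestamp> <source-ip> TRAP: <event name>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\d{1,3}(?:\.\d{1,3}){3}) TRAP: (?P<event>.+?)\s*$")

# Constructed sample: one FortiAuthenticator at 10.0.0.5 plus noise.
SAMPLE_LINES = [
    "2024-05-01T10:00:01 10.0.0.5 TRAP: CPU usage is high",
    "2024-05-01T10:02:00 10.0.0.5 TRAP: Auth failure rate threshold exceeded",
    "2024-05-01T10:07:00 10.0.0.5 TRAP: Auth failure rate threshold exceeded",
    "2024-05-01T10:07:30 10.0.0.5 TRAP: User lockout detected",
    "2024-05-01T10:09:00 10.0.0.5 TRAP: HA status is changed",
    "2024-05-01T10:10:00 192.0.2.99 TRAP: Memory is low",
    "2024-05-01T10:11:00 10.0.0.5 TRAP: Some new event",
    "this line is not a trap",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'ts', 'src', 'event'} for a well-formed line, else None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def triage(lines: Iterable[str], known_agents: Set[str]) -> Dict[str, object]:
    """Classify trap lines. known_agents holds the FortiAuthenticator addresses.

    v1/v2c traps are unauthenticated UDP, so a trap from any other source is
    recorded as misconfiguration or spoofing rather than trusted as data.
    """
    result = {"alerts": [], "unparsed": 0, "unexpected_source": [], "counts": Counter()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            result["unparsed"] += 1
            continue
        if rec["src"] not in known_agents:
            result["unexpected_source"].append(rec["src"])
            continue
        sev = SEVERITY.get(rec["event"], "unknown")  # unknown names mean the MIB changed
        result["counts"][rec["event"]] += 1
        if sev in ("high", "unknown"):
            result["alerts"].append((sev, rec["src"], rec["event"]))
    return result


def sustained_failures(lines: Iterable[str], known_agents: Set[str], min_traps: int = 2) -> List[str]:
    """Agents that raised the auth-failure-rate trap at least min_traps times.

    Each trap already covers a 5-minute window, so repeats mean the failure
    rate stayed above the threshold instead of spiking once.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["src"] in known_agents and rec["event"] == "Auth failure rate threshold exceeded":
            hits[rec["src"]] += 1
    return sorted(src for src, n in hits.items() if n >= min_traps)


if __name__ == "__main__":
    r = triage(SAMPLE_LINES, {"10.0.0.5"})
    for alert in r["alerts"]:
        print(alert)
    print("unexpected sources:", r["unexpected_source"], "unparsed:", r["unparsed"])
    print("sustained failures from:", sustained_failures(SAMPLE_LINES, {"10.0.0.5"}))
```

The source-address check is the part worth keeping even if the line format differs in your receiver: because the guide's community hosts are the only addresses that should ever send traps, anything else arriving at the trap port is itself a finding.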
To create a new SNMP user:
- Go to System > Administration > SNMP.
- Select Create New under SNMP v3. The Create New SNMP V3 window opens.
- Enter the following information in the General section:
Username | The name of the SNMP user. |
Security Level | Select the security level from the drop-down list:
  - None: no authentication or encryption
  - Authentication only: select the Authentication method, then enter the authentication key in the Authentication key field
  - Encryption and authentication: select the Authentication method, enter the authentication key in the Authentication key field, then select the Encryption method and enter the encryption key in the Encryption key field. |
Events | Select the events for which traps are enabled. See Events on page 41. |
- In SNMP Notification Hosts, select Add another SNMP Notification Host and enter the following information:
IP/Netmask | Enter the IP address and netmask of the notification host. |
Delete | Select to delete the notification host. |
- Select OK to create the new SNMP V3 user.
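The two procedures above (v1/v2c communities and v3 users) leave the security decisions to whoever fills in the dialogs: a community named "public" with a wide netmask, or a v3 user at security level None or Authentication only, is accepted without complaint. The following is an added example, not code from the FortiAuthenticator guide or from Fortinet, that audits a representation of those settings and shows a weak configuration beside its hardened form. The dict layout, the sample configurations and the method names (MD5, SHA, DES, AES) are assumptions; the guide does not say which authentication or encryption methods the dialogs offer.

```python
"""Audit FortiAuthenticator SNMP communities and v3 users for weak settings.

Added example; not code from the FortiAuthenticator guide or from Fortinet.
The input mirrors the dialog fields above (Community with SNMP Hosts holding
IP/Netmask, Queries and Traps; Username, Security Level, Authentication
method, Encryption method and Notification Hosts). Layout, samples and the
method names are assumptions.
"""
import ipaddress
from typing import Dict, List

DEFAULT_COMMUNITIES = {"public", "private"}
WEAK_AUTH = {"MD5"}  # HMAC-MD5-96 from RFC 3414; assumes SHA is also offered
WEAK_PRIV = {"DES"}  # CBC-DES from RFC 3414; assumes AES is also offered


def audit_community(c: Dict) -> List[str]:
    """Findings for one SNMP v1/v2c community."""
    name = c["community"]
    f = []
    if name.lower() in DEFAULT_COMMUNITIES:
        f.append(f"community {name!r}: default community string, trivially guessed")
    for h in c["hosts"]:
        net = ipaddress.ip_network(h["ip_netmask"], strict=False)
        if h.get("queries") and net.num_addresses > 1:
            f.append(f"community {name!r}: query access granted to {net}, not a single manager")
        if h.get("traps") and net.num_addresses > 1:
            f.append(f"community {name!r}: traps sent to network {net}, not a single manager")
    # The community string is the only credential and crosses the wire in cleartext.
    f.append(f"community {name!r}: v1/v2c carries the community string unencrypted; prefer a v3 user")
    return f


def audit_v3_user(u: Dict) -> List[str]:
    """Findings for one SNMP v3 user."""
    name = u["username"]
    lvl = u["security_level"]
    f = []
    if lvl == "None":
        f.append(f"user {name!r}: security level None, queries are neither authenticated nor encrypted")
    elif lvl == "Authentication only":
        f.append(f"user {name!r}: no encryption, query results and trap contents travel in cleartext")
    if lvl != "None" and u.get("auth_method") in WEAK_AUTH:
        f.append(f"user {name!r}: weak authentication method {u['auth_method']}")
    if lvl == "Encryption and authentication" and u.get("enc_method") in WEAK_PRIV:
        f.append(f"user {name!r}: weak encryption method {u['enc_method']}")
    for h in u.get("notification_hosts", []):
        net = ipaddress.ip_network(h["ip_netmask"], strict=False)
        if net.num_addresses > 1:
            f.append(f"user {name!r}: notifications sent to network {net}, not a single manager")
    return f


def audit_config(cfg: Dict) -> List[str]:
    """Run both audits over a config holding 'communities' and 'v3_users' lists."""
    findings = []
    for c in cfg.get("communities", []):
        findings.extend(audit_community(c))
    for u in cfg.get("v3_users", []):
        findings.extend(audit_v3_user(u))
    return findings


# Constructed weak configuration: the shape a first-pass setup often has.
WEAK_CONFIG = {
    "communities": [
        {"community": "public",
         "hosts": [{"ip_netmask": "0.0.0.0/0", "queries": True, "traps": True}]},
    ],
    "v3_users": [
        {"username": "monitor", "security_level": "Authentication only",
         "auth_method": "MD5",
         "notification_hosts": [{"ip_netmask": "10.0.0.0/24"}]},
    ],
}

# Constructed hardened configuration: no v1/v2c community, one v3 user with
# authentication and encryption, and single-host manager addresses.
HARDENED_CONFIG = {
    "communities": [],
    "v3_users": [
        {"username": "monitor", "security_level": "Encryption and authentication",
         "auth_method": "SHA", "enc_method": "AES",
         "notification_hosts": [{"ip_netmask": "10.0.0.20/32"}]},
    ],
}


if __name__ == "__main__":
    for line in audit_config(WEAK_CONFIG):
        print("WEAK:", line)
    print("hardened findings:", audit_config(HARDENED_CONFIG))
```

The per-host netmask checks reflect the guide's own model: each SNMP host entry is meant to name one manager that is allowed to query or receive traps, so a /24 or 0.0.0.0/0 there widens read access to every address in that range.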
To download MIB files:
- Go to System > Administration > SNMP.
- Under FortiAuthenticator SNMP MIB, select the MIB file you need to download, options include the Fortinet Core MIB and the FortiAuthenticator MIB files.
The selected MIB file is downloaded to your computer.
Licensing
FortiAuthenticator-VM works in evaluation mode until it is licensed. In evaluation mode, only a limited number of users can be configured on the system. To expand this capability, a stackable license can be applied to the system to increase both the user count and all other metrics associated with the user count.
When a license is purchased, a registration code is provided. Go to support.fortinet.com and register your device by entering the registration code. You will be asked for the IP address of your FortiAuthenticator unit, and will then be provided with a license key.
Ensure that the IP address specified while registering your unit is configured on one of the device’s network interfaces, then upload the license key to your FortiAuthenticator-VM.
The License Information widget shows the current state of the device license. See License Information widget on page 29.
To license FortiAuthenticator:
- Register your device.
- Ensure that one of your device’s network interfaces is configured to the IP address specified during registration.
- Go to System > Administration > Licensing.
- Select .. and locate, on your local computer, the license file you received from Fortinet.
- Select OK.
Have you seen FortiAuthenticator or FortiGate, for that matter, configured to utilize a third-party SMS authentication (i.e. SMSGlobal) for on-boarding a guest wireless user?
Our wireless is third-party as well and not managed by FortiGate.
We want to require the guest wireless user to enter their phone number, then in turn receive an SMS message with a passcode that they would enter to complete the on-boarding process.
Lots of companies facilitate the SMS piece; however, if it integrates with either the FortiGate or FortiAuthenticator, then I am missing something.
Thanks!!
We have configured FortiGates to utilize other SMS providers (mostly Verizon) for 2FA / authentication means.
Are you referring to 2FA onto the FortiGate itself?
This particular article is discussing the FortiAuthenticator, which is a separate appliance / VM for authentication needs.
We have two FortiAuthenticator VMs; we tried to create HA with a primary-slave configuration. The issue we were facing is that the primary FAC can see the peer device, with the error message "cluster not formed", but on the slave unit it is not showing any peer device; under cluster status it is showing the cluster is formed, but in the peer device section it is showing it is not.
With the help of TAC we could find out that the heartbeat can be seen on the primary FAC by the slave FAC, but the HA heartbeat cannot reach the primary FAC from the slave.
The primary FAC VM is on an ESXi server which is connected to a Cisco fabric switch > Cisco core switch > fabric switch on the other side > slave FAC VM on the other side's ESXi server.
We assigned a separate VLAN for HA connectivity, and that VLAN has been configured on the fabric switch as well as the core, and it is L2 only. So nothing is blocking the heartbeat broadcast between these two FACs, and there is no firewall in between either. Do you have any idea what would be the cause of this issue?