FortiGate Cloud – Multitenancy

Multitenancy

The multitenancy account is a FortiGate Cloud premium account designed for MSSPs. A multitenancy account is a one- or five-year service for an administrator to create and manage multiple subaccounts. It also allows you to move devices between these accounts. You can allocate administrators to each subaccount with full or read-only access, allowing more control over a managed service’s provisioning.

After you activate multitenancy, FortiGate Cloud replaces the default Analysis, Management, and SandBox homepages with the multitenancy Analysis, Management, and SandBox homepages.

You can access management actions from the multitenancy homepage. Some actions are not unique to multitenancy and are described elsewhere in this document. For descriptions of these functions, see Analysis on page 16, Management on page 29, and SandBox on page 35.

To activate multitenancy:

  1. Contact your Fortinet partner or reseller, requesting the following SKU: FCLE-10-FCLD0-161-02-DD. They email you a multitenancy activation code.
  2. In the FortiGate Cloud interface, select the My Account icon.
  3. Under the admin/user list, select Activate multi-tenancy feature.
  4. Enter the activation code, and click Submit.

To configure basic multitenancy:

  1. On the Inventory page, select Import FortiCloud Key or Import Bulk Key to add multiple FortiGate Cloud licenses at once.
  2. On the FortiGate Inventory subpage, select one or multiple devices, and select Deploy to FortiGate Cloud. Select the subaccount for the selected devices and template, if any. You can also select a timezone for the devices.
  3. Click Deploy. The devices are moved to the FortiGate Cloud Deployed

To assign a device to a subaccount on the homepage:

Assigning a device to a new subaccount keeps the device data in FortiGate Cloud, including logs, reports, and configuration backup, and moves this data to the new subaccount. To delete this data, you must undeploy your device from FortiGate Cloud, then assign it to the desired subaccount.

You can assign a device to a different subaccount, including RMA devices.

  1. On the multitenancy homepage, click the Config icon beside the desired device, then click Assign To.
  2. In the Assign To dialog, select the desired subaccount, then click Submit.
  3. In the confirmation dialog, click YES.

To manage subaccounts:

  1. The multitenancy homepage lists subaccounts on the left panel. To manage a subaccount, click the desired subaccount. From the dropdown list, select the desired management action.
  2. On the multitenancy page, click the My Account icon. You can view all accounts associated with this FortiGate Cloud. Use the dropdown list to view Global, SubAccount, or All Users. You can see in this dialog that users have different roles. For descriptions of the roles, see User roles on page 44.
  3. Click the Edit icon for the desired account.
  4. In the My Account > Edit User dialog, for Manage Sub Account, select Selected. Select the desired subaccounts for this user to manage.

User roles

The multitenancy account includes different user roles. You can view users and their roles by clicking the My Account icon.

| User role | Description |
| --- | --- |
| Admin (All) | Administrator who can access devices under all subaccounts. |
| Admin (1) | Administrator who can only access devices under the one subaccount that is assigned to them, including the assigned subaccount’s child subaccounts. |
| Regular (All) | Regular user who has view-only access to all subaccounts. |
| Regular (1) | Regular user who has view-only access to the one subaccount that is assigned to them, including the assigned subaccount’s child subaccounts. |

Admin (All)

The Admin (All) user can view and access all subgroups on the left pane, and use Management functions.

Admin (1)

The Admin (1) user can only access devices under the one subaccount assigned to them (and any child subaccounts), as shown in the left pane. They can access Management functions.

Regular (All)

The Regular (All) user has view-only access to all subgroups, but has no access to Management functions.

Regular (1)

The Regular (1) user has view-only access to devices under the subaccount assigned to them (and any child subaccounts), as shown in the left pane. In this example, the user is assigned access to the sub_2 subaccount, which means they can also view devices assigned to the sub_2_a and sub_2_b subaccounts, which are children of the sub_2 subaccount. The Regular (1) user cannot access Management functions.
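The role scoping described above, as an added example (not FortiGate Cloud code and not part of the original guide): a local model that computes each user's effective access to a device, which is useful when reviewing role assignments for least privilege. The subaccount tree reuses the page's sub_2 example; sub_1, the user names, the serial numbers, and all function names are constructed for illustration.

```python
# Added illustration: a local model of the four multitenancy roles described
# above. It is not FortiGate Cloud code and calls no Fortinet API.
from dataclasses import dataclass
from typing import Optional

# Constructed subaccount tree (child -> parent), using the page's sub_2 example.
PARENT = {"sub_1": None, "sub_2": None, "sub_2_a": "sub_2", "sub_2_b": "sub_2"}

# Role -> (scope, may use Management functions), per the User roles table.
ROLES = {"Admin (All)": ("all", True), "Admin (1)": ("one", True),
         "Regular (All)": ("all", False), "Regular (1)": ("one", False)}

@dataclass
class User:
    name: str
    role: str
    subaccount: Optional[str] = None  # only meaningful for the "(1)" roles

def in_subtree(sub, root):
    """True if sub is root itself or a descendant of root."""
    while sub is not None:
        if sub == root:
            return True
        sub = PARENT[sub]
    return False

def effective_access(user, device_subaccount):
    """Return 'manage', 'view' or 'none' for a device in device_subaccount."""
    scope, can_manage = ROLES[user.role]
    if scope == "one" and (user.subaccount is None
                           or not in_subtree(device_subaccount, user.subaccount)):
        return "none"  # outside the assigned subaccount and its children
    return "manage" if can_manage else "view"

def audit(users, devices):
    """Map (user, device serial) -> access, for a least-privilege review."""
    return {(u.name, sn): effective_access(u, sub)
            for u in users for sn, sub in devices.items()}

# Constructed users and device placements (hypothetical serial numbers).
USERS = [User("alice", "Admin (All)"), User("bob", "Admin (1)", "sub_2_a"),
         User("carol", "Regular (All)"), User("dave", "Regular (1)", "sub_2")]
DEVICES = {"SN-0001": "sub_1", "SN-0002": "sub_2", "SN-0003": "sub_2_a",
           "SN-0004": "sub_2_b"}

if __name__ == "__main__":
    for key, access in sorted(audit(USERS, DEVICES).items()):
        print(key, access)
```

In this model a user scoped to a child subaccount (bob on sub_2_a) gets no access to devices in the parent sub_2, while a user scoped to sub_2 (dave) reaches both children.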

Group management

Multitenancy also enables group management actions. You can apply actions to a group of FortiGate and FortiWifi devices, simplifying administrative tasks.

Some group management actions require that you enable management on the selected device. See Management on page 29.

You can access group management actions from the Analysis and Management homepages when multitenancy is enabled.

Some actions are not unique to group management and are described elsewhere in this document in the context of use on a single device; multitenancy simply offers the ability to apply the action to multiple devices. For descriptions of these functions, see the following topics:

| Action | Reference |
| --- | --- |
| Schedule Report | To schedule a report: on page 25 |
| Deploy Config | To deploy cloud configuration to devices: on page 31 |
| Upgrade Firmware | To upgrade remote device firmware: on page 32 |
| Run Script | To execute a script on a remote device: on page 33 |
| Set Auto Backup | To enable auto backup: on page 31 |
| Manage Report Configs | Reports on page 24 |
| Manage Scripts | Script on page 33 |

The following describes actions exclusive to group management:

To view group task status:

You can view the current status of group management actions.

  1. On the Management homepage, click Group Management > Task Status. The Group Task Status displays the group management actions and their statuses. You can click # devices beside the task type to view the devices that the group management action was applied to.

Templates

You can create device configuration templates and deploy different templates to applicable devices to simplify device management. FortiGate Cloud applies the template to the selected devices.

To create a template:

  1. On the Management homepage, click Group Management > Manage Templates.
  2. Click Create Template.
  3. In the Name field, enter the desired template name.
  4. In the Description field, enter the desired template description.
  5. For Create template based on, select one of the following:

     | Option | Description |
     | --- | --- |
     | In-cloud config copy of sampling device | Create a template based on a sample device that has already been added to FortiGate Cloud. Select the desired device from the dropdown list. Only devices from the subaccount selected in Sub Account are available. |
     | Platform and version | Create a template based on a specific FortiGate or FortiWifi platform and FortiOS version. |
     | Config file | Create a template based on a configuration file. You must upload a .conf file. |

  6. For Feature set, select the desired features.
  7. For Sub Account, select the desired sub account for this template.
  8. Click Apply.

To apply a template to devices:

  1. On the Management homepage, select the desired devices.
  2. Click Group Management > Use Templates.
  3. In the Use Templates dialog, select the desired template. The dialog only shows templates applicable for the current selected devices.
  4. Click Apply. FortiGate Cloud applies the template to the selected devices.

To revoke templates from devices:

  1. On the Management homepage, select the desired devices.
  2. Click Group Management > Un-use Templates.
  3. Click Apply. FortiGate Cloud revokes the templates from the selected devices.

To edit a template:

  1. On the Management homepage, go to Group Management > Manage Templates.
  2. Click the Edit icon for the desired template.
  3. For a template that has already been applied to devices, you can configure device-specific settings:
    1. Go to the desired configuration page, then expand Device Specific Settings.
    2. Click Create New.
    3. In the New Device Specific Settings dialog, select the desired device’s serial number from the SN dropdown list.
    4. To configure a device-specific setting, enable Override Template Setting, then configure the desired option. Otherwise, FortiGate Cloud applies the template setting to the device. Click OK.

The example configures a device-specific setting for the time zone using Cape Verde Island time, which differs from the template setting, which uses Jerusalem time.

 



About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
