Follow each section below to set up the Azure subscription and roles and to configure Blob Storage in preparation for updating the Azure installation on FortiCWP. If you already completed any of this configuration when the account was first added, you do not need to repeat it.
- Set up a subscription
- Add a role to the subscription
- Add Reader roles to multiple subscriptions simultaneously (optional)
- Set up Blob Storage
- Enable blob log monitoring
- Set up Storage Blob Data Reader
- Update the account on FortiCWP
Make sure the user account that will be added to FortiCWP holds one of the following role combinations before adding the account to FortiCWP:
- Global Administrator role
- Cloud Application Administrator and Global Reader roles
FortiCWP supports all Azure AD license types. However, FortiCWP can only integrate the features that the Azure AD license actually includes. For example, a free Azure AD license does not include the sign-in activity report, so FortiCWP cannot show sign-in activities for a free Azure AD account.
Once your Azure license is ready, you need a subscription ID to use FortiCWP. If you do not have a subscription yet, follow these steps:
- Log in to the Azure portal with your Azure account.
- Search for and click Subscriptions.
- Click the +Add button to add a subscription.
- Select the subscription offer you want and complete the remaining billing steps.
Note: You need at least a "Pay-As-You-Go" subscription to use FortiCWP.
Add a Reader, Owner, or User Access Administrator role on the subscription that is going to be added to FortiCWP. The purpose is to give FortiCWP read access to the resources under the subscription. Reader is sufficient for that purpose; Owner and User Access Administrator also work, but they grant the account far broader rights (including the ability to change role assignments on the subscription), so prefer Reader unless the account needs those rights for another reason.
- Search for and click Subscriptions.
- Click the subscription that is going to be used with FortiCWP.
- In the subscription menu, click Access control (IAM).
- Click + Add and select "Add role assignment".
- In the Add role assignment pane, click Select a role and choose Reader, Owner, or User Access Administrator.
- Leave Assign access to as "User, group, or service principal".
- In the Select field, search for and select the member (user account) that will be associated with the role.
- Click Save to finish creating the role assignment.
Note: The user account must have the Global Administrator role, or the Cloud Application Administrator and Global Reader roles, as stated in the role requirement above.
To add multiple subscriptions to FortiCWP with one user account at the same time, follow these steps to give that account read access to all of them. If the user account already has the Global Administrator role, only perform the sixth through ninth steps (log in as that user, open Azure Active Directory, open Properties, and enable Access management for Azure resources).
- Log in to the Azure portal as the master account user.
- In the search field, search for and click "Users".
- Click the user that will be used when adding the subscriptions to FortiCWP.
- In the middle Profile navigation menu, click Assigned roles.
- Click +Add assignments to add the Global Reader role and the Global Administrator role to the user. (The Global Administrator role will be removed later.)
- Log out of the master account user and log back in as the user to whom the new roles were assigned.
- Search for and click "Azure Active Directory".
- In the middle Azure Active Directory navigation menu, click Properties.
- Under Access management for Azure resources, click Yes, then click Save. This is the Azure "elevate access" switch: it grants the user the User Access Administrator role at the root scope of the tenant, which lets the user manage access on every subscription under the Azure account. It is only available to a Global Administrator, which is why that role was assigned temporarily.
- Log out of the user account and log back in as the master account.
- Repeat the second through fourth steps above (open Users, select the user, open Assigned roles) and remove the Global Administrator role.
The user account can now grant itself Reader access on every subscription in the tenant, so you can add multiple Azure subscriptions at the same time. Note that the root-scope User Access Administrator assignment created by the elevate-access switch is not removed when the Global Administrator role is removed; it stays in place until it is explicitly deleted, so review it once the subscriptions have been added to FortiCWP.
A storage account with blob log monitoring enabled is required for the FortiCWP Azure installation. If you do not have a storage account yet, follow the steps below to create one:
- From the portal page, search for and click Storage accounts.
- Click +Create to create a storage account.
- Under Basics, in the Subscription field, make sure you select the subscription that matches the subscription ID you will use with FortiCWP.
- In the Resource group field, select a resource group of your choice or create a new one.
- In the Storage account name field, enter an account name of your choice.
- Click Review + create. Once validation passes, click Create.
Once the storage account is created, enable blob log monitoring:
- Select the storage account of interest.
- From the left menu, select Monitoring (classic) > Diagnostic settings.
- Turn diagnostic logs On. Under Blob properties, enable Read, Write, and Delete under Logging.
The last step is to grant the Storage Blob Data Reader role to the Azure AD user. This is required for FortiCWP DLP and virus scanning to read and analyze the data stored in the storage account's blobs, and for integrating Azure cloud traffic into FortiCWP. Note that the Reader role from the earlier step only covers the control plane (resource metadata); Storage Blob Data Reader is the data-plane role that allows blob contents to be read.
- From the Azure portal page, search for and click Subscriptions.
- Select your subscription.
- Select Access control (IAM) and click +Add; the Add role assignment pane opens.
- In the Role field, type and select Storage Blob Data Reader.
- Leave the Assign access to field as Azure AD user, group, or service principal.
- In the Select field, type and select the name or e-mail address of the Azure AD user.
- Click Save to complete granting the role to the Azure AD user.
At the end of this step, confirm that the Azure AD user holds one of the following role combinations on the subscription:
- Reader and Storage Blob Data Reader
- User Access Administrator and Storage Blob Data Reader
- Owner and Storage Blob Data Reader
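The following script is an added example for verifying the role assignment step and this final confirmation from the command line; it is not part of the FortiCWP documentation or Fortinet's tooling. It assumes you have saved the output of `az role assignment list --assignee <user-upn> --scope /subscriptions/<subscription-id> --include-inherited --output json` to a file and checks that the user holds one of the subscription read roles plus Storage Blob Data Reader at subscription (or inherited) scope. The subscription ID, user principal name and the embedded sample JSON are constructed placeholders in the shape of that command's output, not real values.

```python
import json
import sys

# Any one of these gives FortiCWP control-plane read access to the subscription.
SUBSCRIPTION_READ_ROLES = {"Reader", "Owner", "User Access Administrator"}
# Data-plane role FortiCWP needs to read blob contents for DLP and virus scanning.
BLOB_ROLE = "Storage Blob Data Reader"
MG_PREFIX = "/providers/Microsoft.Management/managementGroups/"

# Constructed sample mimicking `az role assignment list ... --output json`.
# Placeholder subscription ID and UPN; not taken from any real tenant.
SAMPLE_SUBSCRIPTION = "00000000-0000-0000-0000-000000000000"
SAMPLE_USER = "forticwp-reader@example.onmicrosoft.com"
SAMPLE_ASSIGNMENTS = json.dumps([
    {"principalName": SAMPLE_USER, "principalType": "User",
     "roleDefinitionName": "Reader",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
    {"principalName": SAMPLE_USER, "principalType": "User",
     "roleDefinitionName": "Storage Blob Data Reader",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}"},
    # Resource-group scoped assignment: does NOT satisfy the subscription-wide requirement.
    {"principalName": SAMPLE_USER, "principalType": "User",
     "roleDefinitionName": "Owner",
     "scope": f"/subscriptions/{SAMPLE_SUBSCRIPTION}/resourceGroups/rg-logs"},
])


def roles_at_subscription(assignments_json, subscription_id, principal):
    """Return the set of role names `principal` holds at the subscription scope
    or at a scope the subscription inherits from (management group or root)."""
    sub_scope = f"/subscriptions/{subscription_id}"
    held = set()
    for a in json.loads(assignments_json):
        if a.get("principalName", "").lower() != principal.lower():
            continue
        scope = a.get("scope", "")
        inherited = scope == "/" or scope.startswith(MG_PREFIX)
        if scope == sub_scope or inherited:
            held.add(a.get("roleDefinitionName", ""))
    return held


def check_forticwp_roles(assignments_json, subscription_id, principal):
    """Evaluate the documented role combination: one subscription read role
    plus Storage Blob Data Reader. Also flags broader-than-needed roles."""
    held = roles_at_subscription(assignments_json, subscription_id, principal)
    read_roles = sorted(held & SUBSCRIPTION_READ_ROLES)
    has_blob = BLOB_ROLE in held
    return {
        "read_roles": read_roles,
        "blob_reader": has_blob,
        "ok": bool(read_roles) and has_blob,
        # Owner / UAA satisfy the requirement but exceed least privilege.
        "over_privileged": sorted(held & {"Owner", "User Access Administrator"}),
    }


def missing_role_commands(result, subscription_id, principal):
    """Return the `az role assignment create` commands that would complete
    the required combination, using Reader as the least-privilege read role."""
    scope = f"/subscriptions/{subscription_id}"
    cmds = []
    if not result["read_roles"]:
        cmds.append(f'az role assignment create --assignee "{principal}" '
                    f'--role "Reader" --scope "{scope}"')
    if not result["blob_reader"]:
        cmds.append(f'az role assignment create --assignee "{principal}" '
                    f'--role "{BLOB_ROLE}" --scope "{scope}"')
    return cmds


if __name__ == "__main__":
    # Usage: python check_roles.py <assignments.json> <subscription-id> <user-upn>
    if len(sys.argv) == 4:
        data = open(sys.argv[1], encoding="utf-8").read()
        sub, user = sys.argv[2], sys.argv[3]
    else:
        data, sub, user = SAMPLE_ASSIGNMENTS, SAMPLE_SUBSCRIPTION, SAMPLE_USER
    res = check_forticwp_roles(data, sub, user)
    print(json.dumps(res, indent=2))
    for cmd in missing_role_commands(res, sub, user):
        print("missing, run:", cmd)
    sys.exit(0 if res["ok"] else 1)
```

The resource-group scoped Owner assignment in the sample is deliberately ignored: FortiCWP needs the roles on the whole subscription, and a narrower assignment is a common reason the update in the next section fails even though the user appears to have the right roles in the portal.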
Once all of the configuration is done, go back to FortiCWP to update the account.
- Log in to FortiCWP with your account and select Workload Protection.
- From the navigation menu, go to ADMIN > Account, click the account's Action column, and select Update Account.
- Review the key configuration summary and click Update Azure Account; you will be redirected to the Azure portal.
- Log in with your Azure account; a permission request page will appear.
- Review the permissions listed and click Accept to grant FortiCWP the permissions requested.
- Azure will prompt you to grant the same permissions three more times, after which you will be redirected back to FortiCWP.