Fortinet white logo
Fortinet white logo
24.3.0

Migrating from FortiGate Cloud legacy multitenancy to FortiCloud Organizations

Migrating from FortiGate Cloud legacy multitenancy to FortiCloud Organizations

The following provides instructions on upgrading from FortiGate Cloud legacy subaccount-based multitenancy to multitenancy with FortiCloud Organizations. The following summarizes the benefits of multitenancy with FortiCloud Organizations over legacy multitenancy:

Feature

Legacy

FortiCloud Organizations

Centralized dashboard

N/A

Centralized dashboard with widgets

Scope

All assets under one FortiCloud account

Works across multiple FortiCloud accounts

Device management

Run firmware upgrades and scripts on multiple devices in one account

Run firmware upgrades and scripts on multiple devices across accounts

Device transfer

N/A

Transfer devices between accounts with data options

Role-based access control

Admin and read-only

Fine-grained permissions

This document provides an example where a FortiGate Cloud legacy multitenancy account has 7 subaccounts that manages 210 devices. The following shows the current subaccount structure and the desired FortiCloud organizational unit (OU) and member account structure after the migration:

FortiGate Cloud subaccount structure

FortiCloud OU and member account structure

All (8)

  • Default (100)
  • Subaccount-1 (60)
    • Customer subaccount 1 (10)
    • Customer subaccount 2 (50)
  • Subaccount-2 (50)
    • Customer subaccount 3 (20)
    • Customer subaccount 4 (30)

MSSP-Org

  • MSSP FortiCloud Account-A (100 devices)
  • OU-1
    • Customer acct-1 (10 devices)
    • Customer acct-2 (50 devices)
  • OU-2
    • Customer acct-3 (20 devices)
    • Customer acct-4 (30 devices)

The following summarizes components in the FortiCloud Organizations structure:

Terminology

Example

Description

OUs

  • MSSP-Org
  • OU-1
  • OU-2

Root organization and child OUs in the organization.

MSSP-Org is created when you create the organization.

OU-1 and OU-2 are sub-OUs created to logically separate operations. For example, you may want to separate operations based on region or office branches.

FortiCloud account

  • MSSP FortiCloud Account-A
  • Customer acct-1
  • Customer acct-2

FortiCloud accounts in the organization.

MSSP FortiCloud Account-A is the FortiCloud account of the MSSP and used for maintaining global inventory.

Customer acct-1 and acct-2 are customer accounts with several Fortinet devices.

MSSP FortiCloud account owner

org-account-owner

FortiCloud account that created and owns the organization. For example, this account may only be able to access MSSP-Org and MSSP FortiCloud Account-A.

MSSP IAM user with full privileges

org-iam-admin

Organization-level admin user with full privileges to access the entire organization. For example, this account can access MSSP-Org, MSSP FortiCloud Account-A, Customer acct-1, and Customer account-2.

Customer IAM user with limited privileges

customer-iam-admin

Organization-level IAM user with specific privileges. You can manage privileges using permission profiles. Can access some customer accounts in the organization. For example, this account may only be able to access Customer acct 1 and Customer 3, customer accounts with several Fortinet devices.

Customer FortiCloud account owner

customer-1-account-owner

Customer FortiCloud account created by customer 1 who joined the organization. For example, this account may only be able to access Customer acct 1, a customer account with several Fortinet devices.

Note

Each subaccount may have:

  • One or more devices
  • One or more admin/regular users with access scope to "All" or a specific subaccount hierarchy

Migration consists of the following general steps:

  • For each high-level subaccount, create an OU. For example, to replace Subaccount-1, create OU-1.
  • For each subaccount with FortiGates, create a new customer FortiCloud account. For example, for Customer subaccount 1, create Customer acct-1.
  • Move the FortiGates to the new customer FortiCloud account. For example, move the ten FortiGates from Customer subaccount 1 to Customer acct-1.
  • For subaccounts without FortiGates, you do not need to create new customer FortiCloud accounts.
Note

The account that creates the organization, MSSP FortiCloud Account-A in this example, is automatically added to the Organization and contains the FortiGates from the default subaccount upon migration.

To migrate from FortiGate Cloud legacy multitenancy to FortiCloud Organizations:
  1. Log in to the desired FortiCloud account, MSSP FortiCloud Account-A in this example. Create an organization. See Creating an organization.
  2. Create the sub-OUs, OU-1 and OU-2 in this example. See Adding and deleting OUs.
  3. Create a customer FortiCloud account for each customer, Customer acct-1 and Customer acct-2 in this example. See Creating new Member Accounts. Select I want to use real email to enable login to the customer account with email/password with full privileges in addition to login via IAM. To set password, customer can use Forget Password during the first-time login.
  4. Configure users and access permissions:
    1. Log in to FortiCloud as MSSP FortiCloud Account-A.
    2. Go to the IAM portal.
    3. Create the necessary Organization permission profiles. See Creating a permission profile. The following provides examples of the profiles configured for this example:

      Profile name

      Permissions

      Description

      full-admin-access

      • Asset Management: Admin
      • FortiGate Cloud: Admin
      • Admin access to the Asset Management portal and FortiGate Cloud
      • No access to other cloud services

      customer-1-fgtc-access

      FortiGate Cloud: Admin

      • Admin access to FortiGate Cloud to view the devices
      • No access to other FortiCloud services

      customer-2-fgtc-asset-access

      • Asset Management: Read- Only
      • FortiGate Cloud: Admin
      • Admin access to FortiGate Cloud to view the devices
      • Read-Only access to asset management
      • No access to other FortiCloud services
    4. Create the necessary IAM users. See Creating a new IAM user. The following provides examples of the users configured for this example:

      IAM username

      OU scope (OU)

      Permission profile

      org-iam-admin

      MSSP-Org

      full-admin-access

      customer1-user

      Customer-1

      customer-1-fgtc-access

      customer2-user

      Customer-2

      customer-2-fgtc-asset-access

      Note

      To map legacy subaccount users to the new OU IAM users, in FortiGate Cloud, go to Settings > Account Setting. Click Export. You can use this to track the association between each subaccount user and its current subaccounts.

  5. Transfer FortiGates to customer accounts:
    1. Log in to FortiGate Cloud. The OU Dashboard displays.
    2. Go to Assets > Asset list.
    3. Select the desired account.
    4. Select the desired devices.
    5. Click Transfer FortiGates.
    6. From the To dropdown list, select the desired account to transfer the device to.
    7. Select the desired data transfer option. If you select Migrate data to new account, the device's configuration backups, existing logs, report instances, and report configurations are migrated to the new account.

Migrating from FortiGate Cloud legacy multitenancy to FortiCloud Organizations

Migrating from FortiGate Cloud legacy multitenancy to FortiCloud Organizations

The following provides instructions on upgrading from FortiGate Cloud legacy subaccount-based multitenancy to multitenancy with FortiCloud Organizations. The following summarizes the benefits of multitenancy with FortiCloud Organizations over legacy multitenancy:

Feature

Legacy

FortiCloud Organizations

Centralized dashboard

N/A

Centralized dashboard with widgets

Scope

All assets under one FortiCloud account

Works across multiple FortiCloud accounts

Device management

Run firmware upgrades and scripts on multiple devices in one account

Run firmware upgrades and scripts on multiple devices across accounts

Device transfer

N/A

Transfer devices between accounts with data options

Role-based access control

Admin and read-only

Fine-grained permissions

This document provides an example where a FortiGate Cloud legacy multitenancy account has 7 subaccounts that manages 210 devices. The following shows the current subaccount structure and the desired FortiCloud organizational unit (OU) and member account structure after the migration:

FortiGate Cloud subaccount structure

FortiCloud OU and member account structure

All (8)

  • Default (100)
  • Subaccount-1 (60)
    • Customer subaccount 1 (10)
    • Customer subaccount 2 (50)
  • Subaccount-2 (50)
    • Customer subaccount 3 (20)
    • Customer subaccount 4 (30)

MSSP-Org

  • MSSP FortiCloud Account-A (100 devices)
  • OU-1
    • Customer acct-1 (10 devices)
    • Customer acct-2 (50 devices)
  • OU-2
    • Customer acct-3 (20 devices)
    • Customer acct-4 (30 devices)

The following summarizes components in the FortiCloud Organizations structure:

Terminology

Example

Description

OUs

  • MSSP-Org
  • OU-1
  • OU-2

Root organization and child OUs in the organization.

MSSP-Org is created when you create the organization.

OU-1 and OU-2 are sub-OUs created to logically separate operations. For example, you may want to separate operations based on region or office branches.

FortiCloud account

  • MSSP FortiCloud Account-A
  • Customer acct-1
  • Customer acct-2

FortiCloud accounts in the organization.

MSSP FortiCloud Account-A is the FortiCloud account of the MSSP and used for maintaining global inventory.

Customer acct-1 and acct-2 are customer accounts with several Fortinet devices.

MSSP FortiCloud account owner

org-account-owner

FortiCloud account that created and owns the organization. For example, this account may only be able to access MSSP-Org and MSSP FortiCloud Account-A.

MSSP IAM user with full privileges

org-iam-admin

Organization-level admin user with full privileges to access the entire organization. For example, this account can access MSSP-Org, MSSP FortiCloud Account-A, Customer acct-1, and Customer account-2.

Customer IAM user with limited privileges

customer-iam-admin

Organization-level IAM user with specific privileges. You can manage privileges using permission profiles. Can access some customer accounts in the organization. For example, this account may only be able to access Customer acct 1 and Customer 3, customer accounts with several Fortinet devices.

Customer FortiCloud account owner

customer-1-account-owner

Customer FortiCloud account created by customer 1 who joined the organization. For example, this account may only be able to access Customer acct 1, a customer account with several Fortinet devices.

Note

Each subaccount may have:

  • One or more devices
  • One or more admin/regular users with access scope to "All" or a specific subaccount hierarchy

Migration consists of the following general steps:

  • For each high-level subaccount, create an OU. For example, to replace Subaccount-1, create OU-1.
  • For each subaccount with FortiGates, create a new customer FortiCloud account. For example, for Customer subaccount 1, create Customer acct-1.
  • Move the FortiGates to the new customer FortiCloud account. For example, move the ten FortiGates from Customer subaccount 1 to Customer acct-1.
  • For subaccounts without FortiGates, you do not need to create new customer FortiCloud accounts.
Note

The account that creates the organization, MSSP FortiCloud Account-A in this example, is automatically added to the Organization and contains the FortiGates from the default subaccount upon migration.

To migrate from FortiGate Cloud legacy multitenancy to FortiCloud Organizations:
  1. Log in to the desired FortiCloud account, MSSP FortiCloud Account-A in this example. Create an organization. See Creating an organization.
  2. Create the sub-OUs, OU-1 and OU-2 in this example. See Adding and deleting OUs.
  3. Create a customer FortiCloud account for each customer, Customer acct-1 and Customer acct-2 in this example. See Creating new Member Accounts. Select I want to use real email to enable login to the customer account with email/password with full privileges in addition to login via IAM. To set password, customer can use Forget Password during the first-time login.
  4. Configure users and access permissions:
    1. Log in to FortiCloud as MSSP FortiCloud Account-A.
    2. Go to the IAM portal.
    3. Create the necessary Organization permission profiles. See Creating a permission profile. The following provides examples of the profiles configured for this example:

      Profile name

      Permissions

      Description

      full-admin-access

      • Asset Management: Admin
      • FortiGate Cloud: Admin
      • Admin access to the Asset Management portal and FortiGate Cloud
      • No access to other cloud services

      customer-1-fgtc-access

      FortiGate Cloud: Admin

      • Admin access to FortiGate Cloud to view the devices
      • No access to other FortiCloud services

      customer-2-fgtc-asset-access

      • Asset Management: Read- Only
      • FortiGate Cloud: Admin
      • Admin access to FortiGate Cloud to view the devices
      • Read-Only access to asset management
      • No access to other FortiCloud services
    4. Create the necessary IAM users. See Creating a new IAM user. The following provides examples of the users configured for this example:

      IAM username

      OU scope (OU)

      Permission profile

      org-iam-admin

      MSSP-Org

      full-admin-access

      customer1-user

      Customer-1

      customer-1-fgtc-access

      customer2-user

      Customer-2

      customer-2-fgtc-asset-access

      Note

      To map legacy subaccount users to the new OU IAM users, in FortiGate Cloud, go to Settings > Account Setting. Click Export. You can use this to track the association between each subaccount user and its current subaccounts.

  5. Transfer FortiGates to customer accounts:
    1. Log in to FortiGate Cloud. The OU Dashboard displays.
    2. Go to Assets > Asset list.
    3. Select the desired account.
    4. Select the desired devices.
    5. Click Transfer FortiGates.
    6. From the To dropdown list, select the desired account to transfer the device to.
    7. Select the desired data transfer option. If you select Migrate data to new account, the device's configuration backups, existing logs, report instances, and report configurations are migrated to the new account.