Migrating from FortiGate Cloud legacy multitenancy to FortiCloud Organizations
The following provides instructions on upgrading from FortiGate Cloud legacy subaccount-based multitenancy to multitenancy with FortiCloud Organizations. The following summarizes the benefits of multitenancy with FortiCloud Organizations over legacy multitenancy:
Feature |
Legacy |
FortiCloud Organizations |
---|---|---|
Centralized dashboard |
N/A |
Centralized dashboard with widgets |
Scope |
All assets under one FortiCloud account |
Works across multiple FortiCloud accounts |
Device management |
Run firmware upgrades and scripts on multiple devices in one account |
Run firmware upgrades and scripts on multiple devices across accounts |
Device transfer |
N/A |
Transfer devices between accounts with data options |
Role-based access control |
Admin and read-only |
Fine-grained permissions |
This document provides an example where a FortiGate Cloud legacy multitenancy account has 7 subaccounts that manages 210 devices. The following shows the current subaccount structure and the desired FortiCloud organizational unit (OU) and member account structure after the migration:
FortiGate Cloud subaccount structure |
FortiCloud OU and member account structure |
---|---|
All (8)
|
MSSP-Org
|
The following summarizes components in the FortiCloud Organizations structure:
Terminology |
Example |
Description |
---|---|---|
OUs |
|
Root organization and child OUs in the organization. MSSP-Org is created when you create the organization. OU-1 and OU-2 are sub-OUs created to logically separate operations. For example, you may want to separate operations based on region or office branches. |
FortiCloud account |
|
FortiCloud accounts in the organization. MSSP FortiCloud Account-A is the FortiCloud account of the MSSP and used for maintaining global inventory. Customer acct-1 and acct-2 are customer accounts with several Fortinet devices. |
MSSP FortiCloud account owner |
org-account-owner |
FortiCloud account that created and owns the organization. For example, this account may only be able to access MSSP-Org and MSSP FortiCloud Account-A. |
MSSP IAM user with full privileges |
org-iam-admin |
Organization-level admin user with full privileges to access the entire organization. For example, this account can access MSSP-Org, MSSP FortiCloud Account-A, Customer acct-1, and Customer account-2. |
Customer IAM user with limited privileges |
customer-iam-admin |
Organization-level IAM user with specific privileges. You can manage privileges using permission profiles. Can access some customer accounts in the organization. For example, this account may only be able to access Customer acct 1 and Customer 3, customer accounts with several Fortinet devices. |
Customer FortiCloud account owner |
customer-1-account-owner |
Customer FortiCloud account created by customer 1 who joined the organization. For example, this account may only be able to access Customer acct 1, a customer account with several Fortinet devices. |
Each subaccount may have:
|
Migration consists of the following general steps:
- For each high-level subaccount, create an OU. For example, to replace Subaccount-1, create OU-1.
- For each subaccount with FortiGates, create a new customer FortiCloud account. For example, for Customer subaccount 1, create Customer acct-1.
- Move the FortiGates to the new customer FortiCloud account. For example, move the ten FortiGates from Customer subaccount 1 to Customer acct-1.
- For subaccounts without FortiGates, you do not need to create new customer FortiCloud accounts.
The account that creates the organization, MSSP FortiCloud Account-A in this example, is automatically added to the Organization and contains the FortiGates from the default subaccount upon migration. |
To migrate from FortiGate Cloud legacy multitenancy to FortiCloud Organizations:
- Log in to the desired FortiCloud account, MSSP FortiCloud Account-A in this example. Create an organization. See Creating an organization.
- Create the sub-OUs, OU-1 and OU-2 in this example. See Adding and deleting OUs.
- Create a customer FortiCloud account for each customer, Customer acct-1 and Customer acct-2 in this example. See Creating new Member Accounts. Select I want to use real email to enable login to the customer account with email/password with full privileges in addition to login via IAM. To set password, customer can use Forget Password during the first-time login.
- Configure users and access permissions:
- Log in to FortiCloud as MSSP FortiCloud Account-A.
- Go to the IAM portal.
- Create the necessary Organization permission profiles. See Creating a permission profile. The following provides examples of the profiles configured for this example:
Profile name
Permissions
Description
full-admin-access
- Asset Management: Admin
- FortiGate Cloud: Admin
- Admin access to the Asset Management portal and FortiGate Cloud
- No access to other cloud services
customer-1-fgtc-access
FortiGate Cloud: Admin
- Admin access to FortiGate Cloud to view the devices
- No access to other FortiCloud services
customer-2-fgtc-asset-access
- Asset Management: Read- Only
- FortiGate Cloud: Admin
- Admin access to FortiGate Cloud to view the devices
- Read-Only access to asset management
- No access to other FortiCloud services
- Create the necessary IAM users. See Creating a new IAM user. The following provides examples of the users configured for this example:
IAM username
OU scope (OU)
Permission profile
org-iam-admin
MSSP-Org
full-admin-access
customer1-user
Customer-1
customer-1-fgtc-access
customer2-user
Customer-2
customer-2-fgtc-asset-access
To map legacy subaccount users to the new OU IAM users, in FortiGate Cloud, go to Settings > Account Setting. Click Export. You can use this to track the association between each subaccount user and its current subaccounts.
- Transfer FortiGates to customer accounts:
- Log in to FortiGate Cloud. The OU Dashboard displays.
- Go to Assets > Asset list.
- Select the desired account.
- Select the desired devices.
- Click Transfer FortiGates.
- From the To dropdown list, select the desired account to transfer the device to.
- Select the desired data transfer option. If you select Migrate data to new account, the device's configuration backups, existing logs, report instances, and report configurations are migrated to the new account.