Support multi-tenant FortiClient Cloud fabric connectors 7.4.4
This information is also available in the FortiOS 7.4 Administration Guide.
Before this enhancement, a FortiGate could only connect to the FortiClient Cloud instance registered under the root FortiCloud account. FortiGate now supports connecting to a FortiClient Cloud instance registered under a sub-OU in FortiCloud. Furthermore, a FortiGate can override the FortiClient Cloud access key setting on a per-VDOM basis. With these enhancements, a FortiGate can support FortiClient Cloud in multi-tenancy scenarios.
Scope and limitations
- The FortiGate will perform an entitlement check on the registered FortiCloud account to verify that a FortiClient Cloud entitlement exists on the root FortiCloud account. If the FortiGate has no FortiClient Cloud entitlement, you cannot select the FortiClient EMS Cloud type or input an access key.
- Using the FortiClient Cloud access key, a FortiGate can connect to a FortiClient Cloud instance belonging to a sub-OU in the same FortiCloud account or in a different FortiCloud account.
- Within the same VDOM, the FortiGate can have an EMS connector connecting to multiple FortiClient Cloud instances.
CLI syntax
config endpoint-control fctems-override
    edit 1
        set status enable
        set name <name>
        set fortinetone-cloud-authentication enable
        set cloud-authentication-access-key <key>
    next
end
<key> | Enter the access key found in the FortiClient Cloud instance.
For additional EMS related settings, see Configuring FortiClient EMS.
Example
In this example, a FortiGate connects to different FortiClient Cloud instances from the Global EMS connector, the root VDOM, and vdom1.
To connect to different FortiClient Cloud instances:
- Obtain the access key from FortiClient Cloud by going to FortiCloud > FortiClient Cloud.
- Click Access Key and switch to the FortiGate Access Key tab.
- Click Create New Key to generate a new key.
- Repeat this for another FortiClient Cloud instance to be applied to vdom1.
- On the FortiGate with multi-VDOM enabled, configure the Global EMS connector:
config global
    config endpoint-control fctems
        edit 2
            set status enable
            set name "Cloud_EMS_Global"
            set fortinetone-cloud-authentication enable
            set serial-number "FCTEMSXXXXXXXXXX"
            set tenant-id "00000000000000000000000000000000"
        next
    end
end
- Switch to and configure the root VDOM:
config vdom
    edit root
        config endpoint-control settings
            set override enable
        end
        config endpoint-control fctems-override
            edit 1
                set status enable
                set name "cloud_ems_root"
                set fortinetone-cloud-authentication enable
                set cloud-authentication-access-key "XXXXXXXXXXXXXXXXXXXX"
                set serial-number "FCTEMSXXXXXXXXXX"
                set tenant-id "00000000000000000000000000000000"
            next
        end
    next
end
- Repeat the same steps for vdom1:
config vdom
    edit vdom1
        config endpoint-control settings
            set override enable
        end
        config endpoint-control fctems-override
            edit 1
                set status enable
                set name "cloud_vdom1"
                set fortinetone-cloud-authentication enable
                set cloud-authentication-access-key "XXXXXXXXXXXXXXXXXXXX"
                set serial-number "FCTEMSXXXXXXXXXX"
                set tenant-id "00000000000000000000000000000000"
            next
        end
    next
end
Troubleshooting and debugs
From the CLI, run the following commands. A successful connection produces debug output like the following.
# diagnose endpoint filter show-large-data yes
# diagnose debug application fcnacd -1
# diagnose debug enable
…
[ec_ez_worker_base_prep_resolver:382] Outgoing interface index 0 for 1 (cloud_vdom1).
[ec_ez_worker_prep_data_url:190] Full URL: https://sf.00000-XXXXXXXXXXXXXXXXXXXX.fortinet-ca2.fortinet.com/api/v1/system/serial_number
[ec_ez_worker_base_prep_ssl:429] verify peer method: 3, current ssl_cb: (nil), new ssl_cb: 0x55c1163571b0
[ec_ems_context_submit_work:642] Call submitted successfully. obj-id: 0, desc: REST API to get EMS Serial Number., entry: api/v1/system/serial_number.
[__match_server_cert_key:462] verify_peer_method: 3
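As an added example, not part of the FortiOS documentation, the following Python script turns fcnacd debug output of the kind shown above into a per-connector check: it groups the lines by connector name (the name in parentheses on the resolver line), records the FortiClient Cloud host each connector built its URL for and the peer verification method, and reports connectors that never reached the "Call submitted successfully" stage. The sample log is constructed, with placeholder hostnames, IDs and connector names.

```python
import re
from typing import Dict, List

# Constructed sample of `diagnose debug application fcnacd -1` output for two
# connectors. Message formats follow the lines shown on this page; hostnames,
# IDs and connector names are placeholders, and the second connector's block is
# cut short on purpose to show an instance that never submitted its first call.
SAMPLE_DEBUG = """\
[ec_ez_worker_base_prep_resolver:382] Outgoing interface index 0 for 1 (cloud_ems_root).
[ec_ez_worker_prep_data_url:190] Full URL: https://sf.00000-ROOTINSTANCE.fortinet-ca2.fortinet.com/api/v1/system/serial_number
[ec_ez_worker_base_prep_ssl:429] verify peer method: 3, current ssl_cb: (nil), new ssl_cb: 0x55c1163571b0
[ec_ems_context_submit_work:642] Call submitted successfully. obj-id: 0, desc: REST API to get EMS Serial Number., entry: api/v1/system/serial_number.
[ec_ez_worker_base_prep_resolver:382] Outgoing interface index 0 for 1 (cloud_vdom1).
[ec_ez_worker_prep_data_url:190] Full URL: https://sf.00000-VDOM1INSTANCE.fortinet-ca2.fortinet.com/api/v1/system/serial_number
[ec_ez_worker_base_prep_ssl:429] verify peer method: 3, current ssl_cb: (nil), new ssl_cb: 0x55c1163571b0
"""

RESOLVER = re.compile(r"prep_resolver:\d+\] .*\((?P<name>[^)]+)\)\.$")
FULL_URL = re.compile(r"Full URL: https://(?P<host>[^/]+)/")
VERIFY = re.compile(r"verify peer method: (?P<method>\d+)")
SUBMITTED = re.compile(r"Call submitted successfully")

def summarize_connectors(debug_text: str) -> Dict[str, dict]:
    """Group fcnacd debug lines by connector name and record, per connector, the
    FortiClient Cloud host it built its URL for, the peer verification method it
    used, and whether its first REST call was actually submitted."""
    summary: Dict[str, dict] = {}
    current = None
    for line in debug_text.splitlines():
        if m := RESOLVER.search(line):  # each resolver line opens a connector block
            current = m.group("name")
            summary.setdefault(current, {"host": None, "verify_peer": None, "submitted": False})
        elif current is None:
            continue  # lines before the first resolver line belong to no connector
        elif m := FULL_URL.search(line):
            summary[current]["host"] = m.group("host")
        elif m := VERIFY.search(line):
            summary[current]["verify_peer"] = int(m.group("method"))
        elif SUBMITTED.search(line):
            summary[current]["submitted"] = True
    return summary

def unconnected(summary: Dict[str, dict]) -> List[str]:
    """Connectors that resolved an instance but never reached 'Call submitted successfully'."""
    return sorted(name for name, s in summary.items() if not s["submitted"])
```

Feed it the captured output of the three diagnose commands after `diagnose debug enable`; every connector name from `config endpoint-control fctems-override` should appear with `submitted` set to True.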