Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 26.1.a
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Admin Guide

    26.1.a
    26.1.a

    Independent token

    Independent token

    When Multi-Realm Mode is enabled (Settings>Global>Multi-Realm Mode), newly registered applications will be assigned to new realms. This function is very convenient for admin users who are in Managed Security Service Provider (MSSP) business.

    1. FortiGate1 with serial number (FG200ETK1990xxxx) and FortiGate2 with serial number (FG300ETK1990xxxx) are registered under the same FC account.

    2. As long as the realm has enough resources, FIC will automatically create two realms: FG200ETK1990xxxx-root and FG300ETK1990xxxx-root, and FGT1 and FGT2 will be assigned to those two separate realms.

    3. In this case, a user created in FGT1 named “Jack Taylor” is assigned one token, and a user created in FGT2 named “Jack Taylor” is assigned another token. They are two separate users with the same username but use different tokens.

    4. If the two “Jack Taylors” exist in two realms, some events could be confusing. For example, if “Jack Taylor” is deleted from FGT1, the “Jack Taylor” still exists in FIC. This scenario looks like "Jack Taylor" has never been deleted on FGT1. In fact, the “Jack Taylor” is no longer in FGT1, but only exists in FGT2.

    5. Solution: Log into FGT2 and delete “Jack Taylor”. Then execute the console command “exec fortitoken-cloud sync” in FGT. This will remove the user “Jack Taylor” in FIC. After deleting the user in FGT2, assign application FGT1 and application FGT2 to the same realm, for example, the “default” realm. This will prevent the situation from happening.

    Previous
    Next

    Independent token

    Independent token

    When Multi-Realm Mode is enabled (Settings>Global>Multi-Realm Mode), newly registered applications will be assigned to new realms. This function is very convenient for admin users who are in Managed Security Service Provider (MSSP) business.

    1. FortiGate1 with serial number (FG200ETK1990xxxx) and FortiGate2 with serial number (FG300ETK1990xxxx) are registered under the same FC account.

    2. As long as the realm has enough resources, FIC will automatically create two realms: FG200ETK1990xxxx-root and FG300ETK1990xxxx-root, and FGT1 and FGT2 will be assigned to those two separate realms.

    3. In this case, a user created in FGT1 named “Jack Taylor” is assigned one token, and a user created in FGT2 named “Jack Taylor” is assigned another token. They are two separate users with the same username but use different tokens.

    4. If the two “Jack Taylors” exist in two realms, some events could be confusing. For example, if “Jack Taylor” is deleted from FGT1, the “Jack Taylor” still exists in FIC. This scenario looks like "Jack Taylor" has never been deleted on FGT1. In fact, the “Jack Taylor” is no longer in FGT1, but only exists in FGT2.

    5. Solution: Log into FGT2 and delete “Jack Taylor”. Then execute the console command “exec fortitoken-cloud sync” in FGT. This will remove the user “Jack Taylor” in FIC. After deleting the user in FGT2, assign application FGT1 and application FGT2 to the same realm, for example, the “default” realm. This will prevent the situation from happening.

    Previous
    Next