Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Multi-Tenancy Support Guide

    Home FortiSOAR 7.6.0 Multi-Tenancy Support Guide
    7.6.0
    7.6.0
    7.5.0
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.3.1
    7.3.0
    7.2.1
    7.2.0
    7.0.2
    7.0.1
    7.0.0

    Overview of Multi-tenancy support in FortiSOAR

    Overview of Multi-tenancy support in FortiSOAR

    FortiSOAR provides additional features and out-of-the box configuration for a multi-tenant environment, enhancing its native support for multi-tenancy for managed security services providers (MSSPs). The FortiSOAR platform supports multi-tenancy in either of the following forms as well as a hybrid of both forms:

    • Distributed Tenancy support: Used by MSSPs to provide services to remote tenants. In this case, each tenant will have its own FortiSOAR instance that will also automatically communicate to a master FortiSOAR instance having visibility across all the tenants. For more information, see the Distributed Tenancy Support chapter.
    • Shared Tenancy support: Used by master (teams like the SOC team) to provide services to local tenants. In this case, you have only a single FortiSOAR instance, wherein multiple tenants will access a single FortiSOAR instance. For more information, see the Shared Tenancy Support chapter.

    When multi-tenancy is enabled for the FortiSOAR platform, all alerts, incidents, and other forms of records created are associated with a tenant. RBAC and ownership rules applied to each tenant govern who has visibility to which records, thereby restricting visibility of one tenant's records to the other, but at the same time, providing the service provider a single consolidated view across tenants.

    Tenants act like a wrapper that can contain multiple agents, which can connect to various disparate networks and remotely execute action. In the case of dedicated tenants, a default agent is automatically created and added to the dedicated tenant as part of the tenant creation process. In the case of shared tenancy, you do not require to create an agent for that tenant, since everything in case of a shared tenant runs on the master instance only using the master agent. If you require to run some actions on a separate network, then you can add and configure another agent, associate that with the shared tenant. The RBAC of this agent will be controlled by correct team assignment. Further, you can also add multiple agents to both shared and dedicated tenants. For more information on agents and how to run remote actions using agents, see the Segmented Network support in FortiSOAR chapter in the "Administration Guide."

    Licensing for Multi-Tenancy

    For multi-tenancy support, you require a FortiSOAR license that has been enabled for multi-tenancy. Therefore, when you are generating a license in FortiCare, ensure that you generate a license that has multi-tenancy support, i.e., a license with "Edition" set to 'Multi-Tenant' and "Role" set as 'Manager' for a master node (as shown in the following image), 'Tenant (Single user locked)' for a dedicated tenant node and 'Tenant (Multiple user capable)' for organizations having a distributed SOC:
    Master node license page
    For more information about licensing, see the Licensing FortiSOAR chapter in the "Deployment Guide."

    You can deploy the FortiSOAR license using the FortiSOAR Admin CLI (csadm) as follows:

    SSH to your FortiSOAR VM and login as a root user and run the # csadm license --deploy-license <License File Path> command. For more information on csadm, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

    You will see a Multi Tenancy section in your System page by clicking the Settings icon on the top-right corner of FortiSOAR, only if your FortiSOAR license has been enabled for multi-tenancy.

    Note

    After your license is deployed, FortiSOAR runs a Publish on the instance. If during this time, you try to open the FortiSOAR UI, you might see a "Publish In Progress" message. Also, you cannot revert the environment to a non-multitenant environment once you have deployed the license.

    Notes for upgraded multi-tenant configurations

    • You can upgrade a FortiSOAR distributed multi-tenant configuration to 7.6.0 from 7.2.1 or 7.2.2 only. For the upgrade procedure, see the "Upgrade Guide."
    • In case of a distributed deployment, both the master and the tenant nodes must be upgraded. A version mismatch will not work if either of them upgrades to 7.6.0.
    • From version 6.4.1 onwards, each dedicated tenant automatically creates an agent that can be used to remotely execute actions. You can add multiple agents to a tenant, therefore, tenants become a wrapper that can contain various agents that can connect to various disparate networks. For more information on agents, see the Segmented Network support in FortiSOAR chapter in the "Administration Guide."

    Recommended Resource Requirements for Virtual Machines (VM)

    For Master and Tenant

    Recommended Specifications

    • 12 available vCPUs
    • 48 GB available RAM
    • 1 TB available disk space: Recommended to have high-performance storage, preferably SSDs.
    • 1 vNIC

    For Secure Message Exchange

    Recommended Specifications

    • 8 available vCPUs
    • 16 GB available RAM
    • 100 GB available disk space: Recommended to have high-performance storage, preferably SSDs.
    • 1 vNIC

    Architecture

    The overall architecture of the FortiSOAR Distributed Multi-Tenancy Model:

    Architecture of the FortiSOAR Distributed Multi-Tenancy Model

    A brief description of how FortiSOAR supports the Distributed Multi-Tenancy model follows:

    • A master FortiSOAR node is installed and configured at the MSSP (Service Provider) location.
    • A FortiSOAR tenant node is installed and configured for each tenant (customer) location, same as configured for the master node.
      Note: Each of these FortiSOAR installations (both master as well as tenants) are fully functional standalone instances. They are additionally enabled for automatic replication of data between them, and also for remotely executing workflows at the tenant node from the master node itself.
      • Communication between the master and tenant nodes are done over a secure channel using the Secure Message Exchange.
        Each tenant node communicates with the secure message exchange on a dedicated space that is access controlled with credentials that are unique to each tenant.
        The secure message exchange ensures a guaranteed message delivery irrespective of whether the target node is up or not at the time the message is sent. The messages are queued and delivered to the target node once it comes online. This prevents message loss during network disruptions.

    An example: The master FortiSOAR node is monitoring the tenants' FortiSOAR instance, and if for example, the investigation requires to run a playbook to get the reputation of a particular IP address from the tenants' end, then this facility allows the master node to run the playbook remotely at the tenant's end. The playbook will be run at the tenant node, using the tenant's credentials, for the 3rd-party connector for checking the IP reputation, and the remediation actions (if any), specified in the playbook, will also be done on the tenants' end.

    Previous
    Next

    Overview of Multi-tenancy support in FortiSOAR

    Overview of Multi-tenancy support in FortiSOAR

    FortiSOAR provides additional features and out-of-the box configuration for a multi-tenant environment, enhancing its native support for multi-tenancy for managed security services providers (MSSPs). The FortiSOAR platform supports multi-tenancy in either of the following forms as well as a hybrid of both forms:

    • Distributed Tenancy support: Used by MSSPs to provide services to remote tenants. In this case, each tenant will have its own FortiSOAR instance that will also automatically communicate to a master FortiSOAR instance having visibility across all the tenants. For more information, see the Distributed Tenancy Support chapter.
    • Shared Tenancy support: Used by master (teams like the SOC team) to provide services to local tenants. In this case, you have only a single FortiSOAR instance, wherein multiple tenants will access a single FortiSOAR instance. For more information, see the Shared Tenancy Support chapter.

    When multi-tenancy is enabled for the FortiSOAR platform, all alerts, incidents, and other forms of records created are associated with a tenant. RBAC and ownership rules applied to each tenant govern who has visibility to which records, thereby restricting visibility of one tenant's records to the other, but at the same time, providing the service provider a single consolidated view across tenants.

    Tenants act like a wrapper that can contain multiple agents, which can connect to various disparate networks and remotely execute action. In the case of dedicated tenants, a default agent is automatically created and added to the dedicated tenant as part of the tenant creation process. In the case of shared tenancy, you do not require to create an agent for that tenant, since everything in case of a shared tenant runs on the master instance only using the master agent. If you require to run some actions on a separate network, then you can add and configure another agent, associate that with the shared tenant. The RBAC of this agent will be controlled by correct team assignment. Further, you can also add multiple agents to both shared and dedicated tenants. For more information on agents and how to run remote actions using agents, see the Segmented Network support in FortiSOAR chapter in the "Administration Guide."

    Licensing for Multi-Tenancy

    For multi-tenancy support, you require a FortiSOAR license that has been enabled for multi-tenancy. Therefore, when you are generating a license in FortiCare, ensure that you generate a license that has multi-tenancy support, i.e., a license with "Edition" set to 'Multi-Tenant' and "Role" set as 'Manager' for a master node (as shown in the following image), 'Tenant (Single user locked)' for a dedicated tenant node and 'Tenant (Multiple user capable)' for organizations having a distributed SOC:
    Master node license page
    For more information about licensing, see the Licensing FortiSOAR chapter in the "Deployment Guide."

    You can deploy the FortiSOAR license using the FortiSOAR Admin CLI (csadm) as follows:

    SSH to your FortiSOAR VM and login as a root user and run the # csadm license --deploy-license <License File Path> command. For more information on csadm, see the FortiSOAR Admin CLI chapter in the "Administration Guide."

    You will see a Multi Tenancy section in your System page by clicking the Settings icon on the top-right corner of FortiSOAR, only if your FortiSOAR license has been enabled for multi-tenancy.

    Note

    After your license is deployed, FortiSOAR runs a Publish on the instance. If during this time, you try to open the FortiSOAR UI, you might see a "Publish In Progress" message. Also, you cannot revert the environment to a non-multitenant environment once you have deployed the license.

    Notes for upgraded multi-tenant configurations

    • You can upgrade a FortiSOAR distributed multi-tenant configuration to 7.6.0 from 7.2.1 or 7.2.2 only. For the upgrade procedure, see the "Upgrade Guide."
    • In case of a distributed deployment, both the master and the tenant nodes must be upgraded. A version mismatch will not work if either of them upgrades to 7.6.0.
    • From version 6.4.1 onwards, each dedicated tenant automatically creates an agent that can be used to remotely execute actions. You can add multiple agents to a tenant, therefore, tenants become a wrapper that can contain various agents that can connect to various disparate networks. For more information on agents, see the Segmented Network support in FortiSOAR chapter in the "Administration Guide."

    Recommended Resource Requirements for Virtual Machines (VM)

    For Master and Tenant

    Recommended Specifications

    • 12 available vCPUs
    • 48 GB available RAM
    • 1 TB available disk space: Recommended to have high-performance storage, preferably SSDs.
    • 1 vNIC

    For Secure Message Exchange

    Recommended Specifications

    • 8 available vCPUs
    • 16 GB available RAM
    • 100 GB available disk space: Recommended to have high-performance storage, preferably SSDs.
    • 1 vNIC

    Architecture

    The overall architecture of the FortiSOAR Distributed Multi-Tenancy Model:

    Architecture of the FortiSOAR Distributed Multi-Tenancy Model

    A brief description of how FortiSOAR supports the Distributed Multi-Tenancy model follows:

    • A master FortiSOAR node is installed and configured at the MSSP (Service Provider) location.
    • A FortiSOAR tenant node is installed and configured for each tenant (customer) location, same as configured for the master node.
      Note: Each of these FortiSOAR installations (both master as well as tenants) are fully functional standalone instances. They are additionally enabled for automatic replication of data between them, and also for remotely executing workflows at the tenant node from the master node itself.
      • Communication between the master and tenant nodes are done over a secure channel using the Secure Message Exchange.
        Each tenant node communicates with the secure message exchange on a dedicated space that is access controlled with credentials that are unique to each tenant.
        The secure message exchange ensures a guaranteed message delivery irrespective of whether the target node is up or not at the time the message is sent. The messages are queued and delivered to the target node once it comes online. This prevents message loss during network disruptions.

    An example: The master FortiSOAR node is monitoring the tenants' FortiSOAR instance, and if for example, the investigation requires to run a playbook to get the reputation of a particular IP address from the tenants' end, then this facility allows the master node to run the playbook remotely at the tenant's end. The playbook will be run at the tenant node, using the tenant's credentials, for the 3rd-party connector for checking the IP reputation, and the remediation actions (if any), specified in the playbook, will also be done on the tenants' end.

    Previous
    Next