FortiGate Cloud
Matt_B
Staff & Editor
Article Id 381503
Description This article demonstrates a simple FortiGate Cloud Organizations deployment.
Scope FortiGate Cloud 24.3 and later.
Solution

FortiGate Cloud supports the FortiCloud Organizations feature by assigning FortiGate assets to Member Accounts and using IAM administrators to transfer the devices between sub-accounts.


High-level structure:

  • Organization - top level.
  • Parent OU - one Parent OU per Organization, created when the Organization is created.
  • SubOU - zero to many. Used to organize subaccounts and other OUs.
  • Member Account - member of an OU, also called a subaccount. Represents a tenant and may have multiple assigned FortiGates.
  • FortiGate - each FortiGate deployed to FortiGate Cloud is assigned to a Member Account or to the primary account.

Organization IAM users are scoped to a particular OU or subaccount and may access resources at or below their scope.


Example Deployment:


  1. Create an Organization (FortiCloud).

Create an Organization in FortiCloud by following the instructions in FortiCloud - Creating an Organization.

Use the account to which the assets are currently deployed in FortiGate Cloud. Often this is the primary account holder; see Registering the primary FortiCloud account with FortiCare support.

After creating an Organization, the account used appears as the Organization primary account in the Parent OU.


  2. Create subaccounts (FortiCloud).


(Optional) Create one or more SubOUs for more granular account management by following the instructions in FortiCloud - Adding and deleting OUs. These OUs do not hold assets directly but may contain subaccounts or other OUs.

Create a subaccount (Member Account) to represent the managed customer as shown in FortiGate Cloud MSSP Deployment Guide - adding a subaccount. With a FortiCloud Premium license, an existing email ID can be used for new member accounts if required. Otherwise, an ID is autogenerated based on the account name.

Organizations created by a FortiCloud account with a FortiCloud Premium license may have an unlimited number of member accounts. Otherwise, an Organization may have up to ten member accounts. See the article FortiGate Cloud MSSP Deployment Guide - Multitenancy with FortiCloud Organizations.



  3. Create an Organization type IAM user with FortiGate Cloud permissions (FortiCloud).

Create an IAM user following the instructions in FortiCloud Services - Creating an IAM user with Organization permissions.

The Permission Profile should grant FortiGate Cloud read/write permissions; see FortiCloud Services - Creating a permission profile.

The Permission Scope should be set so that the IAM user can interact with the Organization accounts containing the assets. In this example, this is the Parent OU, since all FortiGates were assigned to the primary account.

  4. Log in to FortiGate Cloud Organizations.

Log in to FortiGate Cloud with an Organizations IAM user and select the Parent OU. Selecting an OU is required to log in to FortiGate Cloud Organizations.

If a Member Account is selected instead, the IAM user will be logged in to FortiGate Cloud and will have to perform an 'OU context switch' to switch to the FortiGate Cloud Organizations portal. See the article FortiCloud IAM - OU context switch.

  5. Transfer FortiGates to the new Member Account (FortiGate Cloud Organizations).

Transfer the FortiGates to the desired subaccount by following the instructions in the document referenced above, FortiGate Cloud MSSP Deployment Guide - Multitenancy with FortiCloud Organizations.

Note that at the time of Organization creation, all FortiGates deployed to FortiGate Cloud were associated with the primary account.

If the assets are not visible, log out and verify that the IAM user is logged in to the intended region:

  • Global: portal.ca.fortigate.forticloud.com
  • US: portal.us.fortigate.forticloud.com
  • Europe: portal.eu.fortigate.forticloud.com

If no assets are visible in any region, verify the assets are deployed to FortiGate Cloud. For one deployment method, see Technical Tip: How to register and activate a FortiGate Cloud account.


  6. View the assets in FortiGate Cloud (FortiGate Cloud).

Perform an OU Context Switch from the OU to the Member Account using the top-right OU dropdown. Alternatively, log in to FortiGate Cloud using an IAM user of Organization type and select the new Member Account.

The transferred FortiGates are visible and can be managed by the IAM user according to their Permission Profile.


The example above does not migrate licenses or asset registration to another FortiCare account. See the Administration Guide if the FortiGate registrations also need to be moved.

Related article:

FortiCloud IAM - Logging into an OU account