FortiGate Cloud
FortiGate Cloud provides cloud-based management for FortiGate devices.
Matt_B
Staff & Editor
Article Id 386698
Description This article describes methods to connect a FortiGate to FortiGate Cloud without using the master account. It is best practice to restrict the use of the FortiCloud master account credential. 
Scope FortiGate Cloud.
Solution

To join the device to FortiGate Cloud without the master account credentials, the device must first be registered to FortiCloud and provisioned to FortiGate Cloud using the FortiGate Cloud portal. An IAM user must be used to provision these devices.


Logging in as an IAM user.

The administrator should log in to FortiGate Cloud using an IAM user, following Logging in as an IAM user.

  • The account ID should match the FortiCare account the device is already or will be registered to.
  • The IAM user must have a permission profile including access to FortiGate Cloud.

 

If an administrator does not have an associated IAM user, another IAM user with FortiGate Cloud and user management permissions can create an appropriate one, see IAM users.


If no IAM users exist, the master account credential is required to create the first IAM user or migrate existing subusers to IAM users, following migration instructions in Identity & Access Management (IAM).

Provision the device to FortiGate Cloud using the portal:
Note: An IAM user must be used for the provisioning step. If an email subuser attempts to provision a device to FortiGate Cloud, the email user will either be unable to log in to FortiGate Cloud or will provision the device to the email user's FortiGate Cloud account rather than the intended account.

Log in to FortiGate Cloud -> Assets -> Asset list -> Add FortiGate. See: Cloud provisioning v25.1.a.

If the device is not yet present in the Inventory, select 'Import FortiGate' using the FortiCloud or FortiDeploy key and select 'Provision after Import'. For a description of these keys and where they are found, see FortiCloud and FortiDeploy keys.

If the device is already registered to FortiCloud, a key is not needed. Select the unit and select 'Provision to FortiGate Cloud'.

The device is provisioned in the currently selected FortiGate Cloud region.

 

After provisioning, join the device to FortiGate Cloud using one of the following:

  1. ZTP central-management configuration using FortiDeploy. If the device was registered with a FortiCloud or FortiDeploy key, it will attempt to join FortiGate Cloud automatically after boot, provided the following default configuration is present on the device.

    config system central-management
        set type fortiguard
    end

This method only works successfully once per FortiDeploy key. If the unit is later removed from FortiGate Cloud and then reprovisioned, use the FortiCloud key (printed on a sticker on the top of the device) or see the following methods.

  2. FortiGate Cloud auto-join (requires 1U or smaller form factor). If the device has the following configuration, it will attempt to join FortiGate Cloud automatically and will retry periodically.

    config system central-management
        set type fortiguard
    end

    config system fortiguard
        set auto-join-forticloud enable <----- Default setting on models that support auto-join; the option is not present on larger form factors.
    end

  3. Manual join from the FortiGate CLI (requires administrator access to the FortiGate). If the device is not joining FortiGate Cloud automatically, or auto-join-forticloud is not available on the unit's model, trigger the join manually with the following commands:

    config system central-management
        set type fortiguard
    end

    execute fortiguard-log join


Each of these methods requires that the device has already been provisioned in the FortiGate Cloud portal (under the intended account, by an IAM user) and that the device has working DNS and Internet connectivity to reach FortiGuard and FortiGate Cloud.
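The three join methods above all reduce to the same central-management setting plus an optional trigger. The following consolidated sequence is an added example, not part of the original article: it strings together the commands shown above with a verification step. The diagnose commands in step 5 are an assumption (forticldd is the FortiGate Cloud daemon) and should be checked against the CLI reference for the FortiOS version in use.

```fortios
# Added example: one pass through the CLI side of the join, run after the
# device has been provisioned to the correct account in the FortiGate Cloud portal.

# 1. Point central management at FortiGuard/FortiGate Cloud (common to all methods).
config system central-management
    set type fortiguard
end

# 2. On models that expose it (1U or smaller), make sure auto-join is still enabled
#    so the unit retries on its own. Skip this block if the option is absent.
config system fortiguard
    set auto-join-forticloud enable
end

# 3. Force an immediate join attempt instead of waiting for the periodic retry.
execute fortiguard-log join

# 4. Confirm the setting took effect.
show system central-management

# 5. Assumed valid (verify on your FortiOS version): watch the FortiGate Cloud
#    daemon while a join runs, then switch debugging back off.
diagnose debug application forticldd -1
diagnose debug enable
execute fortiguard-log join
diagnose debug disable
diagnose debug reset
```

If the debug output shows the device authenticating against a different account than the one selected in the portal, the provisioning step was most likely done as an email subuser rather than an IAM user; remove the device from the wrong account and re-provision it as described above before retrying the join.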

If the FortiGate does not join after trying the methods above, troubleshoot FortiGuard and FortiGate Cloud connectivity issues using the following documents:

Organizations that are managing assets on behalf of several clients may benefit from leveraging IAM users in conjunction with FortiGate Cloud Organizations, see Organization Portal | Key concepts.