FortiGate
mdibaee
Staff
Article Id 281766
Description

This article describes how IAM users are added to the FortiGate configuration as either FortiCloud SSO admins or FortiGate Cloud SSO admins.


Scope

FortiGate v7.0, v7.2, v7.4; FortiCloud free subscription.


Solution

FortiCloud SSO admin is a new feature added in v7.0.4 and is configured by following the document below:
FortiGate administrator log in using FortiCloud single sign-on


With this feature, a new configuration table was added under the admin settings:

config system sso-forticloud-admin
    edit <user>
        set vdom ""
    next
end


Every FortiCloud SSO user who logs in to the FortiGate is therefore added to this table, and the entries are viewable through both the GUI and the CLI.


The permissions of these users are as follows:

  • On v7.0.12, the permissions are set by FortiCloud, with the master account having the super-admin profile by default.
  • On v7.2 and higher, the permissions can either be inherited from FortiCloud or specified locally.

 

For more IAM user management documentation, refer to the document below:

IAM users


FortiOS handles access through FortiGate Cloud differently.

On v7.0.12, there is no configuration table for regular users or IAM users who access the FortiGate through the FortiGate Cloud portal.

When FortiGate logs, statistics, or the management plane (paid FortiCloud subscription) are accessed through FortiGate Cloud, and the unit's central management is set to FortiGate Cloud, that user's credentials are used to make API calls to the FortiGate through the FGFM management tunnel.

For these API calls, a new user (one per credential) is automatically created as a read-only admin user under 'config system sso-forticloud-admin':


config system sso-forticloud-admin
    edit masteraccount@email.com
        set vdom "root"
    next
    edit <IAM username>
        set vdom "root"
    next
end

This configuration change is only visible in the CLI and is not logged. These automatically created users have read-only access by default and cannot be given any other access level when using the free FortiCloud subscription.

For IAM users to be added to this list, they need sufficient permissions on FortiCloud to access the FortiGate Cloud interface.

On v7.2 and higher, a new configuration table, sso-fortigate-cloud-admin, is added to FortiOS to account for FortiGate Cloud access separately:

config system sso-fortigate-cloud-admin
    edit masteraccount@email.com
        set vdom "root"
    next
    edit "<IAM username>"
        set vdom "root"
    next
end


In addition, a new section has been added to the web user interface to display these users.
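Because the entries in both tables are created automatically, are not logged, and on v7.0 are only visible in the CLI, an administrator may want to periodically review them. The following Python script is an added example for this article, not Fortinet code: it parses the text of `show system sso-forticloud-admin` and `show system sso-fortigate-cloud-admin` (the same edit/set/next/end layout shown above) and flags any account that is not on an expected allowlist. The sample output and the account names in it are constructed placeholders, not captured from a real unit.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of what `show system sso-forticloud-admin` and
# `show system sso-fortigate-cloud-admin` print on the FortiGate CLI.
# Account names are placeholders, not real accounts.
SAMPLE_OUTPUT = """\
config system sso-forticloud-admin
    edit "masteraccount@example.com"
        set vdom "root"
    next
    edit "iam-user@example.com"
        set vdom "root"
    next
end
config system sso-fortigate-cloud-admin
    edit "masteraccount@example.com"
        set vdom "root"
    next
    edit "unexpected-user@example.com"
        set vdom "root"
    next
end
"""

_CONFIG_RE = re.compile(r'^config\s+(.+?)\s*$')
_EDIT_RE = re.compile(r'^edit\s+"?([^"]+?)"?\s*$')   # quoted or bare names
_SET_RE = re.compile(r'^set\s+(\S+)\s+(.*?)\s*$')


def parse_sso_admin_tables(text: str) -> Dict[str, List[dict]]:
    """Parse FortiOS-style config blocks into {table_name: [entries]}.

    Each entry is a dict with at least "name" and "vdom"; an empty
    `set vdom ""` (as in the v7.0 template) is kept as an empty string.
    """
    tables: Dict[str, List[dict]] = {}
    current_table = None
    current_entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _CONFIG_RE.match(line)
        if m:
            current_table = m.group(1)
            tables.setdefault(current_table, [])
            continue
        if current_table is None:
            continue  # ignore text outside any config block
        m = _EDIT_RE.match(line)
        if m:
            current_entry = {"name": m.group(1), "vdom": ""}
            continue
        m = _SET_RE.match(line)
        if m and current_entry is not None:
            current_entry[m.group(1)] = m.group(2).strip('"')
            continue
        if line == "next" and current_entry is not None:
            tables[current_table].append(current_entry)
            current_entry = None
            continue
        if line == "end":
            current_table = None
            current_entry = None
    return tables


def unexpected_sso_admins(text: str, allowlist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (table, account, vdom) for every entry not on the allowlist."""
    findings = []
    for table, entries in parse_sso_admin_tables(text).items():
        for entry in entries:
            if entry["name"] not in allowlist:
                findings.append((table, entry["name"], entry.get("vdom", "")))
    return findings


if __name__ == "__main__":
    # Accounts the administrator expects to see (constructed placeholders).
    expected = {"masteraccount@example.com", "iam-user@example.com"}
    for table, account, vdom in unexpected_sso_admins(SAMPLE_OUTPUT, expected):
        print(f"unexpected SSO admin in {table}: {account} (vdom={vdom})")
```

In practice the text would come from a saved CLI session or a configuration backup rather than the embedded sample; the allowlist is whatever set of FortiCloud accounts is expected to have been granted FortiGate Cloud access, since the article notes that only IAM users with sufficient FortiCloud permissions end up in these tables.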


Related articles:

Technical Note: FortiGate Cloud Frequently Asked Questions
Technical Tip: Configure Fortigate Cloud in Security Fabric