This article describes how IAM users are added under FortiGate configuration as either FortiCloud SSO admin or FortiGate Cloud SSO admin.
FortiGate v7.0, v7.2, v7.4; FortiCloud free subscription.
FortiCloud SSO admin is a new feature added on v7.0.4 and is configurable following the document below:
FortiGate administrator log in using FortiCloud single sign-on
With this feature, a new configuration table was added under the admin settings:
config system sso-forticloud-admin
    edit <user>
        set vdom ""
    next
end
Therefore, every FortiCloud SSO user who logs in to the FortiGate is added under this table and is viewable through both the GUI and the CLI:
The permissions of these users are explained below.
For more IAM user management documentation, refer to the document below:
The way FortiOS handles access through FortiGate Cloud is different.
On v7.0.12, there is no configuration table for regular users or IAM users who access the FortiGate through the FortiGate Cloud portal.
When FortiGate logs, statistics, or the management plane (paid FortiCloud subscription) are accessed through FortiGate Cloud, and the unit's central management is set to FortiGate Cloud, that user's credentials are used to make API calls to the FortiGate through the FGFM management tunnel.
For these API calls, a separate user is automatically created for each credential as a read-only admin user under 'config system sso-forticloud-admin':
config system sso-forticloud-admin
    edit masteraccount@email.com
        set vdom "root"
    next
    edit <IAM username>
        set vdom "root"
    next
end
This configuration change is only visible on the CLI and is not logged. These automatically created users have read-only access by default, and they cannot be granted any other access level when using the free subscription of FortiCloud.
For IAM users to be added to this table, they need sufficient permissions on FortiCloud to access the FortiGate Cloud interface.
On v7.2 and higher, a new configuration table is added to FortiOS to account for FortiGate Cloud access separately. This new table is called sso-fortigate-cloud-admin:
config system sso-fortigate-cloud-admin
    edit masteraccount@email.com
        set vdom "root"
    next
    edit "<IAM username>"
        set vdom "root"
    next
end
In addition, a new section was added under the web user interface to display these users separately.
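Because these admin entries are created automatically and the change is not logged, a practitioner may want to audit configuration backups for them. The following Python script is an added example, not part of this article or Fortinet's tooling: it parses both the sso-forticloud-admin and sso-fortigate-cloud-admin tables from a FortiOS configuration backup (the sample configuration text and account names below are constructed) and reports any account that is not on an operator-maintained expected list.

```python
import re

# Constructed sample of a FortiOS config backup (placeholder account names).
SAMPLE_CONFIG = """\
config system global
    set hostname "FGT-EXAMPLE"
end
config system sso-forticloud-admin
    edit "masteraccount@email.com"
        set vdom "root"
    next
    edit iam-user-1
        set vdom "root"
    next
end
config system sso-fortigate-cloud-admin
    edit "masteraccount@email.com"
        set vdom "root"
    next
end
"""
SSO_TABLES = ("sso-forticloud-admin", "sso-fortigate-cloud-admin")
CONFIG_RE = re.compile(r"^\s*config\s+system\s+(\S+)\s*$")
EDIT_RE = re.compile(r'^\s*edit\s+"?(.+?)"?\s*$')      # quoted or bare name
VDOM_RE = re.compile(r'^\s*set\s+vdom\s+"?(.*?)"?\s*$')

def parse_sso_admins(config_text):
    # Returns {table: {user: vdom}} for the two SSO admin tables only.
    admins = {t: {} for t in SSO_TABLES}
    table = user = None
    for line in config_text.splitlines():
        m = CONFIG_RE.match(line)
        if m:  # entering a table; anything that is not an SSO table is ignored
            table = m.group(1) if m.group(1) in SSO_TABLES else None
        elif table is None:
            continue
        elif line.strip() == "end":
            table = user = None
        elif line.strip() == "next":
            user = None
        elif (m := EDIT_RE.match(line)):
            user = m.group(1)
            admins[table][user] = ""  # vdom filled in by the 'set vdom' line
        elif user and (m := VDOM_RE.match(line)):
            admins[table][user] = m.group(1)
    return admins

def unexpected_sso_admins(admins, expected):
    # Accounts in either SSO table that are not on the operator's expected list.
    return sorted({u for users in admins.values() for u in users} - set(expected))
```

Run it against a full `show full-configuration` export or a backup file instead of SAMPLE_CONFIG, and compare successive backups to catch accounts that appear without a corresponding log entry.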
Related articles:
Technical Note: FortiGate Cloud Frequently Asked Questions
Technical Tip: Configure Fortigate Cloud in Security Fabric
Copyright 2024 Fortinet, Inc. All Rights Reserved.