FortiClient multi-tenancy
Multi-tenancy gives administrators the flexibility to deploy a single FortiGate with access to multiple FortiClient EMS servers, or a single FortiClient EMS with multiple tenants. The FortiGate can support up to seven EMS servers in a single VDOM. When multi-VDOM is enabled on the FortiGate, each VDOM can override the global EMS configurations to connect to their own EMS servers.
The override feature requires FortiClient EMS 7.2.1 and later, and FortiGate running FOS 7.4.0 or later. To use override with FortiClient EMS Cloud, a FortiGate must be running FOS 7.4.4 or later. To connect to a FortiClient Cloud instance registered under a FortiCloud sub-OU in the GUI, a FortiGate must be running FOS 7.6.1 or later.
This functionality can be applied to MSSP (managed security service provider) configurations, and each VDOM has its own FortiClient EMS card for the EMS server or instance.
The following reference table provides a high-level view of single versus multi-tenancy scenarios, depending on the status of the FortiGate (whether VDOM is enabled or disabled) and FortiClient EMS:
FortiGate | Single FortiClient EMS instance | Multiple FortiClient EMS instances | Single FortiClient EMS instance with multi-tenancy
---|---|---|---
No VDOM | Single tenant | Multi-tenancy without override | Multi-tenancy without override
VDOM | Global FortiClient EMS multi-tenancy | Multi-tenancy with override | Multi-tenancy with override
These scenarios are further illustrated in two diagrams (not reproduced here):
- No VDOM
- VDOM
Basic configurations
In a single VDOM configuration, you can configure multiple EMS servers.
To configure FortiClient EMS servers in a single-VDOM setup:
- Go to Security Fabric > Fabric Connectors.
- Double-click the FortiClient EMS card to edit it.
- For each EMS server, click Enabled and fill in the configuration for that EMS server.
- Click OK to save the settings.
In a multi-VDOM configuration, first configure the global EMS configurations, then configure override on each VDOM. If a VDOM does not enable override, it will inherit the global configurations.
To configure FortiClient EMS servers in a multi-VDOM setup:
- In the Global VDOM, go to Security Fabric > Fabric Connectors.
- Double-click the FortiClient EMS card to edit it.
- For each EMS server, click Enabled and fill in the configuration for that EMS server.
- Click OK to save the settings.
- Enter a VDOM.
- From the CLI, enable override in that VDOM:

```
config endpoint-control settings
    set override enable
end
```

- Back in the GUI, go to Security Fabric > Fabric Connectors.
- Configure each EMS server as needed.
- Click OK to save.
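As an added example (not from the Fortinet documentation), the following Python script parses a constructed FortiOS config excerpt and reports, for each VDOM, whether it uses its own fctems-override list or inherits the global fctems list. It also flags two misconfigurations worth catching in review: a VDOM that enabled override but configured no EMS (by the inheritance rule above it no longer falls back to the global list), and a VDOM exceeding the seven-EMS limit. The config syntax handling and sample values are assumptions for illustration.

```python
import shlex

def parse_fortios(text):
    """Build nested dicts from FortiOS config/edit/set/next/end blocks."""
    tree, stack = {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw)  # honours "quoted values"
        if not tok:
            continue
        node = tree
        for key in stack:  # descend to the block currently open
            node = node.setdefault(key, {})
        if tok[0] in ("config", "edit"):
            stack.append(" ".join(tok[1:]))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()
        elif tok[0] == "set":
            node[tok[1]] = " ".join(tok[2:])
    return tree

def vdom_ems_report(tree):
    """Per VDOM: effective EMS list (own override entries, or the inherited global list) plus issues."""
    glob = tree.get("global", {}).get("endpoint-control fctems", {})
    report = {}
    for vdom, cfg in tree.get("vdom", {}).items():
        override = cfg.get("endpoint-control settings", {}).get("override") == "enable"
        entries = cfg.get("endpoint-control fctems-override", {}) if override else glob
        names = [e.get("name", eid) for eid, e in entries.items()]
        # Override with no entries leaves the VDOM without any EMS (no fallback to global);
        # the documentation states a limit of seven EMS servers per VDOM.
        issue = ("override enabled but no EMS configured" if override and not names
                 else "exceeds 7 EMS per VDOM" if len(names) > 7 else None)
        report[vdom] = {"source": "override" if override else "global", "ems": names, "issue": issue}
    return report

# Constructed sample (not a real device): global EMS, root overrides, vdom1 inherits, vdom2 misconfigured.
SAMPLE = "\n".join([
    "config global", " config endpoint-control fctems", "  edit 1", '   set name "ems_global"',
    '   set server "10.0.0.5"', "  next", " end", "end",
    "config vdom", " edit root", "  config endpoint-control settings", "   set override enable", "  end",
    "  config endpoint-control fctems-override", "   edit 1", '    set name "ems140_root"',
    '    set server "172.16.200.140"', "   next", "  end", " next",
    " edit vdom1", " next",  # no override: inherits the global list
    " edit vdom2", "  config endpoint-control settings", "   set override enable", "  end", " next",
    "end"])

if __name__ == "__main__":
    for vdom, info in vdom_ems_report(parse_fortios(SAMPLE)).items():
        print(vdom, info)
```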
Advanced configurations
FortiGate supports connecting to a FortiClient Cloud instance registered under a sub-OU in FortiCloud. Furthermore, a FortiGate can override the FortiClient Cloud access key setting on a per-VDOM basis. With these enhancements, a FortiGate can support FortiClient Cloud in multi-tenancy scenarios.
This feature includes the following scope and limitations:
- The FortiClient Cloud access key is configured with the cloud-authentication-access-key parameter in the CLI:

```
config endpoint-control fctems-override
    edit 1
        set status enable
        set name <name>
        set fortinetone-cloud-authentication enable
        set cloud-authentication-access-key <key>
    next
end
```
Examples
Example 1: Enabling override on the root VDOM using the CLI
To enable override on the root VDOM in the CLI:
- Enable override on the required VDOMs:

```
config endpoint-control settings
    set override enable
end
```

- Configure the EMS servers on the desired VDOM (here, root):

```
config endpoint-control fctems-override
    edit 1
        set status enable
        set name "ems140_root"
        set server "172.16.200.140"
        set serial-number "FCTEMS8821******"
        set tenant-id "00000000000000000000000000000000"
        set capabilities fabric-auth silent-approval websocket websocket-malware push-ca-certs common-tags-api tenant-id single-vdom-connector
    next
    edit 2
        set name "ems133_root"
        set server "172.16.200.133"
    next
end
```
Example 2: Connecting to different FortiClient Cloud instances
In this example, a FortiGate connects to different FortiClient Cloud instances for the Global EMS connector, the root VDOM, and vdom1.
To connect to different FortiClient Cloud instances in the CLI:
- Obtain the access key from FortiClient Cloud by going to FortiCloud > FortiClient Cloud.
- Click Access Key and switch to the FortiGate Access Key tab.
- Click Create New Key to generate a new key.
- Repeat this for another FortiClient Cloud instance to be applied to vdom1.
- On the FortiGate with multi-VDOM enabled, configure the Global EMS connector:

```
config global
    config endpoint-control fctems
        edit 2
            set status enable
            set name "Cloud_EMS_Global"
            set fortinetone-cloud-authentication enable
            set serial-number "FCTEMSXXXXXXXXXX"
            set tenant-id "00000000000000000000000000000000"
        next
    end
end
```

- Switch to and configure the root VDOM:

```
config vdom
    edit root
        config endpoint-control settings
            set override enable
        end
        config endpoint-control fctems-override
            edit 1
                set status enable
                set name "cloud_ems_root"
                set fortinetone-cloud-authentication enable
                set cloud-authentication-access-key "XXXXXXXXXXXXXXXXXXXX"
                set serial-number "FCTEMSXXXXXXXXXX"
                set tenant-id "00000000000000000000000000000000"
            next
        end
    next
end
```

- Repeat the same steps for vdom1:

```
config vdom
    edit vdom1
        config endpoint-control settings
            set override enable
        end
        config endpoint-control fctems-override
            edit 1
                set status enable
                set name "cloud_vdom1"
                set fortinetone-cloud-authentication enable
                set cloud-authentication-access-key "XXXXXXXXXXXXXXXXXXXX"
                set serial-number "FCTEMSXXXXXXXXXX"
                set tenant-id "00000000000000000000000000000000"
            next
        end
    next
end
```

- From the CLI, run the following commands to troubleshoot:

```
# diagnose endpoint filter show-large-data yes
# diagnose debug application fcnacd -1
# diagnose debug enable
```

A successful connection looks like the following:

```
…
[ec_ez_worker_base_prep_resolver:382] Outgoing interface index 0 for 1 (cloud_vdom1).
[ec_ez_worker_prep_data_url:190] Full URL: https://sf.00000-XXXXXXXXXXXXXXXXXXXX.fortinet-ca2.fortinet.com/api/v1/system/serial_number
[ec_ez_worker_base_prep_ssl:429] verify peer method: 3, current ssl_cb: (nil), new ssl_cb: 0x55c1163571b0
[ec_ems_context_submit_work:642] Call submitted successfully. obj-id: 0, desc: REST API to get EMS Serial Number., entry: api/v1/system/serial_number.
[__match_server_cert_key:462] verify_peer_method: 3
```
To connect to different FortiClient Cloud instances in the GUI:
- Obtain the access key from FortiClient Cloud by going to FortiCloud > FortiClient Cloud.
- Click Access Key and switch to the FortiGate Access Key tab.
- Click Create New Key to generate a new key.
- Repeat this for another FortiClient Cloud instance to be applied to vdom1.
- On the FortiGate with multi-VDOM enabled, go to Global.
- Go to Security Fabric > Fabric Connectors.
- Edit the FortiClient EMS connector.
- Set Status to Enabled.
- Set Type to FortiClient EMS Cloud.
- Set Name to Cloud_EMS_Global.
- Set Connect via to FortiCloud Account.
- Click OK to save. Verify the certificate when prompted and continue saving the settings.
- Switch to the root VDOM.
- Go to Security Fabric > Fabric Connectors.
- Edit the FortiClient EMS connector.
- Set Status to Enabled.
- Set Type to FortiClient EMS Cloud.
- Set Name to cloud_ems_root.
- Set Access key to the key retrieved from FortiClient Cloud.
- Click OK to save.
- Repeat the same steps above for vdom1.