How To Enable Google Cloud Platform Service

Google Deject Platform

FortiCWP offers an API-based arroyo, pulling information directly from Google Deject via a RESTful API. FortiCWP uses your service account credentials for API queries.

Prerequisites

To use FortiCWP with Google Cloud Platform, y'all must have a G Suite account, service account, and the JSON individual key associated with the service account. The service account must have "G Suite Domain-broad Delegation" enabled and Project Owner/Organization Administrator roles for monitoring.

Steps to setup Google Deject with FortiCWP

• Configure Thou Suite Account
• Configure Service Account
• Enable required APIs
• Enable activity and alert monitoring
• Installation

Your One thousand Suite business relationship tin be either an existing business relationship or a new account. If you take just created a new business relationship, you lot must expect for at least 24 hours for the account to take effect before granting it access to FortiCWP. The Thousand Suite business relationship to which you connect from inside FortiCWP must have the Super Admin role in your G Suite account.

Configure G Suite Account

Use the following steps to check if your account has the Super Admin role:

1. Become to https://admin.google.com/ and log in with your Google Suite account credentials.
2. In the upper-left corner, click the navigation menu , and select Directory>Users.
3. Click on user account of interest.



4. Roll down to the Admin roles and privileges department, click the describe-downward push.



5. In the Roles department, make sure that the Super Admin office has been assigned. Otherwise, hover over the Roles section, click the Edit icon, and select Super Admin in the pop-up window.

Configure Service Account

For your service account, you may either use an existing or new account.

New Service Account Cosmos

1. Go to https://console.developers.google.com and log in with your Google Suite account.
2. Click on the drop-down menu > Select a projection.



3. Select an existing project you desire to monitor or Create a New Project by clicking New Project.



4. Click the Navigation Menu on the summit left corner, become to IAM & admin > Service accounts.



5. Click +Create service account button.
6. Enter a Service business relationship proper name of your preference and click create. Service business relationship ID will populate automatically.

Keep the service account ID for later during Google cloud authentication during installation.

7. Click Continue when prompted for inbound service account permissions.
8. Click on +Create Key and select JSON to create a private key. The JSON private key will exist downloaded automatically, and then click Done

Keep the JSON cardinal subsequently for Google cloud authentication during installation.

9. Once service account is created, select the service business relationship created and click on nether Actions icon >Edit.



10. Enable G Suite Domain-broad Delegation.

Using Existing Service Business relationship

1. Select the project that contains the service account to be used.
2. 
3. Click the Navigation Menu in the upper-left corner of the folio, and select IAM & Admin > Service Accounts.

Notation:Make sure Domain-wide delegation is enabled. If non, click on Actions icon > Edit to enable it.



4. If you lot don't have a JSON individual key, then click Actions icon > Edit , and select +Create Key.
5. Select JSON in the Fundamental type field, and click CREATE.The JSON private cardinal will automatically downloaded.

Notation: Be certain to go on this key and your service business relationship ID for use later during Google cloud hallmark.

Once your service business relationship is ready, yous must grant it API access to the G Suite API.

Grant Service Account API Admission

1. Click the Navigation Carte du jour in the upper-left corner of the page, and and then select IAM & admin > Service Accounts.
2. In the Domain-wide delegation cavalcade, click View Client ID.
3. In the popular-up window, save the client ID for step seven.
4. Go to https://admin.google.com and log into the same Google account.
5. Scroll down and click on More Controls > Security.



6. In Security, scroll down and select Advanced Settings.
7. Click Manage API client access.



8. In the Client Name field, enter the Customer ID saved in Step 3. Your Client ID must be a cord of numbers.
9. In the One or More API Scopes field, enter:

"https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.reports.inspect.readonly".

After getting your service account ID and JSON private cardinal, grant the service account with Possessor and Organisation Administrator function for the projects to be monitored.

Grant Service Business relationship Owner Office

1. Select the project to be monitored.
2. Click the Navigation Carte on the upper-left corner, select IAM & admin > IAM.
3. Click the Add together button on the superlative.



4. In the New Members field, enter the service account ID you want to utilize.
5. In the Select a role field, select Project > Owner.
6. Click the Save push button.
7. Repeat the steps higher up for all the projects to be monitored.

Additionally, on the same service business relationship, grant Organization Ambassador.

Grant service account System Administrator part

1. Select the project to exist monitored.
2. Click the Navigation Carte on the upper-left corner, select IAM & admin > IAM.
3. Click the ADD push button on the top.
4. In the New members field, enter the service account ID you want to use.
5. In the Select a role field, select Resource Director > Organization Administrator

Note: You can also enter "Organization Administrator" in the filter for fast access.

6. Click the SAVE button.

Enable required APIs

Later adding roles to the service account, you must brand sure that the post-obit APIs are enabled on all projects for monitoring. This will ensure that FortiCWP can get together data from the Google Cloud.

• Deject Resource Director API
• App Engine Admin API
• Cloud Fundamental Direction Service (KMS) API
• Compute Engine API
• Deject SQL
• Google Cloud Storage JSON API
• Google Cloud Storage
• Cloud SQL Admin API
• Stackdriver Logging API
• Admin SDK
• Identity and Admission Management (IAM) API

To enable the APIs, exercise the post-obit:

1. Get to the project to be monitored.
2. Click the Navigation Menu in the upper-left corner, and select APIs & Services>Dashboard.
3. In the Enabled APIs and services list, make sure that the required APIs are listed (enabled).

If whatsoever of the APIs is not enabled, use the below steps to enable it:

1. Become to the projection want to be monitored.
2. Click the Navigation Menu in the upper-left corner, and select APIs & Services > Dashboard.
3. Click the ENABLE APIS AND SERVICES button on the superlative.
4. In the Search for APIs & Services field, enter the name of a required API.
5. From the search results, select the API.
6. Click the ENABLE push.
7. Wait until Google Deject has enabled the API.

Note: While you are enabling an API, a dialog may pop up prompting you to enable billing. If that happens, follow the prompts onscreen to enable billing.

Enable action and alert monitoring

If yous would like to enable FortiCWP activity and alert monitoring, you must turn on audit logging using the following steps:

1. Go to the project to be monitored.
2. Click the Navigation Carte du jour in the upper-left corner, and select IAM & admin>Audit Logs.
3. Select Google Cloud Storage in the list.
4. Enable all log types, i.e., Admin Read, Data Read, and Data Write.



5. Click the SAVE button.

Installation

In one case you have all the prerequisites in place, you tin can starting time installing Google Cloud using the following steps:

1. In the upper right hand corner of the FortiCWP main page, click the setting button or get to Ambassador > Deject Accounts.
2. From the Cloud Accounts page, click add together push button side by side to Google Deject. The Google Cloud Authentication dialog will open.



3. In Google Cloud Authentication dialog, for User Email field, enter your electronic mail accost which you used to create the service account.
4. In Service Business relationship ID field, enter the ID of your service account. Your service account ID should end in ".gserviceaccount.com".
5. Give the Google Deject business relationship an account name on FortiCWP in Account Name field. (optional)
6. For Service Account Individual Key (JSON File), click Cull to browse and upload your service account's private key (i.e., a JSON file), then click OK.
7. Click Add GoogleCloud push button to complete authentication.

You will be redirected dorsum to the FortiCWP dashboard. You can cheque the installation outcome in monitoring status page.

Monitoring Status

After adding the Google Deject accounts, please check for installation status under the Google Deject authentication folio. Here are different status representing the state of Google account installation status:

Cloud Business relationship Status	Description
waiting	Require users to execute changes in settings, then FortiCWP can monitor the installed cloud account. If the installed account is removed, the status is also changed to waiting.
running!	The cloud account is installed but only with partial features, requires users to refer to the check list for detail.
running	The deject business relationship is installed successfully with all the features working.
disabled	The cloud account is disabled, but the historical data is notwithstanding available. It can be enabled again when user enabled the deject account again.

Source: https://help.fortinet.com/fcwp/4-2-0/olh/Content/FortiCWP/User%20Guide/Getting%20Started/Installation/Google_cloud_platform.htm

Posted by: mccoymazintim.blogspot.com

Share this post