Fortinet black logo

Cookbook

Zero touch provisioning with FortiDeploy

Copy Link
Copy Doc ID 4e2e9371-e0d6-11ea-96b9-00505692583a:316039
Download PDF

Zero touch provisioning with FortiDeploy

You can use this feature only when the FortiGate boots up from factory reset.

Topology

FortiGate zero touch provisioning workflow

  1. Add the FortiGate Cloud product key to the FortiGate Cloud portal so that the FortiGate serial number appears in the portal.

  2. Set up a configuration template with the basic configuration in the FortiGate Cloud portal.
  3. Deploy the FortiGate to FortiGate Cloud with that template.

  4. Ensure the FortiGate has an interface in default DHCP client mode and is connected to the ISP outlet.
  5. Boot the FortiGate in factory reset. The FortiGate gets the DHCP lease so that it can access FortiGate Cloud in the Internet and join FortiGate Cloud.
    Initializing firewall...
    System is starting...
    
    FortiGate-201E login: admin
    Password:
    Welcome !
    FortiGate-201E # 
    
    FortiGate-201E # diagnose debug cli 7
    Debug messages will be on for 30 minutes.
    FortiGate-201E # 0: config system fortiguard
    0: set service-account-id "jxue@fortinet.com"
    0: end
    0: config log fortiguard setting
    0: set status enable
    0: end
    FortiGate-201E # diagnose test application forticldd 1
    System=FGT Platform=FG201E
    Management vdom: root, id=0,  ha=master.
    acct_id=jxue@fortinet.com
    acct_st=OK
    FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
    Centra Management: type=FGD, flags=000000bf.
    active-tasks=0

    The FortiGate Cloud server checks that the FortiGate key is valid and then deploys the FortiGate to FortiGate Cloud.

    To prevent spoofing, FortiGate Cloud invalidates that key after a successful join.

  6. Complete zero touch provisioning by obtaining configuration from platform template in the Cloud.
    0:     set admintimeout 50
    0: end
    0: config system interface
    0:     edit "wan1"
    0:         set allowaccess ping ssh fgfm
    0:     next
    0:     edit "port1"
    0:         set allowaccess ping
    0:         set ip 1.1.1.1 255.255.255.0
    0:     next
    0:     edit "port2"
    0:         set allowaccess ping
    0:         set ip 2.2.2.2 255.255.255.0
    0:     next
    0: end
  7. The FortiGate Cloud admin can change the template for different configuration requirements and then deploy the updated template to the FortiGate.

    For example, you can add a secondary DNS to the template and deploy it to FortiGate.

Zero touch provisioning with FortiDeploy

You can use this feature only when the FortiGate boots up from factory reset.

Topology

FortiGate zero touch provisioning workflow

  1. Add the FortiGate Cloud product key to the FortiGate Cloud portal so that the FortiGate serial number appears in the portal.

  2. Set up a configuration template with the basic configuration in the FortiGate Cloud portal.
  3. Deploy the FortiGate to FortiGate Cloud with that template.

  4. Ensure the FortiGate has an interface in default DHCP client mode and is connected to the ISP outlet.
  5. Boot the FortiGate in factory reset. The FortiGate gets the DHCP lease so that it can access FortiGate Cloud in the Internet and join FortiGate Cloud.
    Initializing firewall...
    System is starting...
    
    FortiGate-201E login: admin
    Password:
    Welcome !
    FortiGate-201E # 
    
    FortiGate-201E # diagnose debug cli 7
    Debug messages will be on for 30 minutes.
    FortiGate-201E # 0: config system fortiguard
    0: set service-account-id "jxue@fortinet.com"
    0: end
    0: config log fortiguard setting
    0: set status enable
    0: end
    FortiGate-201E # diagnose test application forticldd 1
    System=FGT Platform=FG201E
    Management vdom: root, id=0,  ha=master.
    acct_id=jxue@fortinet.com
    acct_st=OK
    FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
    Centra Management: type=FGD, flags=000000bf.
    active-tasks=0

    The FortiGate Cloud server checks that the FortiGate key is valid and then deploys the FortiGate to FortiGate Cloud.

    To prevent spoofing, FortiGate Cloud invalidates that key after a successful join.

  6. Complete zero touch provisioning by obtaining configuration from platform template in the Cloud.
    0:     set admintimeout 50
    0: end
    0: config system interface
    0:     edit "wan1"
    0:         set allowaccess ping ssh fgfm
    0:     next
    0:     edit "port1"
    0:         set allowaccess ping
    0:         set ip 1.1.1.1 255.255.255.0
    0:     next
    0:     edit "port2"
    0:         set allowaccess ping
    0:         set ip 2.2.2.2 255.255.255.0
    0:     next
    0: end
  7. The FortiGate Cloud admin can change the template for different configuration requirements and then deploy the updated template to the FortiGate.

    For example, you can add a secondary DNS to the template and deploy it to FortiGate.