Zero touch provisioning with FortiManager

This feature works only when the FortiGate boots from a factory reset. It is intended for FortiGate devices that cannot access the Internet.

The DHCP server includes options 240 and 241, which carry the FortiManager IP address and domain name respectively. The FortiGate has an interface in the default DHCP client mode that is connected to the DHCP server on the intranet.

The FortiManager administrator can authorize the FortiGate into specific ADOMs and install specific configurations on the FortiGate.

Throughout the process, no manual configuration is needed on the FortiGate other than connecting it to the DHCP server. This is called zero touch deployment.

To prevent spoofing, if the DHCP server later offers a different FortiManager IP, the FortiGate does not change its central management configuration.

Example of configuring DHCP server with option 240

config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 172.16.200.254
        set netmask 255.255.255.0
        set interface "wan1"
        config ip-range
            edit 2
                set start-ip 172.16.200.201
                set end-ip 172.16.200.209
            next
        end
        set timezone-option default
        config options
            edit 1
                set code 240
                set type ip
                set ip "172.18.60.115"
            next
        end
    next
end

FortiGate zero touch provisioning workflow

  1. Boot the FortiGate in factory reset.
    FG201E4Q17901047 # diagnose fdsm fmg-auto-discovery-status
    dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=0

    config-touched=0 means no configuration change from the default.

  2. When the FortiGate boots in factory reset, it receives a DHCP lease that includes an IP address, gateway, DNS, and the FortiManager IP/URL. Central management is configured automatically using the FortiManager IP from option 240.
    FG201E4Q17901047 # show system central-management
    config system central-management
        set type fortimanager
        set fmg "172.18.60.115"
    end
  3. Once the FortiGate configuration has changed from the factory default, the auto-discovery status shows config-touched=1.
    FG201E4Q17901047 # diagnose fdsm fmg-auto-discovery-status
    dhcp: fmg-ip=172.18.60.115, fmg-domain-name='', config-touched=1(/bin/dhcpcd)

Example of a spoofing DHCP server with a fake FortiManager IP

config options
    edit 1
        set code 240
        set type ip
        set ip "172.18.60.117"
    next
end

After the FortiGate reboots and renews its DHCP lease, central management does not adopt the fake FortiManager IP, because config-touched=1 shows that the FortiGate is no longer at factory reset.

FG201E4Q17901047 # diagnose fdsm fmg-auto-discovery-status
dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=1(/bin/dhcpcd)

FG201E4Q17901047 # show system central-management
config system central-management
    set type fortimanager
    set fmg "172.18.60.115"
end
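To make the workflow and the spoofing example above concrete, here is an added Python model (not Fortinet code) that parses DHCP options 240/241 from a raw option list and applies the page's rule: the FortiManager IP is adopted only while config-touched=0, and a later lease with a different option 240 leaves central management unchanged. The class, the sample leases and the domain name are constructed for this illustration.

```python
from dataclasses import dataclass

# DHCP option codes used by FortiGate auto-discovery (from the page)
OPT_FMG_IP = 240      # type ip: 4-byte IPv4 address of the FortiManager
OPT_FMG_DOMAIN = 241  # type string: FortiManager domain name
OPT_END = 255

def parse_dhcp_options(raw: bytes) -> dict:
    """Walk a DHCP option TLV list and return {code: value_bytes}."""
    opts, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if code == OPT_END:
            break
        length = raw[i + 1]
        opts[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def fmg_from_options(opts: dict) -> tuple:
    """Extract (fmg_ip, fmg_domain) the way the diag output prints them."""
    ip = opts.get(OPT_FMG_IP)
    fmg_ip = ".".join(str(b) for b in ip) if ip and len(ip) == 4 else "0.0.0.0"
    domain = opts.get(OPT_FMG_DOMAIN, b"").decode("ascii", "replace")
    return fmg_ip, domain

@dataclass
class FortiGateDiscovery:
    """Hypothetical model of the auto-discovery state (constructed)."""
    config_touched: int = 0   # 0 = still at factory default
    central_fmg: str = ""     # 'set fmg' value in system central-management
    last_lease: tuple = ("0.0.0.0", "")

    def on_lease(self, raw_options: bytes) -> str:
        fmg_ip, domain = fmg_from_options(parse_dhcp_options(raw_options))
        self.last_lease = (fmg_ip, domain)
        if self.config_touched == 0 and fmg_ip != "0.0.0.0":
            # Factory-reset device: adopt the advertised FortiManager once
            self.central_fmg = fmg_ip
            self.config_touched = 1
        # Any later lease, even with a different option 240, is ignored
        return self.central_fmg

def option(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value

# Constructed sample leases: the legitimate server and a spoofed one
LEGIT = (option(OPT_FMG_IP, bytes([172, 18, 60, 115]))
         + option(OPT_FMG_DOMAIN, b"fmg.example.test") + bytes([OPT_END]))
SPOOF = option(OPT_FMG_IP, bytes([172, 18, 60, 117])) + bytes([OPT_END])
```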
