6.4.0

Zero Touch Provisioning

To streamline the workflow for provisioning SD-Branches, the FortiManager orchestration solution can be integrated with third-party services to cover the full end-to-end deployment.

The example below illustrates the steps involved using ServiceNow, Ansible Tower, and Infoblox. Other vendors and services can also be used.

Service Portal

The ServiceNow interface in our example allows a site manager to request the provisioning of a new site or an upgrade to their existing site. The manager provides information such as the size, location, and connection type for the branch. The system is then able to determine a Bill of Materials of all the devices that are necessary for the deployment.

After approvals, new tasks are generated for different teams to procure the equipment, services and connections. Equipment is then shipped to the provisioning engineer, who enters the Serial Number of the devices into the system for further configuration preparations.

Configuration Automation

In our example, the serial numbers of the devices are passed from ServiceNow to Ansible Tower, which allocates an IP subnet block from an IP Address Management service such as Infoblox. The Ansible Playbook feeds these variables to the FortiManager and initiates the device configurations on the FortiManager. This may include triggering the creation of VPN overlays, routing, policies and SD-WAN rules as defined in the SD-WAN Orchestration chapter. The FortiSwitch and FortiAP for the branch are also provisioned on the FortiManager.
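Because the serial number typed in by the provisioning engineer becomes the identity FortiManager later trusts, it is worth gating the hand-off described above. The following is an added example, not Fortinet, ServiceNow or Infoblox code: a pre-flight check an automation job could run before the playbook. The serial pattern, the record stores and the `preflight` function are assumptions for illustration.

```python
import ipaddress
import re

# Assumed serial shape (16 upper-case alphanumerics); adjust to your hardware.
SERIAL_RE = re.compile(r"^[A-Z0-9]{16}$")

# Constructed sample state standing in for service-portal and IPAM records.
APPROVED_BOM = {"REQ0001": {"FGT60FTK00000001", "S108EN0000000001"}}
REGISTERED = {"FGT60FTK00000009": "branch-old"}  # serial -> site already bound
BRANCH_SUPERNET = ipaddress.ip_network("10.64.0.0/12")
ALLOCATED = [ipaddress.ip_network("10.64.0.0/24")]


def preflight(request_id, site, serials, subnet):
    """Return (vars, errors); vars is None if any check fails."""
    errors = []
    approved = APPROVED_BOM.get(request_id)
    if approved is None:
        errors.append(f"unknown or unapproved request {request_id}")
        approved = set()
    seen = set()
    for raw in serials:
        sn = raw.strip().upper()
        if not SERIAL_RE.fullmatch(sn):
            errors.append(f"malformed serial {raw!r}")
        elif sn in seen:
            errors.append(f"serial {sn} listed twice")
        elif sn not in approved:
            errors.append(f"serial {sn} not on approved bill of materials")
        elif REGISTERED.get(sn, site) != site:
            errors.append(f"serial {sn} already bound to {REGISTERED[sn]}")
        seen.add(sn)
    try:
        # strict=True rejects host bits, e.g. 10.64.1.5/24
        net = ipaddress.ip_network(subnet, strict=True)
    except ValueError:
        errors.append(f"invalid subnet {subnet!r}")
        net = None
    if net is not None:
        if net.version != BRANCH_SUPERNET.version or not net.subnet_of(BRANCH_SUPERNET):
            errors.append(f"{net} outside branch supernet")
        elif any(net.overlaps(a) for a in ALLOCATED):
            errors.append(f"{net} overlaps an existing allocation")
    if errors:
        return None, errors
    return {"site": site, "serials": sorted(seen), "subnet": str(net)}, []
```

Only the returned variables should reach the playbook; a non-empty error list should fail the job and be logged against the originating request.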

To learn more about FortiManager automation configurations through Ansible or Terraform, visit the links below:

Physical Installation

The provisioning engineer may schedule and install the devices at the branch as soon as the Configuration Automation has been completed. This involves making the physical connection as outlined below.

Once connected to the Internet, the FortiGate initiates a connection to the FortiManager to trigger a configuration sync. This may require a one-step manual configuration of the FortiManager IP, or other means. The site is now provisioned, and post-installation checks are triggered to conclude the site deployment.

Resources

To learn how Zero Touch Provisioning works on the FortiManager, visit the following links:

| Topic | Description |
| --- | --- |
| Adding a FortiGate by Pre-shared Key | Learn how to add a FortiGate model by using the pre-shared key for FortiGate. |
| Adding a FortiGate by Serial Number | Learn how to add a FortiGate model device to FortiManager by using the serial number for the FortiGate. |
| Zero touch Provisioning with FortiManager - DHCP method | Use the CLI to configure a DHCP server with option 240, or spoof a DHCP server with a fake FortiManager IP. |
| Zero touch Provisioning with FortiDeploy | Review the FortiGate zero touch provisioning workflow. |
| Zero touch deployment for FortiSwitch | Learn how model devices used for ZTP can also be linked to model FortiSwitches, enabling provisioning of switch settings when first connected. |
| Zero touch deployment for FortiAP | Learn how model devices used for ZTP can also be linked to model FortiAPs, enabling provisioning of switch settings when first connected. |
| Zero touch firmware rectification | Learn how a target firmware version can be associated with model devices, forcing the mapped device (serial number) to upgrade when first connected. |
| Zero touch provisioning - CLI Template with Variables | Learn how to define a CLI template using variables, and to assign those variable definitions per device. |
