Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Adding offline model devices

The following steps describe how to add a new, offline device by using the Add Device wizard and Add Model Device mode for zero-touch provisioning (ZTP).

To confirm that a device model or firmware version is supported by the FortiManager's current firmware version, run the following CLI command:

diagnose dvm supported-platforms list

The Add Model Device mode is intended for new FortiGate deployments, where no pre-existing configuration on the FortiGate must be preserved. The configuration associated with the model device overwrites the configuration of the FortiGate as part of the ZTP process, after FortiManager authorizes the FortiGate.

You can configure a model device to automatically complete authorization with FortiManager.

When configuring a model device to automatically complete authorization with FortiManager, add the model device to FortiManager by using a pre-shared key. When the device connects to FortiManager, run the execute central-mgmt register-device command from the FortiGate console. The device is automatically authorized, and the configuration of the matched model device is applied.

For FortiOS 5.4.1 or earlier, you must run the execute central-mgmt register-device command.

When adding devices to product-specific ADOMs, you can only add that product type to the ADOM. When adding a non-FortiGate device to the root ADOM, the device will automatically be added to the product-specific ADOM.

To add a model device:
  1. If ADOMs are enabled, select the ADOM to which you want to add the device.
  2. Go to Device Manager > Device & Groups.
  3. Click Add Device. The Add Device wizard displays.

  4. Click Add Model Device and enter the following information:

    Add Model Device

    Device will be added using the chosen model type and other explicitly entered information.

    Name

    Type a descriptive name for the device. This name is displayed in the Device Name column. Each device must have a unique name, otherwise the wizard will fail.

    Link Device By

    The method by which the device will be added, either Serial Number or Pre-Shared Key.

    The serial number should be used if it is known. A pre-shared key can be used if the serial number is not known when the model device is added.

    If using a pre-shared key, the following CLI command needs to be issued from the FortiGate device when it is installed in the field:

    execute central-mgmt register-device <fmg-serial-number> <preshared-key>

    Serial Number or Pre-Shared Key

    Type the device serial number or pre-shared key. This field is mandatory.

    If using a pre-shared key, each device must have a unique pre-shared key. You can change the pre-shared key after adding the model device. See Editing device information.

    Device Model

    Select the device model from the list. If linking by serial number, the serial number must be entered before selecting a device model.

    Enforce Firmware Version

    Select the check box to enforce the firmware version. The Firmware Version shows the firmware that will be upgraded or downgraded on the device.

    Add to Device Group

    Select the check box to choose a device group.

    Add to Folder

    Select the check box to choose a folder.

    Assign Policy Package

    Select the check box and select a policy package from the drop-down to assign a particular policy package to the device.

    Assign Provisioning Template

    Select the check box and select a system template.

    Override Profile Value

    Click Override Profile Value to display the interface template and override settings. Overrides must be enabled in the interface template before you can override settings.

    Assign IPsec Template

    Select the check box and select an IPsec template.

  5. Click Next. The device is created in the FortiManager database.
  6. Click Finish to exit the wizard.

    A device added using the Add Model Device option has similar dashboard options as a device added using the Discover option. As the device is not yet online, some options are not available.

    Note

    When adding a model device that has been configured with an admin password, you must import the device's existing configuration or set the password in FortiManager before pushing new configuration changes to it for the first time.

    If the password is not imported or configured in FortiManager, when auto-push occurs, the installation will fail because the admin password in FortiGate devices cannot be unset without knowning the existing password.

note icon

A configuration file must be associated with the model device to enable FortiManager to automatically install the configuration to the matching device when the device connects to FortiManager and is authorized. FortiManager does not retrieve a configuration file from a real device that matches a model device.

Use the Import Revision function to associate a configuration file with the model device. See Viewing configuration revision history.

Adding offline model devices

The following steps describe how to add a new, offline device by using the Add Device wizard and Add Model Device mode for zero-touch provisioning (ZTP).

To confirm that a device model or firmware version is supported by the FortiManager's current firmware version, run the following CLI command:

diagnose dvm supported-platforms list

The Add Model Device mode is intended for new FortiGate deployments, where no pre-existing configuration on the FortiGate must be preserved. The configuration associated with the model device overwrites the configuration of the FortiGate as part of the ZTP process, after FortiManager authorizes the FortiGate.

You can configure a model device to automatically complete authorization with FortiManager.

When configuring a model device to automatically complete authorization with FortiManager, add the model device to FortiManager by using a pre-shared key. When the device connects to FortiManager, run the execute central-mgmt register-device command from the FortiGate console. The device is automatically authorized, and the configuration of the matched model device is applied.

For FortiOS 5.4.1 or earlier, you must run the execute central-mgmt register-device command.

When adding devices to product-specific ADOMs, you can only add that product type to the ADOM. When adding a non-FortiGate device to the root ADOM, the device will automatically be added to the product-specific ADOM.

To add a model device:
  1. If ADOMs are enabled, select the ADOM to which you want to add the device.
  2. Go to Device Manager > Device & Groups.
  3. Click Add Device. The Add Device wizard displays.

  4. Click Add Model Device and enter the following information:

    Add Model Device

    Device will be added using the chosen model type and other explicitly entered information.

    Name

    Type a descriptive name for the device. This name is displayed in the Device Name column. Each device must have a unique name, otherwise the wizard will fail.

    Link Device By

    The method by which the device will be added, either Serial Number or Pre-Shared Key.

    The serial number should be used if it is known. A pre-shared key can be used if the serial number is not known when the model device is added.

    If using a pre-shared key, the following CLI command needs to be issued from the FortiGate device when it is installed in the field:

    execute central-mgmt register-device <fmg-serial-number> <preshared-key>

    Serial Number or Pre-Shared Key

    Type the device serial number or pre-shared key. This field is mandatory.

    If using a pre-shared key, each device must have a unique pre-shared key. You can change the pre-shared key after adding the model device. See Editing device information.

    Device Model

    Select the device model from the list. If linking by serial number, the serial number must be entered before selecting a device model.

    Enforce Firmware Version

    Select the check box to enforce the firmware version. The Firmware Version shows the firmware that will be upgraded or downgraded on the device.

    Add to Device Group

    Select the check box to choose a device group.

    Add to Folder

    Select the check box to choose a folder.

    Assign Policy Package

    Select the check box and select a policy package from the drop-down to assign a particular policy package to the device.

    Assign Provisioning Template

    Select the check box and select a system template.

    Override Profile Value

    Click Override Profile Value to display the interface template and override settings. Overrides must be enabled in the interface template before you can override settings.

    Assign IPsec Template

    Select the check box and select an IPsec template.

  5. Click Next. The device is created in the FortiManager database.
  6. Click Finish to exit the wizard.

    A device added using the Add Model Device option has similar dashboard options as a device added using the Discover option. As the device is not yet online, some options are not available.

    Note

    When adding a model device that has been configured with an admin password, you must import the device's existing configuration or set the password in FortiManager before pushing new configuration changes to it for the first time.

    If the password is not imported or configured in FortiManager, when auto-push occurs, the installation will fail because the admin password in FortiGate devices cannot be unset without knowning the existing password.

note icon

A configuration file must be associated with the model device to enable FortiManager to automatically install the configuration to the matching device when the device connects to FortiManager and is authorized. FortiManager does not retrieve a configuration file from a real device that matches a model device.

Use the Import Revision function to associate a configuration file with the model device. See Viewing configuration revision history.