Adding offline model devices
The following steps describe how to add a new, offline device by using the Add Device wizard and Add Model Device mode for zero-touch provisioning (ZTP).
To confirm that a device model or firmware version is supported by the FortiManager's current firmware version, run the following CLI command: diagnose dvm supported-platforms list
The Add Model Device mode is intended for new FortiGate deployments, where no pre-existing configuration on the FortiGate must be preserved. The configuration associated with the model device overwrites the configuration of the FortiGate as part of the ZTP process, after FortiManager authorizes the FortiGate and checks the version of the Internet Service database on the FortiGate. See also Model devices.
You can configure a model device to automatically complete authorization with FortiManager.
When configuring a model device to automatically complete authorization with FortiManager, add the model device to FortiManager by using a pre-shared key. When the device connects to FortiManager, run the For FortiOS 5.4.1 or earlier, you must run the
When adding devices to product-specific ADOMs, you can only add that product type to the ADOM. When adding a non-FortiGate device to the root ADOM, the device will automatically be added to the product-specific ADOM.
To add a model device:
- If ADOMs are enabled, select the ADOM to which you want to add the device.
- Go to Device Manager > Device & Groups.
- Click Add Device. The Add Device wizard displays.
- Click Add Model Device and enter the following information:
Add Model Device
Device will be added using the chosen model type and other explicitly entered information.
Name
Type a descriptive name for the device. This name is displayed in the Device Name column. Each device must have a unique name; otherwise, the wizard will fail.
Link Device By
The method by which the model device will be linked to the real device. Model devices can be linked by Serial Number or Pre-Shared Key.
The serial number should be used if it is known. A pre-shared key can be used if the serial number is not known when you add the model device to FortiManager.
If using a pre-shared key, the following CLI command needs to be issued from the FortiGate device when it is installed in the field:
execute central-mgmt register-device <fmg-serial-number> <preshared-key>
Serial Number or Pre-Shared Key
Type the device serial number or pre-shared key. This field is mandatory.
If using a pre-shared key, each device must have a unique pre-shared key. You can change the pre-shared key after adding the model device.
Use Device Blueprint
Toggle ON to enable the use of device blueprints.
When a device blueprint is selected, the following configurations are imported from the blueprint and cannot be specified in the Add Device wizard: Enforce Firmware Version, Add to Device Group, Add to Folder, Pre-run CLI Templates, Assign Policy Package, Provisioning Template.
Device Model
Select the device model from the list. If linking by serial number, the serial number must be entered before selecting a device model.
Port Provisioning
Select the number of ports (1-10) to be provisioned for the FortiGate VM during initialization.
This feature uses the provision_instances_on_vm script in Device Manager > Provisioning Templates > CLI Templates to configure the selected number of ports on the device. The script is performed while adding the offline model into the Device Manager. This option is only available for FortiGate-VM device models.
Automatically Link to Real Device
Toggle ON to allow the model device to automatically link to the real device.
When enabled, the Auto-link Status of the model device will be displayed as Enabled in FortiManager's Device Manager.
When disabled, the Auto-link Status of the model device will be displayed as Disabled in FortiManager's Device Manager.
You can edit model devices added to FortiManager to enable or disable the Automatically Link to Real Device setting.
Split Switch Ports
Select to enable splitting virtual switch ports.
This feature uses the split_hardware_switch_ports_40_80_100 or split_hardware_switch_ports_60_90 scripts in Device Manager > Provisioning Templates > CLI Templates to configure splitting virtual switch ports on the selected device. The script is performed while adding the offline model into the Device Manager. This option is only available on select hardware device models including FGT 40F/60F/80E/90E/100E/100F.
Enforce Firmware Version
Select the check box to enforce the firmware version. The Firmware Version shows the firmware that will be upgraded or downgraded on the device.
Enforce Device Configuration
Enable to enforce the device configuration.
The Enforce Device Configuration option allows auto-link to push changes to the FortiGate management interface during ZTP/LTP. When enabled, this option provisions the configuration to the real device as is. Misconfiguration of the FortiGate management interface may leave the device unable to connect to the FortiManager.
Managed by SD-WAN Manager
Enable this setting when onboarding SD-WAN devices, and the device will automatically be added to the SD-WAN Manager. See SD-WAN Devices.
Add to Device Group
Select the check box to choose a device group.
Add to Folder
Select the check box to choose a folder.
Pre-run CLI Templates
Select the check box to choose pre-run CLI templates. Pre-run CLI templates are run before provisioning templates.
Assign Policy Package
Select the check box and select a policy package from the drop-down to assign a particular policy package to the device.
Provisioning Template
Click to display the Assign Provisioning Templates dialog box. You can select one or more individual provisioning templates, or you can select a template group.
Override Profile Value
Click Override Profile Value to display the interface template and override settings. Overrides must be enabled in the interface template before you can override settings.
Metadata Variables
Edit the metadata variables for the new model device.
Copy Device Dashboard
Select a device to copy custom device dashboards from (optional).
For more information about dashboards in the device database, see Device DB - Dashboard.
- Click Next. The device is created in the FortiManager database.
- Click Finish to exit the wizard.
A device added using the Add Model Device option has similar dashboard options as a device added using the Discover option. As the device is not yet online, some options are not available.
When adding a model device that has been configured with an admin password, you must import the device's existing configuration or set the password in FortiManager before pushing new configuration changes to it for the first time.
If the password is not imported or configured in FortiManager, when auto-push occurs, the installation will fail because the admin password in FortiGate devices cannot be unset without knowing the existing password.
A configuration file must be associated with the model device to enable FortiManager to automatically install the configuration to the matching device when the device connects to FortiManager and is authorized. FortiManager does not retrieve a configuration file from a real device that matches a model device. Use the Import Revision function to associate a configuration file with the model device. See Viewing configuration revision history.
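The wizard fails on a duplicate device name and requires a unique pre-shared key per device, so a batch of model devices is worth checking before it is entered. The following is an added example, not Fortinet code: the inventory layout, the placeholder serials and the PSK alphabet and length are assumptions of this example, and only the register-device command comes from the procedure above.

```python
import secrets
import string

# Assumption: alphabet and length are this example's choice; the page states no PSK limits.
PSK_ALPHABET, PSK_LENGTH = string.ascii_letters + string.digits, 24

# Constructed sample inventory; serials and the FortiManager serial are placeholders.
SAMPLE_INVENTORY = [
    {"name": "branch-01", "serial": ""},
    {"name": "branch-02", "serial": "FGT-SERIAL-PLACEHOLDER-A"},
    {"name": "branch-02", "serial": ""},  # duplicate name: the wizard would fail
    {"name": "branch-03", "serial": ""},
]
FMG_SERIAL = "FMG-SERIAL-PLACEHOLDER"


def new_psk():
    """Return a random pre-shared key drawn from the OS CSPRNG."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(PSK_LENGTH))


def plan_model_devices(inventory, fmg_serial):
    """Return (plan, errors) for a batch of model devices."""
    plan, errors, names, links = [], [], set(), set()
    for dev in inventory:
        name, serial = dev["name"].strip(), dev["serial"].strip()
        if not name or name in names:
            errors.append(f"missing or duplicate device name: {name!r}")
            continue
        if serial in links:
            errors.append(f"duplicate serial number: {serial!r}")
            continue
        names.add(name)
        if serial:  # serial known: link by Serial Number, nothing to run in the field
            link_by, value, command = "Serial Number", serial, None
        else:  # serial unknown: unique PSK plus the command for the field installer
            value = new_psk()
            while value in links:
                value = new_psk()
            link_by = "Pre-Shared Key"
            command = f"execute central-mgmt register-device {fmg_serial} {value}"
        links.add(value)
        plan.append({"name": name, "link_by": link_by, "value": value, "command": command})
    return plan, errors


if __name__ == "__main__":
    for item in plan_model_devices(SAMPLE_INVENTORY, FMG_SERIAL):
        print(item)
```

The returned plan contains the pre-shared keys in clear text, so store and hand it to field installers as you would any other credential.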
When FortiManager performs database updates
Following the device auto-link process, FortiManager determines if the following databases must be updated when the configuration is pushed to the managed device. Each database is checked individually for updates.
- Internet service database
- IPS database
- Application Signature database
This check is performed based on the following criteria:
- If there is no Internet Service/IPS/Application Signature database used in the Policy Package, there will be no database update performed.
- If the Internet Service/IPS/Application Signature database used in the Policy Package is the same version or an older version than the version on the FortiGate, there will be no database update performed.
- If the Internet Service/IPS/Application Signature database used in the Policy Package is newer than the database version on the FortiGate, a database update is performed.