
FortiLink Guide

Zero-touch provisioning automation

You can use automation stitches on managed switches for zero-touch provisioning. An automation stitch pairs a trigger (a switch-controller event) with one or more actions that are performed when the trigger fires.

To use a switch-controller event for zero-touch provisioning:
  1. Configure the trigger.

  2. Configure the action.

  3. Configure the automation stitch.

Configure the trigger

Starting in FortiOS 7.4.4, you can use the following switch-controller events as triggers for zero-touch provisioning. Other switch-controller event log IDs can be used in the same way; the configuration example at the end of this page uses log ID 32602, the switch-authorized event.

  • Log ID 32618—A switch port was exported to or returned from a virtual switch.

  • Log ID 32619—A switch was added to or removed from a virtual port pool.

  • Log ID 32620—A switch was added to a switch group.

  • Log ID 32621—A switch was removed from a switch group.

  • Log ID 32622—A switch was connected using FortiLink mode over a layer-2 or layer-3 network.

  • Log ID 32623—The location of a switch changed.

  • Log ID 32624—A new switch peer was detected (either a peer to a single switch or an MCLAG).

You can configure multiple fields for the automation trigger when the event-type is event-log and the logid is set. The action is only performed if all conditions are valid (using AND logic). For example, the following automation trigger requires both the log message to include VRRP and the interface to be svi777 before the action is performed.

config system automation-trigger
    edit "VRRPlogtrigger"
        set event-type event-log
        set logid 10229
        config fields
            edit 1
                set name "msg"
                set value "*VRRP*"
            next
            edit 2
                set name "interface"
                set value "svi777"
            next
        end
    next
end

To configure the trigger:

config system automation-trigger
    edit <trigger_name>
        set description <string>
        set trigger-type event-based
        set event-type event-log
        set logid <log_ID>
        config fields
            edit <entry_ID>
                set name <string>
                set value <string>
            next
        end
    next
end

Variables for the trigger configuration:

<trigger_name>
    Name of the trigger configuration.
    Default: no default

description <string>
    Description of the trigger.
    Default: no default

trigger-type event-based
    Select the event-based trigger type.
    Default: event-based

event-type event-log
    Use a log ID as the trigger for the automation-stitch actions.
    Default: event-log

logid <log_ID>
    Enter the log ID that triggers the actions. The range of values is 1-65535. If you enter the full 10-digit log ID, the first four digits (the log type and subtype) are dropped and only the remaining digits are used.
    Default: 0

trigger-frequency {daily | hourly | monthly | weekly}
    Select whether the automation-stitch actions are performed on a daily, hourly, monthly, or weekly basis. This option is available only when trigger-type is set to scheduled, so it does not apply to the event-based triggers used for zero-touch provisioning.
    Default: daily

config fields
    You can configure multiple fields for the automation trigger. The actions are only performed if every configured field matches the log (AND logic).

    <entry_ID>
        Enter an identifier for this entry.
        Default: no default

    name <string>
        Enter the name of the log field to match, for example sn, msg, or interface.
        Default: no default

    value <string>
        Enter the pattern that the field value must match. Matching is against the whole field value and is case sensitive.
          • Use an asterisk (*) to match any string of any length, including the empty string. For example, set value "*1567*" matches both 81567 and 156789.
          • Use square brackets to match any one of the characters listed inside them. For example, set value "[aA]dmin" matches both admin and Admin.
        Default: no default

Configure the action

Each action is one of the following types:

  • Run a CLI script.

  • Send an email message.

  • Display an alert in the dashboard.

  • Send data to a uniform resource identifier (URI), such as an IP address or URL.

To configure the action:

config system automation-action
    edit <name>
        set action-type {alert | cli-script | email | webhook}
        set accprofile <string>
        set email-body <string>
        set email-from <string>
        set email-subject <string>
        set email-to <email_address>
        set http-body <request_body>
        set method {delete | get | patch | post | put}
        set minimum-interval <0-2592000>
        set port <1-65535>
        set protocol {http | https}
        set script <string>
        set uri <request_API_URI>
    next
end

Variables for the action configuration:

<name>
    Name of the action configuration.
    Default: no default

action-type {alert | cli-script | email | webhook}
    Select the type of action to perform:
      • alert—Display an alert in the dashboard.
      • cli-script—Run a CLI script.
      • email—Send a notification email.
      • webhook—Send data to a uniform resource identifier (URI), such as an IP address or URL.
    Default: alert

accprofile <string>
    Specify the access profile that the CLI script runs with. The script can change anything this profile permits, so use a profile limited to the switch-controller settings the script writes; the configuration example below uses super_admin only for brevity.
    This option is available only when action-type is set to cli-script.
    Default: no default

email-body <string>
    Enter the body of the email. By default, the triggering log message (%%log%%) is sent.
    This option is available only when action-type is set to email.
    Default: %%log%%

email-from <string>
    Enter the name of the sender of the email.
    This option is available only when action-type is set to email.
    Default: no default

email-subject <string>
    Enter the subject of the email.
    This option is available only when action-type is set to email.
    Default: no default

email-to <email_address>
    Enter the email address or addresses that the email is sent to when the automation stitch is triggered.
    This option is available only when action-type is set to email.
    Default: none

http-body <string>
    If necessary, enter the request body as a serialized JSON string. The %%log%% placeholder can be used in the body to include the triggering log message.
    This option is available only when action-type is set to webhook.
    Default: no default

method {delete | get | patch | post | put}
    Select the request method: DELETE, GET, PATCH, POST, or PUT.
    This option is available only when action-type is set to webhook.
    Default: post

minimum-interval <0-2592000>
    Enter the minimum number of seconds that must pass before this action can be performed again. A value of 0 applies no minimum interval.
    Default: 0

port <1-65535>
    Enter the port number for the request. If protocol is set to http, the default port is 80; if protocol is set to https, the default port is 443.
    This option is available only when action-type is set to webhook.
    Default: 80

protocol {http | https}
    Select the request protocol, HTTP or HTTPS. Use https so that the request body, which can carry log contents, is not sent in the clear.
    This option is available only when action-type is set to webhook.
    Default: http

script <string>
    Enter the CLI commands to run, as a single quoted string. Double quotes inside the script are escaped with a backslash, and %%log.<field>%% placeholders are replaced with the corresponding log field values before the script runs, as in the configuration example below. The script runs with the permissions of the profile set in accprofile.
    This option is available only when action-type is set to cli-script.
    Default: no default

uri <string>
    Required. Enter the uniform resource identifier (URI) that the request is sent to, such as an IP address or URL.
    This option is available only when action-type is set to webhook.
    Default: no default

Configure the automation stitch

To configure the automation stitch:

config system automation-stitch
    edit <name>
        set description <string>
        set status {enable | disable}
        set trigger <trigger_name>
        config actions
            edit <action_ID>
                set action <action_name>
                set delay <0-3600>
                set required {enable | disable}
            next
        end
    next
end

Variables for the automation-stitch configuration:

<name>
    Name of the automation-stitch configuration.
    Default: no default

description <string>
    Enter a description of the automation stitch.
    Default: no default

status {enable | disable}
    Enable or disable this automation stitch.
    Default: enable

trigger <trigger_name>
    Enter the name of the trigger for this automation stitch.
    Default: no default

config actions
    <action_ID>
        Enter an integer to identify the action within this stitch.
        Default: 0

    action <action_name>
        Enter the name of the action configuration to run.
        Default: none

    delay <0-3600>
        Enter the number of seconds to wait before executing this action.
        Default: 0

    required {enable | disable}
        Enable this option to mark the action as required in the stitch's action chain.
        Default: disable

Configuration example

In the following example, CLI scripts are used to configure new switches. All three triggers fire on log ID 32602, the switch-authorized event. The ALL trigger has no field conditions, so the Global stitch runs for every authorized switch and points its remote logging at the syslog server; the S108DV and FS1E48 triggers match on the serial-number prefix in the sn field, so the Edge or Core stitch runs in addition for switches of that model. The serial number from the log (%%log.sn%%) is substituted into each script verbatim, and the scripts run with the super_admin profile; in production, prefer a profile that can only write the switch-controller configuration.

config system automation-trigger
    edit "SwitchAuthorized.Model.ALL"
        set event-type event-log
        set logid 32602
    next
    edit "SwitchAuthorized.Model.S108DV"
        set event-type event-log
        set logid 32602
        config fields
            edit 1
                set name "sn"
                set value "S108DV*"
            next
        end
    next
    edit "SwitchAuthorized.Model.FS1E48"
        set event-type event-log
        set logid 32602
        config fields
            edit 1
                set name "sn"
                set value "FS1E48*"
            next
        end
    next
end

config system automation-action
    edit "swc.assign.port.vlans"
        set action-type cli-script
        set script "config switch-controller managed-switch
            edit %%log.sn%%
                config ports
                    edit \"port8\"
                        set vlan \"vlan.20\"
                    next
                end
            next
        end"
        set accprofile "super_admin"
    next
    edit "swc.add.switch2.group-core"
        set action-type cli-script
        set script "config switch-controller switch-group
            edit \"core\"
                append members %%log.sn%%
            next
        end"
        set accprofile "super_admin"
    next
    edit "swc.setswitch.syslog"
        set action-type cli-script
        set script "config switch-controller managed-switch
            edit %%log.sn%%
                config remote-log
                    edit \"syslogd\"
                        set status enable
                        set server \"192.168.0.111\"
                    next
                end
            next
        end"
        set accprofile "super_admin"
    next
    edit "swc.add.switch2.group-edge"
        set action-type cli-script
        set script "config switch-controller switch-group
            edit \"edge\"
                append members %%log.sn%%
            next
        end"
        set accprofile "super_admin"
    next
end

config system automation-stitch
    edit "ZT.OnboardNewSwitch.Global"
        set trigger "SwitchAuthorized.Model.ALL"
        config actions
            edit 1
                set action "swc.setswitch.syslog"
                set required enable
            next
        end
    next
    edit "ZT.OnboardNewSwitch.Edge"
        set trigger "SwitchAuthorized.Model.S108DV"
        config actions
            edit 1
                set action "swc.assign.port.vlans"
                set required enable
            next
            edit 2
                set action "swc.add.switch2.group-edge"
                set required enable
            next
        end
    next
    edit "ZT.OnboardNewSwitch.Core"
        set trigger "SwitchAuthorized.Model.FS1E48"
        config actions
            edit 2
                set action "swc.add.switch2.group-core"
                set required enable
            next
        end
    next
end
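As an added example (not code from this page or from Fortinet), the following Python models the trigger matching rules described under Configure the trigger and applies them to the triggers and stitches from the configuration example above, over constructed log lines. It shows which stitches fire for a given switch-authorized event and how %%log.sn%% is expanded before a CLI script runs, and it generalizes to any field pattern written with the asterisk and square-bracket forms. The Trigger and Stitch classes, the first four digits of the sample logid values, and the serial numbers in the sample lines are assumptions made for this example.

```python
"""Evaluate FortiOS automation triggers and stitches against switch-controller log events.

Added example, not Fortinet code. It models the matching rules documented on this page:
the log ID must match (short or full 10-digit form), every configured field must
match (AND), '*' matches any string (including the empty string) and '[...]' matches
any one of the listed characters. It also expands %%log%% / %%log.<field>%% the way a
cli-script action does before the script runs.
"""
import re
from dataclasses import dataclass, field


def normalize_logid(logid):
    """Accept the short log ID or the full 10-digit form; the first four digits are dropped."""
    digits = str(logid).strip()
    if len(digits) == 10:
        digits = digits[4:]
    return int(digits)


def field_matches(pattern, value):
    """Translate the trigger-field pattern syntax into a regex and match the whole value."""
    regex = ""
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":                                   # any string, including empty
            regex += ".*"
        elif ch == "[" and "]" in pattern[i + 2:]:      # one of the listed characters
            close = pattern.index("]", i + 2)
            regex += "[" + "".join(re.escape(c) for c in pattern[i + 1:close]) + "]"
            i = close
        else:                                           # everything else is literal
            regex += re.escape(ch)
        i += 1
    return re.fullmatch(regex, value) is not None


@dataclass
class Trigger:                                          # assumed model of config system automation-trigger
    name: str
    logid: int
    fields: dict = field(default_factory=dict)          # log field -> pattern; all must match

    def matches(self, log):
        if normalize_logid(log["logid"]) != normalize_logid(self.logid):
            return False
        return all(field_matches(pat, log.get(name, "")) for name, pat in self.fields.items())


@dataclass
class Stitch:                                           # assumed model of config system automation-stitch
    name: str
    trigger: str
    actions: list                                       # action names, in action-ID order
    status: str = "enable"


def parse_log(line):
    """Split a FortiOS key="value" log line into a dict and keep the raw line for %%log%%."""
    record = dict(re.findall(r'(\w+)="([^"]*)"', line))
    record["raw"] = line
    return record


def fired_stitches(log, triggers, stitches):
    """Names of the enabled stitches whose trigger matches this log record."""
    return [s.name for s in stitches if s.status == "enable" and triggers[s.trigger].matches(log)]


def render_script(script, log):
    """Expand %%log%% (whole line) and %%log.<field>%% (one field) as a cli-script action does."""
    def substitute(m):
        return log["raw"] if m.group(1) is None else log.get(m.group(1), "")
    return re.sub(r"%%log(?:\.(\w+))?%%", substitute, script)


# The triggers and stitches from the configuration example on this page.
TRIGGERS = {
    "SwitchAuthorized.Model.ALL": Trigger("SwitchAuthorized.Model.ALL", 32602),
    "SwitchAuthorized.Model.S108DV": Trigger("SwitchAuthorized.Model.S108DV", 32602, {"sn": "S108DV*"}),
    "SwitchAuthorized.Model.FS1E48": Trigger("SwitchAuthorized.Model.FS1E48", 32602, {"sn": "FS1E48*"}),
}
STITCHES = [
    Stitch("ZT.OnboardNewSwitch.Global", "SwitchAuthorized.Model.ALL", ["swc.setswitch.syslog"]),
    Stitch("ZT.OnboardNewSwitch.Edge", "SwitchAuthorized.Model.S108DV",
           ["swc.assign.port.vlans", "swc.add.switch2.group-edge"]),
    Stitch("ZT.OnboardNewSwitch.Core", "SwitchAuthorized.Model.FS1E48", ["swc.add.switch2.group-core"]),
]

# Constructed sample log lines (not captured from a device). The first four logid digits
# and the serial numbers are placeholders; only the 326xx ID and the serial prefix matter.
SAMPLE_LOGS = [
    'logid="0000032602" type="event" subtype="switch-controller" sn="S108DVAAAA000001" msg="Switch authorized"',
    'logid="0000032602" type="event" subtype="switch-controller" sn="FS1E48BBBB000002" msg="Switch authorized"',
    'logid="0000032602" type="event" subtype="switch-controller" sn="S124EPCCCC000003" msg="Switch authorized"',
    'logid="0000032620" type="event" subtype="switch-controller" sn="S108DVAAAA000001" msg="Switch added to group"',
]


def evaluate(lines):
    """For each sample line: (serial number, normalized log ID, stitches that fire)."""
    results = []
    for line in lines:
        log = parse_log(line)
        results.append((log["sn"], normalize_logid(log["logid"]), fired_stitches(log, TRIGGERS, STITCHES)))
    return results


if __name__ == "__main__":
    for sn, logid, fired in evaluate(SAMPLE_LOGS):
        print(f"{sn} logid={logid} -> {fired or 'no stitch'}")
    print(render_script("config switch-controller managed-switch\n    edit %%log.sn%%", parse_log(SAMPLE_LOGS[0])))
```

Run as a script, it prints which stitches fire for each sample line: an S108DV serial fires both the Global and the Edge stitch, an FS1E48 serial fires Global and Core, any other model fires only Global, and a 32620 event fires nothing because no trigger uses that log ID. Matching is against the whole field value, so a model filter written as "S108DV" without the trailing asterisk would never match a full serial number; the asterisk is what turns it into a prefix match.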
