SD-WAN / SD-Branch Architecture for MSSPs

7.2.0

Zero-touch and low-touch provisioning

Recall from the previous section that, once the real FortiGate device connects to the FortiManager, a process called Auto-Link takes place. During this process:

  1. The device establishes a secure management tunnel to the FortiManager and authenticates itself, using either its Serial Number (S/N) or a Pre-Shared Key (PSK).

  2. This allows the FortiManager to link the real device to its corresponding Model Device, created on the FortiManager at an earlier stage.

  3. Optionally, the FortiManager instructs the real device to upgrade its firmware to guarantee compatibility with the target configuration. If this option is used, FortiManager sends the firmware image to the real device.

  4. The Model Device is then converted into a real device, and the entire configuration is pushed to the real device through the management tunnel.

The remaining question is, therefore, how a real FortiGate device can discover the FortiManager to which it must connect. The answer to this question depends on the chosen onboarding method:

Note

It is important to understand that the Auto-Link process remains the same in all the onboarding methods described in this section. In other words, once the Auto-Link process starts, it no longer matters how the device has found its FortiManager. This allows us to mix different onboarding methods within the same project, without altering the overall deployment workflow.
