Zero(ish) Touch Configuration – Linking Configuration via FortiGate CLI
In a previous article I covered configuring the FortiManager to create a model device that automatically assigns a configuration to a FortiGate upon registration. This article builds on that and walks through one of the available methods: registering the FortiGate to the FortiManager from the FortiGate CLI so that it acquires its configuration automatically.
This method is useful when you are shipping a FortiGate whose serial number you do not know to a remote site where only non-technical staff can access the firewall. It is also useful for provisioning virtual FortiGates (FortiGate-VM), whose serial number you may not have before creating the instance in your hypervisor. In both cases you can pre-build the FortiGate's configuration on the FortiManager and give the on-site staff the CLI registration procedure below.
This method requires a “model device” created with the “Pre-shared Key” option, as shown in the following screenshot:
In this case the “device model” must be specified, and it must match the platform that is being deployed via this method. For the full configuration steps of this “Add Device” method, consult the previous blog article.
- Ensure the FortiGate firmware version matches the version of the FortiManager ADOM the model device was created in
- Ensure the FortiGate is in a factory default state
Configuring the FortiGate
Once the FortiGate model device has been created in the FortiManager, you can follow the procedure below to register the FortiGate via its CLI to auto-link the configuration.
1. Log into the FortiGate CLI as an administrative user
2. Via the FortiGate CLI, execute the following commands to point the device at the FortiManager:
    config system central-management
        set type fortimanager
        set fmg <ip address of fortimanager>
    end
3. Confirm in the FortiManager Device Manager that the FortiGate appears under “Unregistered Devices”
4. From the FortiGate CLI, execute the following commands to register the FortiGate using the pre-shared key:
execute central-mgmt register-device <fortimanager serial> <pre-shared key>
5. Confirm that the FortiManager starts to push the configuration to the FortiGate
Once the registration process completes, you may need to reload the FortiManager Device Manager page to see the FortiGate's status change to “Synchronized”. At this point the FortiGate has been provisioned with the configuration that was defined on the FortiManager. Note that the pre-shared key is typed in clear text on the command line in step 4 and is all that is needed, together with the FortiManager serial number, to claim the model device, so treat it as a one-time secret for that device and do not reuse it across deployments.
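When the same registration has to be repeated for many sites, it is easier to drive steps 2 to 5 from a jump host than to talk on-site staff through them. The following is an added example, not code from the original article or from Fortinet: it builds the exact CLI lines used above, validates the inputs before anything is sent to the firewall, polls the FGFM tunnel until the FortiGate can actually reach the FortiManager before issuing the `register-device` command, and parses the `key : value` output that FortiOS `get`/`diagnose` commands print. The `diagnose fdsm central-mgmt-status` field names and the `FakeFortiGate` replies are constructed for the offline demo and are assumptions; the real SSH transport (a `paramiko` session) is only wired up under `__main__`.

```python
"""Script the FortiGate-side registration steps from a jump host.

Added example (not the article's own code). Assumptions: SSH access to the
FortiGate as an administrator, and that `diagnose fdsm central-mgmt-status`
prints "Connection status:" and "Registration status:" lines.
"""
import ipaddress
import re
import time
from typing import Callable, Dict, List

RunCmd = Callable[[str], str]  # sends one CLI line, returns its output


def validate_inputs(fmg_ip: str, fmg_serial: str, psk: str) -> None:
    """Fail early rather than sending junk (or a quoted PSK) to the firewall."""
    ipaddress.ip_address(fmg_ip)  # raises ValueError on a malformed address
    # Assumption: FortiManager serials start with "FMG" (e.g. FMG-VM...).
    if not re.fullmatch(r"FMG[-A-Z0-9]{6,}", fmg_serial):
        raise ValueError("FortiManager serial does not look right: %r" % fmg_serial)
    if not psk or any(ch.isspace() for ch in psk):
        raise ValueError("pre-shared key must be non-empty and contain no whitespace")


def central_management_commands(fmg_ip: str) -> List[str]:
    """Step 2 of the article: point the FortiGate at the FortiManager."""
    return [
        "config system central-management",
        "set type fortimanager",
        'set fmg "%s"' % fmg_ip,
        "end",
    ]


def register_command(fmg_serial: str, psk: str) -> str:
    """Step 4: link the FortiGate to the pre-shared-key model device."""
    return "execute central-mgmt register-device %s %s" % (fmg_serial, psk)


def parse_kv(output: str) -> Dict[str, str]:
    """Parse 'key : value' lines as printed by FortiOS get/diagnose commands."""
    result: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        result[key.strip().lower()] = value.strip().strip('"')
    return result


def register(run: RunCmd, fmg_ip: str, fmg_serial: str, psk: str,
             attempts: int = 12, delay: float = 5.0) -> Dict[str, str]:
    """Run steps 2 to 5; returns the parsed central-management status."""
    validate_inputs(fmg_ip, fmg_serial, psk)
    for cmd in central_management_commands(fmg_ip):
        run(cmd)
    # Step 3: registration can only succeed once the FGFM tunnel (TCP 541)
    # to the FortiManager is up, so poll for it instead of sleeping blindly.
    for _ in range(attempts):
        status = parse_kv(run("diagnose fdsm central-mgmt-status"))
        if status.get("connection status", "").lower() == "up":
            break
        time.sleep(delay)
    else:
        raise RuntimeError("FortiGate never reached FortiManager at %s" % fmg_ip)
    run(register_command(fmg_serial, psk))  # PSK goes over the CLI in clear text
    return parse_kv(run("diagnose fdsm central-mgmt-status"))


class FakeFortiGate:
    """Constructed stand-in for the SSH session: records commands, replays output."""

    def __init__(self) -> None:
        self.sent: List[str] = []
        self.polls = 0

    def __call__(self, cmd: str) -> str:
        self.sent.append(cmd)
        if cmd == "diagnose fdsm central-mgmt-status":
            self.polls += 1
            conn = "Up" if self.polls > 1 else "Down"  # tunnel comes up on 2nd poll
            registered = any(c.startswith("execute central-mgmt register-device")
                             for c in self.sent)
            reg = "Registered" if registered else "Unregistered"
            return "Connection status: %s\nRegistration status: %s\n" % (conn, reg)
        return ""


if __name__ == "__main__":
    # Offline run against the fake; swap in a paramiko-backed callable for real use:
    #   import paramiko; ssh = paramiko.SSHClient(); ...; run = lambda c: ssh.exec_command(c)[1].read().decode()
    fg = FakeFortiGate()
    final = register(fg, "192.0.2.10", "FMG-VM0000000001", "s3cret", attempts=3, delay=0)
    print(final)
```

Keep the pre-shared key out of shell history and logs on the jump host (read it from a prompt or a secrets store rather than a command-line argument), since the `register-device` line carries it in clear text.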