Zero(ish) Touch Provisioning – Configuring the FortiManager

In a previous blog article, I provided a high level overview of the “Zero Touch Provisioning” process for configuring the FortiGate from the FortiManager. In this article, I will dive into some of the details around configuring the FortiManager in preparation of automatically configuring a FortiGate upon initial heartbeat from the FortiGate.

Add Model Device

The cornerstone of zero touch provisioning is facilitated via the “add model device” functionality on the FortiManager. Through the creation of this object, the FortiManager can match based on the “serial number” or via a “pre-shared key” if the serial number is unknown at the time. After creating this object, the administrator is able to create a configuration to associate with that model. Once the configuration has been associated with the device, the FortiManager can automatically apply the configuration once the FortiGate connects.

Serial Number

This method is commonly used when the exact FortiGate to deployed at a particular site is known. As part of the definition of the “model device” for the FortiGate, the administrator specifies the serial number of the FortiGate. Follow the procedure below to add a FortiGate via its serial number:

1.Log into the FortiManager WebGUI

2. Click on “Device Manager”

3. Under the “Device Manager” section | Click “Add Device”

4. Click “Add Model Device” | Fill out applicable information | Click “Next”

Please note: The “device model” should populate based on the serial number you specify.

5. Once the “Add Device” dialog has completed | Click “Finish”

6. Confirm that the model device is displayed

Pre-shared Key

This method is commonly used when the exact FortiGate being used for deployment is unknown. A common use case is for deployment of virtualized FortiGates which may have a serial number generated at random. As part of the definition for this model device, the administrator must specify the name, pre-shared key and device model of the FortiGate. Follow the procedure below to add this type of model FortiGate:

1.Follow steps 1 – 3 as referenced above

2.Click “Add Model Device” | Select “Pre-shared Key” | Complete “Name”, “Pre-shared Key”, “Device Model” | Click “Next”

3. Once the “Add Device” dialog has completed | Click “Finish”

Configure FortiGate Configuration

Once the model device has been added to the FortiManager, the administrator can configure the device so that once the FortiGate registers to the FortiManager, it is automatically applied. This configuration can be configured via the following methods:

  1. Configuration via FortiManager GUI
  2. Configuration via FortiManager Scripting
  3. Configuration via import revision

In the following examples, I will use a common configuration task of changing the IP address and DHCP information associated with the “internal” interface.

Configuration via FortiManager GUI

Once the model device has been created, it can be configured via the FortiManager GUI. This method is easiest to implement but slowest when provisioning multiple FortiGates. Follow the procedure below to change the interface configuration via the FortiManager GUI:

1.Under “Device Manager” | Double-click the FortiGate Model device (i.e. My60E-PSK)

2. Under the “My60E-PSK” device | Click “System:Interface”

3. Double-click “internal”

4. Modify the “IP/Netmask” | Update the “DHCP Server” settings | Click “OK”

At the conclusion of this step, you are now ready to add a FortiGate and have the FortiManager automatically assign the configuration.

Configuration via FortiManager Scripting

The FortiManager supports applying scripts to the model device so that the administrator can create re-usable configurations to apply against multiple model devices at the same time. This is useful when you have a common template to apply to multiple FortiGates but may have slight differences. Follow the procedure below to create a script and assign it to a model device:

1.Under the “Device Manager” | Click “Scripts” | Click “Create New”

2. Click “Create New” | Populate the “Script Name”, “Script details” | Click “OK” as shown below:

config system interface
    edit "internal"
        set vdom "root"
        set ip
        set allowaccess ping https ssh http fgfm capwap
        set type hard-switch
        set stp enable
        set role lan
config system dhcp server
    edit 1
        set dns-service default
        set default-gateway
        set netmask
        set interface "internal"
        config ip-range
            edit 1
                set start-ip
                set end-ip

3. Right-Click “change_internal” script | Select “Run Script”

4. Select the model device (i.e. “My60E-PSK”) | Click “Run Now”

5.Confirm that the script ran successfully

At this point, the FortiManager will push the configuration to the FortiGate upon registration.

Configuration via import revision

This final method is useful for if you have taken a backup of the FortiGate or use a third party program to generate the configuration to import in its entirety. Follow the procedure below to apply a configuration to the model device via the “import revision” procedure:

1.Double-click the “model device” (i.e. “My60E-PSK”)

2.Click “System: Dashboard” | Click the “revision history” button

3. Right-click the row with “No entry found” | Click “Import Revision”

4.Click “Browse” | Select the file | Click “Open” | Click “OK”

5.Confirm successful importing of the revision | Click “Close”

At this point, the FortiManager is ready to automatically push the configuration out to the FortiGate upon registration.


No way to automatically update FortiOS firmware as part of the zero-touch process. Policy package has to be manually installed from the FortiManager to bring the device in sync.

In the next article, I will walk through configuring the FortiGate to automatically download the configuration from the FortiManager as part of the zero touch provisioning process.

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments