In a previous blog article, I provided a high level overview of the “Zero Touch Provisioning” process for configuring the FortiGate from the FortiManager. In this article, I will dive into some of the details around configuring the FortiManager in preparation of automatically configuring a FortiGate upon initial heartbeat from the FortiGate.
Add Model Device
The cornerstone of zero touch provisioning is facilitated via the “add model device” functionality on the FortiManager. Through the creation of this object, the FortiManager can match based on the “serial number” or via a “pre-shared key” if the serial number is unknown at the time. After creating this object, the administrator is able to create a configuration to associate with that model. Once the configuration has been associated with the device, the FortiManager can automatically apply the configuration once the FortiGate connects.
This method is commonly used when the exact FortiGate to deployed at a particular site is known. As part of the definition of the “model device” for the FortiGate, the administrator specifies the serial number of the FortiGate. Follow the procedure below to add a FortiGate via its serial number:
1.Log into the FortiManager WebGUI
2. Click on “Device Manager”
3. Under the “Device Manager” section | Click “Add Device”
4. Click “Add Model Device” | Fill out applicable information | Click “Next”
Please note: The “device model” should populate based on the serial number you specify.
5. Once the “Add Device” dialog has completed | Click “Finish”
6. Confirm that the model device is displayed
This method is commonly used when the exact FortiGate being used for deployment is unknown. A common use case is for deployment of virtualized FortiGates which may have a serial number generated at random. As part of the definition for this model device, the administrator must specify the name, pre-shared key and device model of the FortiGate. Follow the procedure below to add this type of model FortiGate:
1.Follow steps 1 – 3 as referenced above
2.Click “Add Model Device” | Select “Pre-shared Key” | Complete “Name”, “Pre-shared Key”, “Device Model” | Click “Next”
3. Once the “Add Device” dialog has completed | Click “Finish”
Configure FortiGate Configuration
Once the model device has been added to the FortiManager, the administrator can configure the device so that once the FortiGate registers to the FortiManager, it is automatically applied. This configuration can be configured via the following methods:
- Configuration via FortiManager GUI
- Configuration via FortiManager Scripting
- Configuration via import revision
In the following examples, I will use a common configuration task of changing the IP address and DHCP information associated with the “internal” interface.
Configuration via FortiManager GUI
Once the model device has been created, it can be configured via the FortiManager GUI. This method is easiest to implement but slowest when provisioning multiple FortiGates. Follow the procedure below to change the interface configuration via the FortiManager GUI:
1.Under “Device Manager” | Double-click the FortiGate Model device (i.e. My60E-PSK)
2. Under the “My60E-PSK” device | Click “System:Interface”
3. Double-click “internal”
4. Modify the “IP/Netmask” | Update the “DHCP Server” settings | Click “OK”
At the conclusion of this step, you are now ready to add a FortiGate and have the FortiManager automatically assign the configuration.
Configuration via FortiManager Scripting
The FortiManager supports applying scripts to the model device so that the administrator can create re-usable configurations to apply against multiple model devices at the same time. This is useful when you have a common template to apply to multiple FortiGates but may have slight differences. Follow the procedure below to create a script and assign it to a model device:
1.Under the “Device Manager” | Click “Scripts” | Click “Create New”
2. Click “Create New” | Populate the “Script Name”, “Script details” | Click “OK” as shown below:
config system interface edit "internal" set vdom "root" set ip 10.168.1.1 255.255.255.0 set allowaccess ping https ssh http fgfm capwap set type hard-switch set stp enable set role lan next end config system dhcp server edit 1 set dns-service default set default-gateway 10.168.1.1 set netmask 255.255.255.0 set interface "internal" config ip-range edit 1 set start-ip 10.168.1.200 set end-ip 10.168.1.210 next end next end
3. Right-Click “change_internal” script | Select “Run Script”
4. Select the model device (i.e. “My60E-PSK”) | Click “Run Now”
5.Confirm that the script ran successfully
At this point, the FortiManager will push the configuration to the FortiGate upon registration.
Configuration via import revision
This final method is useful for if you have taken a backup of the FortiGate or use a third party program to generate the configuration to import in its entirety. Follow the procedure below to apply a configuration to the model device via the “import revision” procedure:
1.Double-click the “model device” (i.e. “My60E-PSK”)
2.Click “System: Dashboard” | Click the “revision history” button
3. Right-click the row with “No entry found” | Click “Import Revision”
4.Click “Browse” | Select the file | Click “Open” | Click “OK”
5.Confirm successful importing of the revision | Click “Close”
At this point, the FortiManager is ready to automatically push the configuration out to the FortiGate upon registration.
No way to automatically update FortiOS firmware as part of the zero-touch process. Policy package has to be manually installed from the FortiManager to bring the device in sync.
In the next article, I will walk through configuring the FortiGate to automatically download the configuration from the FortiManager as part of the zero touch provisioning process.