Zero(ish) Touch Provisioning with FortiManager – Explained
Zero touch provisioning is one of those marketing terms that means different things to different vendors. When you boil it down past the marketing fluff, it means assigning a configuration to a device without user intervention, preferably before you have access to the physical hardware. There are a few methods to achieve this type of functionality with the FortiGate. This blog post will focus on the solution with FortiManager.
Why is this important?
This particular functionality aims to solve an interesting problem. It tries to reduce the “human error” element when configuring a device for deployment. Whether it is caused by the stress of a short window, unfamiliarity with the platform or just having (not so) “smart” hands that are being supported remotely, there is always a chance for the person installing the configuration to make a slight error that turns a 2 minute outage into a 2 hour outage.
Having a non-stressful, low-pressure environment to properly plan and apply a configuration beforehand tremendously increases the chances of a successful deployment. In a sense, this feature lets you have a short moment during deployment where the engineer can take their “hands off the wheel” while the configuration is pushed to the device.
In addition to that, this functionality is important because it allows the administrator to set up a configuration for a device prior to having access to the physical (or virtual) device. This can allow the administrator to use offline tools to bulk configure devices and deploy them quickly. Fortinet provides a few tools to accomplish this when deploying the FortiGate firewall.
The FortiManager is the centralized management solution for FortiGate devices. It indirectly manages the FortiAP, FortiSwitches and other Secure Access products via the FortiGate. To support the zero(ish) touch configuration, the FortiManager leverages the “Add Model Device” feature that allows a user to provision a model device and automatically apply the configuration associated with that model device once a FortiGate with a matching identifier is registered to the FortiManager.
The reason I refer to this method as “Zero(ish)” is because this method does require the administrator to interact with the provisioned device to kick-off the provisioning process from the FortiManager.
Add Model Device
The FortiManager can match a registering FortiGate to a model device based on one of the following two characteristics:
- FortiGate Serial Number
- Pre-shared key
FortiGate Serial Number
Matching on the FortiGate serial number configures the FortiManager to automatically push a configuration down to a FortiGate when the device presents that serial number as part of its registration with the FortiManager.
Pre-shared Key
The pre-shared key allows the FortiGate to register, after which the FortiManager pushes down the configuration once a command containing the pre-shared key has been executed from the FortiGate and the key matches the one configured on the model FortiGate. This is most useful when you do not know the FortiGate’s serial number ahead of time but want to configure a template firewall in FortiManager.
Caveats with FortiManager
An important caveat to understand is that this method only supports pushing a configuration from the FortiManager to the FortiGate without much interaction. The administrator must make sure the FortiGate is running the proper firmware before it connects to the FortiManager, so that the pushed configuration is compatible with the FortiGate it is being deployed to.
The FortiGate has many zero-touch (low-touch) methods to provision its connectivity to an assigned FortiManager. Those methods are the following:
- Connect to FortiManager via the WebGUI (low-touch)
- Connect to FortiManager via the CLI (low-touch)
- Connect to FortiManager via DHCP option (low-touch)
- Connect to FortiManager via auto-install script via USB (low-touch)
- Connect to FortiManager with FortiDeploy via FortiCloud (zero-touch)
Connect via WebGUI
The administrator can initiate a connection to the FortiManager via the FortiOS WebGUI. Once the connection has been established between the FortiManager and the FortiGate, the FortiManager will automatically provision the configuration down to the FortiGate. This method supports defining the FortiGate “serial number” under the “Add model device” section of the FortiManager.
Connect via the CLI
The administrator can initiate a connection to the FortiManager via the FortiOS CLI. This method only supports the “pre-shared key” definition under the “Add Model Device” section of the FortiManager. The registration can be done either through local console connection or via SSH (if configured).
Once a connection has been established between the FortiManager and the FortiGate, the FortiGate administrator will need to kick off device registration with the following command:
exec central-mgmt register-device <FMG serial> <pre-shared key>
Connect via the DHCP Option
The administrator can define a DHCP option to instruct the FortiGate to initiate a connection to the FortiManager based on the value of those options. The option number and value correspond to the following:
Option | Value
240    | FortiManager IP Address
Upon receiving this option as part of the DHCP offer from the DHCP server, the FortiGate will populate the IP or FQDN of the FortiManager similar to what is shown above in the CLI section.
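As an added example (not code from the original post or from Fortinet), the following parser walks the options field of a DHCP offer, extracts option 240 and checks the advertised FortiManager against the addresses the administrator expects. It assumes the option value is an ASCII string holding the IP or FQDN; the offer bytes are constructed, not captured from a real server.

```python
# Added example (not from the original post or Fortinet): parse the options
# field of a DHCP offer and pull out option 240, which the post describes as
# carrying the FortiManager address. Assumes the value is an ASCII string (IP or
# FQDN); the offer bytes below are constructed, not captured from a real server.
DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 options-field magic cookie
OPT_PAD, OPT_END, OPT_FORTIMANAGER = 0, 255, 240

def parse_dhcp_options(options: bytes) -> dict:
    """Walk the TLV option list after the magic cookie; stop at OPT_END."""
    if not options.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    parsed, i = {}, len(DHCP_MAGIC)
    while i < len(options) and options[i] != OPT_END:
        code = options[i]
        if code == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        parsed[code] = value
        i += 2 + length
    return parsed

def fortimanager_target(options: bytes):
    """Return the FortiManager IP/FQDN advertised in option 240, or None."""
    raw = parse_dhcp_options(options).get(OPT_FORTIMANAGER)
    return None if raw is None else raw.decode("ascii").rstrip("\x00")

def is_expected_fortimanager(options: bytes, allowed: set) -> bool:
    """Confirm the advertised target is one the administrator configured."""
    target = fortimanager_target(options)
    return target is not None and target in allowed

def build_option(code: int, value: bytes) -> bytes:
    """Encode one TLV option (used only to build the constructed sample)."""
    return bytes([code, len(value)]) + value

# Constructed sample offer options: message type, router and option 240.
SAMPLE_OFFER_OPTIONS = (DHCP_MAGIC
    + build_option(53, b"\x02")                      # DHCPOFFER
    + build_option(3, bytes([192, 0, 2, 1]))         # router
    + build_option(OPT_FORTIMANAGER, b"192.0.2.10")  # FortiManager IP
    + bytes([OPT_END]))
```

Running the check against a capture of what the production DHCP server actually hands out is a quick way to confirm the provisioning path before the first FortiGate boots on that segment.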
Connect via Auto-Install Script
The administrator can provision a configuration that the FortiGate will automatically load during its boot process. The added benefit of this method is that the administrator can also specify a FortiGate firmware that will be loaded prior to the application of the configuration.
Please Note: There is an option to load the full configuration using this method, but this is out of scope for the purpose of this article. I will write an article at a later date to provide a full overview of this feature.
Connect via FortiCloud FortiDeploy
The administrator can register the FortiGate into the FortiCloud via a cloud key. Registering a specific cloud key for a FortiGate ties its serial number to an account within FortiCloud. Once the FortiGate serial number has been tied to the FortiCloud account, the user can configure the FortiGate to automatically register to a specific FortiManager upon connecting to the Internet and receiving this information from the FortiCloud. At the time of writing this article, this is the only true zero touch deployment option I am aware of.
I will be creating some follow-up articles to explain how to use each of these methods to provision a FortiGate; however, I wanted to set a foundation to explain the concept of how this works prior to doing so.