Skip to main content
hgarara
Staff
hgarara
Staff
March 19, 2026

Technical Tip: Provisioning central management on FortiGate using FortiZTP Pre-run CLI scripts with variables

  • March 19, 2026
  • 0 replies
  • 270 views

Description

This article describes how to provision a FortiGate device with central-management settings using the FortiZTP portal with pre-run CLI templates, specifically using built-in variables.

Scope

FortiGate, FortiZTP, FortiManager

Solution

Before starting, ensure the FortiGate is powered on, has internet access, and is registered on FortiCloud.

Initially, the FortiGate status on the FortiZTP portal will appear as 'Unprovisioned'.

image (11).png

 

Step 1: Configure Provision Target

  1. Log in to the FortiZTP portal.

  2. Navigate to: Settings -> FortiGate-> Provision Target

  3. Enable FortiManager as the provisioning target.

  4. Add the FortiManager details (serial number and IP address).

 
image (9).png
Step 2: Create a Pre-run CLI Template
Pre-run CLI scripts are executed before the FortiGate connects to FortiManager. These scripts should remain minimal and only include essential configuration required for onboarding.

  1. Go to the Pre-run CLI Scripts tab.

  2. Select Add to create a new script.

  3. Provide a name (e.g test-fortigate).

  4. Enter the CLI configuration , the three variables values are resolved using:

    • FortiGate information already registered in FortiCloud.
    • FortiManager details configured in Step 1.

image (10).png


Step 3: Provision the FortiGate

  1. Navigate to Assets in the FortiZTP portal.

  2. Select the checkbox for the desired FortiGate device(s).

  3. Select Provision.

  4. Under Target Location:

    • Select the configured FortiManager (e.g. FortiManager (FMGXYZOMXXXXXXXX/192.168.55.5))

    • Enable Pre-Run CLI

    • Choose Specify, then select the script created earlier "test-fortigate".

     

  5. Select Provision to begin the process.


image (12).png     

Step 4: Monitor Provisioning Status

 

The device status will change to Incomplete - Waiting during provisioning.

 

image (13).png     

This process may take a few minutes.

  • Ensure that the FortiGate is powered on and has internet connectivity

If provisioning does not complete:

  • Reboot the FortiGate and allow it to reconnect

Results:
Once provisioning is successful, the device status will change to 'Provisioned' in the FortiZTP portal.

image (14).png
image (15).png
image (16).png
Note: 

FortiZTP provisioning is minimalist by design. It is not intended for pushing full configurations like the FortiManager can. FortiZTP is only intended to include essential bootstrap configuration in pre-run scripts.

 

If the FortiGate fails to connect to the provisioning target after provisioning:

  • Perform a factory reset
  • De-provision the device from the portal
  • Restart the provisioning process

Related document:

Provisioning a FortiGate | FortiZTP Administration Guide
Terms & ConditionsAccessibility statement