Skip to main content
monro
monro
New Member
January 25, 2024
Question

FortiManager - Deployment of 36 Firewalls

  • January 25, 2024
  • 2 replies
  • 1265 views

Hi!

I'm setting up a replacement for a Hub and Spoke with a Fortigate ranging from 40F-100F

I thought about using Provisioning Templates to basically use ZTP and Authorize those devices and then aplplying IPSEC Templates (Hub and Spoke) to setup a tunnel from the get go.

I see quite a few people with that kind of Setup, but they are all talking about per device mappings to normalized Interfaces and then using Meta Field Variables for the local subnets. This is fine, but then first need to add the Fortigate and then add it to the 'per device mapping' I haven't tried that yet, but that seems like a more non-ztp'ish way of doing stuff.

We'll deploy mainly 2 Types of Policy-Packages to those Devices (Spoke-A and Spoke-b) Basically due to complexity for some of the branches..

How would you aprouch that kind of a Setup?

2 replies

sw2090
SuperUser
sw2090
SuperUser
January 26, 2024

At least as far as normalized interfaces are concerned you could also use per plattform mappings. So you set one mapping for each FGT model you have and when ever you add a FGT of that model to the ADOM it will get that mapping upon deployment.

Addressobjects only need to have a per device mapping if they are device specific. Objects that are the same for all your FGT don't need a mapping at all.

If you have more than one adom you can create addressobjects in global adom and assign them.

Terms & ConditionsAccessibility statement