Fullmoon
New Member
November 28, 2019
Question

Zero Touch Deployment

  • November 28, 2019
  • 1 reply
  • 3507 views

Is anyone here able to achieve Zero Touch Deployment? I have 1 DC and more than 1K branches, with a FortiCloud key on the remote FGs and FortiManager residing in the DC.

All 1K branches, having 2 WAN links (MPLS and DSL), will eventually connect to my FG residing in the DC via IPsec tunnel.

What would be the possible/magical setup :) so that once I bring my FG to one of my branches, the IPsec tunnel comes up automatically? Are scripts and FMGR templates good enough to say Zero Touch Deployment is feasible?

Any thoughts are much appreciated.

All devices are running on FOS 6.0.7

Regards

Fullmoon

    emnoc
    New Member
    November 28, 2019

    You want to look at auto-install. It requires a USB drive: you populate the cfg on the drive and ship the FGT with the drive. If you are doing the same model type over and over, then a simple boring config could be used to pre-populate the unit at the new site.

    If the remote sites are DHCP/PPPoE for the WAN, it gets even simpler by re-using the configuration file. Just make sure to use a phase1 ID type for the IPsec tunnel that uniquely defines that peer-id,

    i.e. FQDN | User-Email

    Once you have the new site up, you can load the final cfg or make adjustments for that site.

    https://help.fortinet.com/cli/fos60hlp/60/Content/FortiOS/fortiOS-cli-ref/config/system/auto-install.htm

    I publish probably 100s if not thousands of sites this way, and it works well if your information is vetted and correct. So since we had dynamic assignment, our config file only required the correct internal LAN subnet, and almost everything else was global across the MSSP domain (user accounts, admin account, RADIUS, logging, etc.).

    It would also help to test the config on a test ISP link and tweak what you need as you develop your auto-install process.

    YMMV, but auto-install is a 5-star "+".

    Ken Felix
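
    The reply above describes a rollout where one vetted config file is re-used for every branch and only the site-specific values differ. Below is an added example, not code from the thread or from Fortinet, of how that per-site file can be generated and checked before it goes onto a USB stick. It assumes a DHCP-assigned wan1, a LAN port named "internal", a DC FortiGate at 203.0.113.10, the file name fgt_system.conf as the auto-install default, and constructed site records; the CLI blocks it emits are FortiOS 6.0 syntax as I know it and should be verified against the auto-install and IPsec CLI references for your model.

```python
# Added example, not code from the thread: generate per-site FortiOS 6.0 CLI
# files for a USB auto-install rollout. Everything global (admin accounts,
# RADIUS, logging) is assumed to live in a separately vetted base config; only
# the values that differ per branch are filled in here. Interface names, the
# DC gateway address, the file name and all site records are assumptions.
import ipaddress
import re
from pathlib import Path

# Assumed default name of the config file FortiOS loads from USB at boot when
# "config system auto-install" has auto-install-config enabled.
CONFIG_FILE_NAME = "fgt_system.conf"
DC_GATEWAY = "203.0.113.10"  # assumed public address of the DC FortiGate
FQDN_RE = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$")

# Assumed branch layout: wan1 is DHCP-assigned, the LAN port is "internal".
# The tunnel local ID is an FQDN so the DC can tell every peer apart even
# though all branches share the same dynamic-address phase1 settings.
SITE_TEMPLATE = """\
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess ping https
    next
    edit "internal"
        set ip {lan_ip} {lan_mask}
        set allowaccess ping https ssh
    next
end
config vpn ipsec phase1-interface
    edit "to-dc"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set localid-type fqdn
        set localid "{local_id}"
        set remote-gw {dc_gateway}
        set proposal aes256-sha256
        set psksecret {psk}
    next
end
config vpn ipsec phase2-interface
    edit "to-dc"
        set phase1name "to-dc"
        set proposal aes256-sha256
        set auto-negotiate enable
    next
end
"""


def validate_site(site: dict) -> list:
    """Return the problems in one site record (empty list = usable). This is
    the 'vetted and correct' step: a run-together address like
    10.10.10.255.255.255.0, a network/broadcast address used as the LAN
    gateway, a non-FQDN local ID or a short PSK would otherwise only fail
    once the unit boots at the branch."""
    problems = []
    try:
        lan = ipaddress.ip_interface(site["lan"])  # e.g. "192.168.10.1/24"
        if lan.ip in (lan.network.network_address, lan.network.broadcast_address):
            problems.append("lan gateway must be a host address, not network/broadcast")
    except (KeyError, ValueError) as exc:
        problems.append(f"invalid lan address: {exc}")
    if not FQDN_RE.match(site.get("local_id", "")):
        problems.append("local_id must be a lowercase FQDN")
    if len(site.get("psk", "")) < 32:
        problems.append("psk must be at least 32 characters")
    return problems


def check_unique(sites: list) -> list:
    """Values that must differ between branches: a reused local ID makes peers
    indistinguishable at the DC, a reused LAN subnet breaks routing over the
    hub, and a reused PSK means one lost USB stick exposes every tunnel."""
    problems = []
    for key in ("local_id", "lan", "psk"):
        values = [s.get(key) for s in sites]
        dupes = sorted({v for v in values if v and values.count(v) > 1})
        if dupes:
            problems.append(f"duplicate {key}: {dupes}")
    return problems


def render_site_config(site: dict, dc_gateway: str = DC_GATEWAY) -> str:
    """Fill the template for one site; raises ValueError on a bad record."""
    problems = validate_site(site)
    if problems:
        raise ValueError(f"{site.get('name', '?')}: " + "; ".join(problems))
    lan = ipaddress.ip_interface(site["lan"])
    return SITE_TEMPLATE.format(lan_ip=lan.ip, lan_mask=lan.network.netmask,
                                local_id=site["local_id"],
                                dc_gateway=dc_gateway, psk=site["psk"])


def build_usb_tree(sites: list, out_dir) -> dict:
    """Write <out_dir>/<site name>/fgt_system.conf per site (one folder per USB
    stick). Nothing is written unless every record passes, so a half-built
    batch cannot be shipped. Returns {site name: path}."""
    problems = check_unique(sites)
    rendered = {}
    for site in sites:
        try:
            rendered[site["name"]] = render_site_config(site)
        except ValueError as exc:
            problems.append(str(exc))
    if problems:
        raise ValueError("; ".join(problems))
    paths = {}
    for name, text in rendered.items():
        target = Path(out_dir) / name / CONFIG_FILE_NAME
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
        paths[name] = str(target)
    return paths
```

    Usage: build a list of site dicts with "name", "lan" (gateway in CIDR form), "local_id" and "psk", then call `build_usb_tree(sites, "usb-out")`; the DC-side phase1 needs a matching peer ID per branch, which the unique FQDN local ID provides. The per-site PSK is deliberate: a stick in transit is outside your control, and a single shared secret across a thousand branches turns one lost stick into a fleet-wide credential.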


    Fullmoon (Author)
    New Member
    November 28, 2019

    Dear @emnoc,

    Thank you for taking my post and sharing your experience.

    Please correct me if I'm wrong with my syntax.

    Assuming I followed all the guidelines stated in the link you provided, would this be the content of my USB script?

    config system auto-install
        set auto-install-config enable
    end

    # setting the WAN1 interface mode to manual (static)
    config system interface
        edit wan1
            set mode static
            # address and mask are two separate values; the .1 host address is assumed,
            # the posted line had them run together as 10.10.10.255.255.255.0
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping https
        next
    end

    If this is not the right one, apologies for my ignorance. :)