FortiCloud Products
fgallardo1
Staff
Article Id 337987
Description

This article describes how FortiZTP (zero touch provisioning) enables automatic device configuration and management. It reduces management effort by making remote deployment of Fortinet devices easier, including:

  • FortiGate.
  • FortiGate-VM.
  • FortiWiFi.
  • FortiAP.
  • FortiSwitch.
  • FortiExtender.

FortiZTP integrates with other FortiCloud services, called provisioning targets, for centralized management, including:

  • FortiGate Cloud.
  • FortiManager.
  • FortiManager Cloud.
  • FortiLAN Cloud.
  • FortiExtender Cloud.
  • FortiSASE.

For testing purposes, a FortiGate-VM and FortiManager Cloud will be used to demonstrate the configuration process.

Scope

FortiZTP 7.2.3.

Solution

The following steps describe how to provision a FortiGate device from FortiZTP and centrally manage it using FortiManager Cloud.

 

  1. Register the FortiGate device on the Asset Management Portal in the same FortiCloud account. This makes the device available to FortiZTP.

  2. Access FortiZTP at https://fortiztp.forticloud.com/. The summary view is displayed.

 

FortiGate Configuration.

 

  1. The FortiGate device must be factory reset and licensed before it is provisioned.

     The FortiGate model in this example has DHCP enabled on port1 by default. To find the management IP address on that port, run the following command:

     diagnose ip address list

     Using that address, access the web interface via HTTP (port 80) and install the license file. The system then reboots.

  2. Refer to this document for the requirements and for configuring DHCP:
     FortiGate-VM licensing

  3. Back on FortiZTP, provision the FortiGate-VM to FortiManager Cloud: select the device to be provisioned, select the Provision button, and select FortiManager Cloud as the Target Location.

  4. Select the 'Provision Now' button.

  5. On the FortiZTP summary, confirm that the FortiGate is provisioned.

  6. Go to FortiManager Cloud (https://fortimanager.forticloud.com/) and open Device Manager. Right-click the FortiGate device and select Edit, or select the device and select the Edit button.

  7. Enable Automatically Link to Real Device, then select OK.

  8. In the admin user/password section, fill in the FortiGate's admin user and password.

  9. Select the OK button.

  10. If needed, change the Name field to a custom name.

  11. Create a new Policy Package from Policy & Objects -> Policy Packages -> select the Default Policy Package -> right-click on New -> Create New Policy Package.

      Name: Branch1

      Leave the rest of the fields as default and select OK.

  12. Go to Policy & Objects -> Policy Packages -> Branch1 -> Firewall Policy -> + Create new, fill in the fields as follows, and select OK:

      Name: Internet_Access_from_DMZ
      Incoming Interface: Port2
      Outgoing interface: Port1
      Source: All
      Destination: All
      Service: All
      Action: Accept
      Inspection Mode: Flow-based
      NAT: enable
      Change note: Firewall policy to enable DMZ network access to the internet.

  13. Go to Policy & Objects -> Policy Packages -> Branch1 -> Installation Targets -> Edit -> Edit Installation Targets.

      Select the Branch1 device and select OK.

  14. Select Install Wizard -> Install Policy Package & Device Settings.

      Confirm the installation of the policy package and proceed.

  15. Confirm that the installation was applied on the FortiGate: from Device Manager, select Branch1 -> Dashboard -> Summary -> System Information -> Operation -> select Connect to CLI via SSH.

  16. Log in with the admin user and password.
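
As a check for the final confirmation step, the following added example (not part of the original article and not Fortinet code) parses `show firewall policy` output copied from the SSH session and compares it with the values entered in the Branch1 policy package. The sample output is constructed; policy ID 1, the "always" schedule, lowercase interface names, and the function names are assumptions.

```python
import shlex

# Constructed sample of `show firewall policy` output, not captured from a device.
# Assumptions: policy ID 1, schedule "always", lowercase interface names.
SAMPLE_SHOW_OUTPUT = """\
config firewall policy
    edit 1
        set name "Internet_Access_from_DMZ"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
"""

# Values entered for the firewall policy in the Branch1 policy package.
EXPECTED = {
    "name": "Internet_Access_from_DMZ", "srcintf": "port2", "dstintf": "port1",
    "srcaddr": "all", "dstaddr": "all", "service": "ALL",
    "action": "accept", "nat": "enable",
}

def parse_policies(text):
    """Return {policy_id: {option: value}} parsed from FortiOS 'show' output."""
    policies, current = {}, None
    for raw in text.splitlines():
        words = shlex.split(raw)  # drops indentation and the quotes around values
        if len(words) == 2 and words[0] == "edit" and words[1].isdigit():
            current = policies.setdefault(int(words[1]), {})
        elif words == ["next"]:
            current = None
        elif current is not None and len(words) >= 3 and words[0] == "set":
            current[words[1]] = " ".join(words[2:])  # multi-value options are joined
    return policies

def find_drift(text, expected=EXPECTED):
    """Return {option: (expected, actual)} for mismatches, or None if the policy is absent."""
    for fields in parse_policies(text).values():
        if fields.get("name") == expected["name"]:
            return {k: (v, fields.get(k)) for k, v in expected.items()
                    if (fields.get(k) or "").lower() != v.lower()}
    return None

if __name__ == "__main__":
    drift = find_drift(SAMPLE_SHOW_OUTPUT)
    print("policy not found" if drift is None else drift or "policy matches the Branch1 package")
```

An empty result means every checked option on the device matches the package; a missing policy usually means the install did not reach the device.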