FortiCloud Products
fgallardo1
Staff
Article Id 337987
Description

This article describes how FortiZTP (Zero Touch Provisioning) allows automatic device configuration and management. It reduces management effort by enabling easier remote deployment of different Fortinet devices, including:

  • FortiGate.
  • FortiGate-VM.
  • FortiWiFi.
  • FortiAP.
  • FortiSwitch.
  • FortiExtender.

FortiZTP integrates with other FortiCloud services called provisioning targets for centralized management, including:

  • FortiGate Cloud.
  • FortiManager.
  • FortiManager Cloud.
  • FortiLAN Cloud.
  • FortiExtender Cloud.
  • FortiSASE.

For testing purposes, a FortiGate-VM and FortiManager Cloud will be used to demonstrate the configuration process.


Note:
 Appropriate licenses for the services used as provisioning targets should be acquired. For more details, refer to this document, FortiZTP Requirements.

Scope

FortiZTP v7.2.3.

Solution

The following steps describe how to provision a FortiGate device from FortiZTP and centrally manage it using FortiManager Cloud.

 

  1. Register the FortiGate device on the Asset Management Portal in the same FortiCloud account. This will allow the device to be available for FortiZTP.

  2. Access FortiZTP at https://fortiztp.forticloud.com/. The summary view is displayed.

FortiGate Configuration.

 

  1. The FortiGate device must be factory reset and licensed before it is provisioned.

    The FortiGate model in this example has DHCP enabled on port1 by default. To find the management IP address on that port, run the following command:

diagnose ip address list

 

Using the IP address obtained above, access the web interface via HTTP (port 80) and install the license file. The system reboots after the license is installed.

 

  1. Refer to this document for the requirements and configuring DHCP:
    FortiGate-VM licensing 

 

  1. Back on FortiZTP, provision the FortiGate-VM to FortiManager Cloud: select the device to be provisioned, select the Provision button, and select FortiManager Cloud as the Target Location.

  1. Select the 'Provision Now' button.

 


 

  1. On the FortiZTP summary, confirm that the FortiGate is provisioned.

 

  1. Go to FortiManager Cloud and open the Device Manager. Right-click the FortiGate device and select Edit, or select the device and select the Edit button.

 

  1. Enable Automatically Link to Real Device, then select OK.
                                               


 

  1. In the admin user/password section, fill in FortiGate’s admin user and password.

 


 

  1. Select the OK button.

 

  1. If needed, change the Name field to a custom name.

 

  1. Create a new Policy Package, from Policy & Objects -> Policy Packages -> Select the Default Policy Package -> 'Right Click' on New -> Create New Policy Package.

Name: Branch1.

Leave the rest of the fields as the default and select OK.
                                      


 

  1. Go to Policy & Objects -> Policy Packages -> Branch1 -> Firewall Policy -> + Create new, fill in the fields as follows, and select OK:

    • Name: Internet_Access_from_DMZ.
    • Incoming Interface: Port2.
    • Outgoing interface: Port1.
    • Source: All.
    • Destination: All.
    • Service: All.
    • Action: Accept.
    • Inspection Mode: Flow-based.
    • NAT: enable.
    • Change note: Firewall policy to enable DMZ network access to the internet.

 

  1. Go to Policy & Objects -> Policy Packages -> Branch1 -> Installation Targets -> Edit -> Edit Installation Targets.

 

Select the Branch1 device and select OK. 

 


 

  1. Select the Install Wizard -> Install Policy Package & Device Settings.

Confirm the installation of the policy package and proceed. 


 

  1. Confirm that the installation was applied on the FortiGate: from Device Manager, select Branch1 -> Dashboard -> Summary -> System Information -> Operation, then select connect to CLI via SSH.

 

  1. Log in with the admin user and password.
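
Once logged in over SSH, the installed policy can be compared against the values entered in FortiManager Cloud. The script below is an added example, not part of the original article: it parses `show firewall policy` output and reports any field that differs from the Branch1 policy defined above. The sample output is constructed; policy ID 1, the "always" schedule and the lowercase interface names `port1`/`port2` are assumptions, and inspection mode is not checked on the assumption that flow is the default and `show` omits default values.

```python
import re

# Constructed sample of `show firewall policy` output after the Branch1 package
# is installed. Policy ID 1 and the "always" schedule are assumptions.
SAMPLE_OUTPUT = '''
config firewall policy
    edit 1
        set name "Internet_Access_from_DMZ"
        set srcintf "port2"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
'''

# Values entered in the FortiManager Cloud policy form in the steps above.
EXPECTED = {
    "name": "Internet_Access_from_DMZ",
    "srcintf": "port2", "dstintf": "port1",
    "srcaddr": "all", "dstaddr": "all", "service": "ALL",
    "action": "accept", "nat": "enable",
}

def parse_policies(text):
    """Return {policy_id: {option: value}} from a 'config firewall policy' block."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"edit (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == "next":
            current = None
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).replace('"', "")
    return policies

def check_policy(text, expected=EXPECTED):
    """Return a list of mismatches; an empty list means the policy matches."""
    for pid, opts in parse_policies(text).items():
        if opts.get("name") == expected["name"]:
            return [f"policy {pid}: {k} is {opts.get(k)!r}, expected {v!r}"
                    for k, v in expected.items() if opts.get(k) != v]
    return [f"policy {expected['name']!r} not found"]
```

Paste the captured CLI output in place of `SAMPLE_OUTPUT` and call `check_policy()`; an empty list means the device holds the policy as defined in FortiManager Cloud.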