Description
This feature applies only when the FortiGate boots from a factory reset.
It is intended for FortiGates that cannot access the Internet.
A DHCP server includes options 240 and 241, which carry the FortiManager IP address and domain name.
The FortiGate has an interface in the default DHCP client mode that is connected to the DHCP server on the intranet.
The FortiManager administrator can then authorize the FortiGate into specific ADOMs and install specific configurations on it.
No manual configuration is required on the FortiGate during the whole operation, other than connecting it to the DHCP server.
This is called zero touch deployment.
To prevent spoofing, if a different FortiManager IP is later offered by the DHCP server, the FortiGate does not change its central management configuration.
This article describes how to perform zero touch provisioning with FortiManager.
Solution
Example of configuring a DHCP server with option 240 (FortiGate CLI syntax):
# config system dhcp server
    edit 2
        set dns-service default
        set default-gateway 172.16.200.254
        set netmask 255.255.255.0
        set interface "wan1"
        config ip-range
            edit 2
                set start-ip 172.16.200.201
                set end-ip 172.16.200.209
            next
        end
        set timezone-option default
        config options
            edit 1
                set code 240
                set type ip
                set ip "172.18.60.115"
            next
        end
    next
end
FortiGate zero touch provisioning workflow:
Boot the FortiGate from a factory reset and check the auto-discovery status.
# diagnose fdsm fmg-auto-discovery-status
dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=0
config-touched=0 means that the configuration has not been changed from the factory default.
When FortiGate boots in factory reset, it gets the DHCP lease including IP, gateway, DNS, and the FortiManager IP/URL.
Central management is configured automatically using the FortiManager IP from option 240.
# show system central-management
config system central-management
    set type fortimanager
    set fmg "172.18.60.115"
end
Once the FortiGate is no longer in the factory-reset state (central management has been configured), the auto-discovery status shows config-touched=1.
# diagnose fdsm fmg-auto-discovery-status
dhcp: fmg-ip=172.18.60.115, fmg-domain-name='', config-touched=1(/bin/dhcpcd)
Example of a spoofing DHCP server offering a fake FortiManager IP:
# config options
    edit 1
        set code 240
        set type ip
        set ip "172.18.60.117"
end
After the FortiGate reboots and renews its DHCP lease, central management does not adopt the fake FortiManager IP, because config-touched=1 shows that the FortiGate is not in the factory-reset state.
# diagnose fdsm fmg-auto-discovery-status
dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=1(/bin/dhcpcd)
# show system central-management
config system central-management
    set type fortimanager
    set fmg "172.18.60.115"
end
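The check and the anti-spoofing rule described above, as an added Python example (not Fortinet code): it parses status lines in the `diagnose fdsm fmg-auto-discovery-status` format shown in this article, models the decision rule in a simplified form, and builds the raw DHCP option 240 bytes a capture would show. The sample lines are constructed from the outputs above; the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample lines in the format of `diagnose fdsm fmg-auto-discovery-status`
# as shown in this article (factory-reset state, and after option 240 was applied).
SAMPLE_FACTORY = "dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=0"
SAMPLE_TOUCHED = "dhcp: fmg-ip=172.18.60.115, fmg-domain-name='', config-touched=1(/bin/dhcpcd)"

STATUS_RE = re.compile(
    r"dhcp: fmg-ip=(?P<ip>[\d.]+), fmg-domain-name='(?P<domain>[^']*)', "
    r"config-touched=(?P<touched>[01])(?:\((?P<by>[^)]*)\))?"
)

@dataclass
class DiscoveryStatus:
    fmg_ip: str                # FortiManager IP learned from option 240 (0.0.0.0 = none)
    fmg_domain: str            # FortiManager domain name learned from option 241
    config_touched: bool       # True once the config differs from factory default
    touched_by: Optional[str]  # text in parentheses after config-touched=1, if present

def parse_discovery_status(line: str) -> DiscoveryStatus:
    """Parse one status line; raises ValueError on an unrecognised format."""
    m = STATUS_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised status line: {line!r}")
    return DiscoveryStatus(m["ip"], m["domain"], m["touched"] == "1", m["by"])

def ztp_decision(status: DiscoveryStatus, current_fmg: str, offered_fmg: str) -> Tuple[str, str]:
    """Simplified model (this example's assumption) of the rule described above:
    option 240 is honoured only on a factory-reset unit (config-touched=0); a
    different IP offered later is ignored, so a rogue DHCP server cannot redirect
    an already provisioned unit. Returns (FortiManager IP to keep, reason)."""
    if offered_fmg in ("", "0.0.0.0"):
        return current_fmg, "no FortiManager IP in lease"
    if not status.config_touched and not current_fmg:
        return offered_fmg, "factory reset: adopted FortiManager IP from option 240"
    if offered_fmg != current_fmg:
        return current_fmg, "ignored: differs from configured FortiManager (possible spoofing)"
    return current_fmg, "unchanged"

def encode_option_240(ip: str) -> bytes:
    """Raw DHCP option TLV for code 240, type ip: code byte, length 4, IPv4 octets."""
    octets = bytes(int(o) for o in ip.split("."))
    if len(octets) != 4:
        raise ValueError("expected an IPv4 address")
    return bytes([240, 4]) + octets
```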
Related document:
Technical Tip: ZTP basic configuration and troubleshooting for a standalone FortiGate
Copyright 2024 Fortinet, Inc. All Rights Reserved.