FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sparta_FTNT
Staff
Staff
Description
This article explains the Zero touch provisioning of FortiGate using  FortiDeploy.

Useful links:
Fortinet Documentation
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiDeploy.pdf

Solution
FortiDeploy is a feature, built into FortiCloud that allows for simplified import and provisioning of any quantity of devices.
It allows the user to deploy local or remote installed FortiGates and FortiAPs to their preferred management interface with a few clicks.

This feature is supported only when the FortiGate boots up from factory reset

Topology


Configuration steps:

1) Add the FortiGate Cloud product key to the FortiGate Cloud portal so that the FortiGate serial number appears in the portal.


2) Set up a configuration template with the basic configuration in the FortiGate Cloud portal.
3) Deploy the FortiGate to FortiGate Cloud with that template.





4) Ensure the FortiGate has an interface in default DHCP client mode and is connected to the ISP outlet.
5) Boot the FortiGate in factory reset. The FortiGate gets the DHCP lease so that it can access FortiGate Cloud in the Internet and join FortiGate Cloud.


Check the status through console:-
Initializing firewall...
System is starting...
FortiGate-201E login: admin
Password:
Welcome !
FortiGate-201E #
FortiGate-201E # dia debug cli 7
Debug messages will be on for 30 minutes.
FortiGate-201E # 0: config system fortiguard
0: set service-account-id "jxue@fortinet.com"
0: end
0: config log fortiguard setting
0: set status enable
0: end
FortiGate-201E # dia test application forticldd 1
System=FGT Platform=FG201E
Management vdom: root, id=0, ha=master.
acct_id=jxue@fortinet.com
acct_st=OK
FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
Centra Management: type=FGD, flags=000000bf.
active-tasks=0
FortiGate-201E #
The FortiGate Cloud server checks that the FortiGate key is valid and then deploys the FortiGate to FortiGate Cloud.
To prevent spoofing, FortiGate Cloud invalidates that key after a successful join.

6) Complete zero touch provisioning by obtaining configuration from platform template in the Cloud.
0:set admintimeout 50
0: end
0: config system interface
0:edit "wan1"
0:set allowaccess ping ssh fgfm
0:next
0:edit "port1"
0:set allowaccess ping
0:set ip 1.1.1.1 255.255.255.0
0:next
0:edit "port2"
0:set allowaccess ping
0:set ip 2.2.2.2 255.255.255.0
0:next
0: end

7) The FortiGate Cloud admin can change the template for different configuration requirements and then deploy the updated template to the FortiGate.

For example, add a secondary DNS to the template and deploy it to FortiGate.



Contributors