Description
This article explains the Zero touch provisioning of FortiGate using FortiDeploy.
Useful link:
https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiDeploy.pdf
Solution
FortiDeploy is a feature, built into FortiCloud that allows for simplified import and provisioning of any quantity of devices.
It allows the user to deploy local or remote installed FortiGates and FortiAPs to their preferred management interface with a few clicks.
This feature is supported only when the FortiGate boots up from factory reset
Topology
Configuration steps:
1) Add the FortiGate Cloud product key to the FortiGate Cloud portal so that the FortiGate serial number appears in the portal.
1) Add the FortiGate Cloud product key to the FortiGate Cloud portal so that the FortiGate serial number appears in the portal.
2) Set up a configuration template with the basic configuration in the FortiGate Cloud portal.
3) Deploy the FortiGate to FortiGate Cloud with that template.
3) Deploy the FortiGate to FortiGate Cloud with that template.
4) Ensure the FortiGate has an interface in default DHCP client mode and is connected to the ISP outlet.
5) Boot the FortiGate in factory reset. The FortiGate gets the DHCP lease so that it can access FortiGate Cloud in the Internet and join FortiGate Cloud.
5) Boot the FortiGate in factory reset. The FortiGate gets the DHCP lease so that it can access FortiGate Cloud in the Internet and join FortiGate Cloud.
Check the status through console:-
To prevent spoofing, FortiGate Cloud invalidates that key after a successful join.
6) Complete zero touch provisioning by obtaining configuration from platform template in the Cloud.
Initializing firewall...The FortiGate Cloud server checks that the FortiGate key is valid and then deploys the FortiGate to FortiGate Cloud.
System is starting...
FortiGate-201E login: admin
Password:
Welcome !
FortiGate-201E #
FortiGate-201E # dia debug cli 7
Debug messages will be on for 30 minutes.
FortiGate-201E # 0: config system fortiguard
0: set service-account-id "jxue@fortinet.com"
0: end
0: config log fortiguard setting
0: set status enable
0: end
FortiGate-201E # dia test application forticldd 1
System=FGT Platform=FG201E
Management vdom: root, id=0, ha=master.
acct_id=jxue@fortinet.com
acct_st=OK
FortiGuard log: status=enabled, full=overwrite, ssl_opt=1, source-ip=0.0.0.0
Centra Management: type=FGD, flags=000000bf.
active-tasks=0
FortiGate-201E #
To prevent spoofing, FortiGate Cloud invalidates that key after a successful join.
6) Complete zero touch provisioning by obtaining configuration from platform template in the Cloud.
0:set admintimeout 50
0: end
0: config system interface
0:edit "wan1"
0:set allowaccess ping ssh fgfm
0:next
0:edit "port1"
0:set allowaccess ping
0:set ip 1.1.1.1 255.255.255.0
0:next
0:edit "port2"
0:set allowaccess ping
0:set ip 2.2.2.2 255.255.255.0
0:next
0: end
7) The FortiGate Cloud admin can change the template for different configuration requirements and then deploy the updated template to the FortiGate.
For example, add a secondary DNS to the template and deploy it to FortiGate.
Related Article:
Labels: