fgallardo1
Staff
Article Id 337973
Description

This article describes how FortiZTP (Zero Touch Provisioning) automates device configuration and management. It reduces the management effort by enabling easier remote deployment of several Fortinet device types, including:

  • FortiGate.
  • FortiGate-VM.
  • FortiWifi.
  • FortiAP.
  • FortiSwitch.
  • FortiExtender.

 

FortiZTP integrates with other FortiCloud services called provisioning targets for centralized management, including:

  • FortiGate Cloud.
  • FortiManager.
  • FortiManager Cloud.
  • FortiLAN Cloud.
  • FortiExtender Cloud.
  • FortiSASE.

For testing purposes, a FortiGate-VM and FortiManager Cloud are used to demonstrate the configuration process.

Scope

FortiZTP v7.2.3, FortiManagerCloud v7.2.3, FortiGate-VM v7.2.4.

Solution

The following steps describe how to provision a FortiGate device from FortiZTP and centrally manage it using FortiManager Cloud.

 

    1. Register the FortiGate device in the Asset Management Portal of the same FortiCloud account. This makes the device available to FortiZTP.

 

  1. Access FortiZTP and view the summary:

 

                                                    fgallardo1_0-1725052170988.png

 

FortiGate Configuration.

 

  1. The FortiGate device must be factory reset and licensed before it is provisioned.

The FortiGate model in this example has DHCP enabled on port1 by default. To find the management IP assigned to that port, run the following command:

 

diagnose ip address list

 

Using that address, access the web interface over HTTP on port 80 and upload the license file. The FortiGate reboots once the license is applied.

 

  1. FortiZTP requires a FortiGate model that supports the zero-touch provisioning (auto-join) feature. FortiGate/FortiWiFi desktop and 1U models up to the 100F, including PoE variants, support zero-touch provisioning. For other models (the FortiGate-VM in this example is provisioned this way), FortiZTP supports one-touch provisioning: configure DHCP on the port of choice, then enable auto-join to FortiCloud and set FortiGuard as the central management type:

 

config system fortiguard

    set auto-join-forticloud enable

end

 

config system central-management

    set type fortiguard

end
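The whole one-touch preparation of the FortiGate, collected into one CLI session as an added example (this is not code from the original article). It assumes port1 is the management port with a DHCP server upstream; the debug commands at the end are the check a practitioner runs when the device does not show up as provisioned in FortiZTP.

```fortios
# Added example, not from the original article.
# Assumption: port1 is the management/WAN port and gets an address by DHCP.

# 1. Return the device to factory defaults (it reboots and all config is lost).
execute factoryreset

# 2. Make sure the management port uses DHCP and allows the access needed
#    for licensing. Narrow allowaccess (drop http) once the license is in.
config system interface
    edit "port1"
        set mode dhcp
        set allowaccess ping https ssh http
    next
end

# 3. Find the address DHCP assigned, then upload the license in the GUI.
#    The FortiGate reboots after the license is applied.
diagnose ip address list

# 4. After the reboot: join FortiCloud and hand management to FortiGuard,
#    which is what lets the FortiZTP Provision step take the device.
config system fortiguard
    set auto-join-forticloud enable
end
config system central-management
    set type fortiguard
end

# 5. Checks. The central-management type must read fortiguard, and the
#    FortiCloud daemon log shows whether the join to FortiCloud succeeds.
get system central-management
diagnose debug application forticldd -1
diagnose debug enable
# ... watch for the connection to FortiCloud, then stop the debug output.
diagnose debug disable
diagnose debug reset
```

If the join fails, the usual causes are a missing FortiCloud account registration (the Asset Management step above) or outbound filtering of the FortiGate's FortiGuard/FortiCloud traffic on the upstream network.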

 

  1. Back in FortiZTP, select the FortiGate-VM to be provisioned, select Provision, and choose FortiManager Cloud as the Target Location:

 

                                                         fgallardo1_1-1725052170992.png

 

  1. Select Provision Now.

 

                                                         fgallardo1_2-1725052170993.png

 

  1. Confirm that the FortiGate shows as provisioned in the FortiZTP summary:

 

                                                         fgallardo1_3-1725052170994.png

 

  1. Go to the FortiManager Cloud site, log in, and select Device Manager in the tree menu. Right-click the FortiGate device and select Edit, or select the device and then the Edit button.

 

                                                           fgallardo1_4-1725052170996.png

 

  1. Enable Automatically Link to Real Device, then select OK.

 

                                                            fgallardo1_5-1725052170998.png

 

  1. In the Admin User/Password section, enter the FortiGate's admin user and password.

 

                                                             fgallardo1_6-1725052170998.png

 

  1. Select OK.

 

  1. If needed, change the Name field to a custom name.

 

                                                          fgallardo1_7-1725052171000.png

 

  1. Create a new Policy Package: go to Policy & Objects -> Policy Packages, select the default policy package, right-click it and select New -> Create New Policy Package.

Name: Branch1.

Leave the rest of the fields as default and select OK.

 

                                                             fgallardo1_8-1725052171001.png

 

  1. Go to Policy & Objects -> Policy Packages -> Branch1 -> Firewall Policy -> + Create New, fill in the fields as follows, and select OK:

Name: Internet_Access_from_DMZ.

Incoming Interface: Port2.

Outgoing interface: Port1.

Source: All.

Destination: All.

Service: All.

Action: Accept.

Inspection Mode: Flow-based.

NAT: enable.

Change note: Firewall policy to enable DMZ network access to the internet.

 

  1. Go to Policy & Objects -> Policy Packages -> Branch1 -> Installation Targets -> Edit -> Edit Installation Targets.

Select the Branch1 device and select OK. 

 

                                                             fgallardo1_9-1725052171002.png

 

  1. Select Install Wizard -> Install Policy Package & Device Settings.

Confirm the installation of the policy package and proceed.

 

                                                                 fgallardo1_10-1725052171003.png

                                                 fgallardo1_11-1725052171005.png

 

  1. Confirm that the installation was applied on the FortiGate: go to Device Manager -> select Branch1 -> Dashboard -> Summary -> System Information -> Operation -> Connect to CLI via SSH.

 

                                                    fgallardo1_12-1725052171006.png

 

  1. Log in with the admin user and password.

 

                                                    fgallardo1_13-1725052171007.png
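The checks to run in that SSH session, as an added example that is not part of the original article. It assumes the policy package was built exactly as in the steps above (package Branch1, policy Internet_Access_from_DMZ from port2 to port1); the policy settings listed in the comment are the ones those steps set, with policyid, uuid and untouched defaults left out.

```fortios
# Added example, not from the original article.
# Run in the SSH session opened from FortiManager Cloud after the install.

# 1. Central management should now point at FortiManager, not fortiguard:
#    the type changes and the fmg field is populated once FortiManager
#    Cloud has taken over the device.
get system central-management

# 2. The installed policy should carry the settings chosen in the policy
#    package (policyid, uuid and defaults omitted here):
show firewall policy
#     set name "Internet_Access_from_DMZ"
#     set srcintf "port2"
#     set dstintf "port1"
#     set action accept
#     set srcaddr "all"
#     set dstaddr "all"
#     set service "ALL"
#     set inspection-mode flow
#     set nat enable
# Note: source/destination/service "all" with no security profiles is a
# lab policy. For production, restrict it to the DMZ subnet and the
# services it needs, and attach AV/IPS/web filter profiles in the package.

# 3. If the install never arrived, watch the FGFM tunnel from the
#    FortiGate side while FortiManager retries.
diagnose debug application fgfmd -1
diagnose debug enable
# ... then stop the debug output.
diagnose debug disable
diagnose debug reset

# 4. Do not edit the policy locally: the device is managed by FortiManager
#    Cloud, and local changes are reported as out of sync and overwritten
#    on the next install from the policy package.
```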