Is anyone here able to achieve Zero Touch Deployment? I have 1 DC and more than 1K branches, with FortiCloud keys on the remote FGs and FortiManager residing in the DC.
All 1K branches have 2 WAN links (MPLS and DSL) and will eventually be connected to my FG residing in the DC via IPsec tunnel.
What would be the possible/magical setup :) so that once I bring my FG to one of my branches the IPsec tunnel comes up automatically? Are scripts and FMGR templates good enough to say Zero Touch Deployment is feasible?
Any thoughts are much appreciated.
All devices are running on FOS 6.0.7
regards
Fullmoon
Fortigate Newbie
You want to look at auto-install. It requires a USB drive: you populate the cfg on the drive and ship the FGT with the drive. If you are doing the same model type over and over, then a simple boring config could be used to pre-populate the unit at the new site.
If the remote sites are DHCP/PPPoE on the WAN it gets even simpler with re-using the configuration file. Just make sure to use a phase1 ID type for the IPsec tunnel that uniquely defines that peer ID.
I.E FQDN | User-Email
Once you have the new site up, you can load the final cfg or make adjustments for that site.
I publish probably 100s if not thousands of sites this way and it works well if your information is vetted and correct. Since we had dynamically assigned addresses, our config file only required the correct internal LAN subnet and almost everything else was global across the MSSP domain (user account, admin account, RADIUS, logging, etc.).
It would also help to test the config on a test ISP link and tweak what you need as you develop your auto-install process.
YMMV, but auto-install is a 5star "+"
Ken Felix
PCNSE
NSE
StrongSwan
Dear @emnoc.
Thanks for taking the time to read my post and sharing your hands-on experience.
Please correct me if I'm wrong with my syntax.
Assuming I followed all the guidelines stated in the link you provided,
would this be the content of my USB script?
# enable loading a configuration file from the USB drive at boot
config system auto-install
set auto-install-config enable
end
# setting the WAN1 interface mode to Manual (static)
config system interface
edit wan1
set mode static
# FortiOS takes the address and the netmask as two space-separated values;
# 10.10.10.1 is an assumed host address for this example
set ip 10.10.10.1 255.255.255.0
set allowaccess ping https
next
end
If this is not the right one, apology for my ignorance. :)
Fortigate Newbie
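As an added example, not the config of either poster, here is what a minimal USB auto-install file could look like for one branch following the DHCP-WAN plus unique-phase1-ID approach discussed above. It assumes wan1 gets its address by DHCP, a hub at placeholder address 203.0.113.10, FortiManager at placeholder address 198.51.100.5, a per-branch FQDN local ID, and a placeholder pre-shared key.

```fortios
# Load this file from the USB drive at first boot
config system auto-install
    set auto-install-config enable
    set default-config-file "fgt_system.conf"
end
# WAN address comes from the ISP, so the same file works at every DHCP site
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess ping
        set role wan
    next
    edit "internal"
        # the only per-site value in the file: this branch's LAN subnet (assumed)
        set ip 192.168.1.1 255.255.255.0
        set allowaccess ping https ssh
    next
end
# Dial-up IPsec client to the DC hub; the local ID is what uniquely
# identifies this branch to the hub, so it must differ per site
config vpn ipsec phase1-interface
    edit "to-dc"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set localid-type fqdn
        set localid "branch0001.example.com"
        set remote-gw 203.0.113.10
        set psksecret "REPLACE-WITH-PER-BRANCH-PSK"
    next
end
config vpn ipsec phase2-interface
    edit "to-dc-p2"
        set phase1name "to-dc"
        set proposal aes256-sha256
        set auto-negotiate enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 10.0.0.0 255.0.0.0
    next
end
# Point the unit at FortiManager so the final per-site config can be pushed
config system central-management
    set type fortimanager
    set fmg "198.51.100.5"
end
```

Because the hub keys its per-peer policy on the phase1 ID, two branches shipped with the same localid would collide, so that value and the PSK are the ones to vary when cloning the file.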
Copyright 2024 Fortinet, Inc. All Rights Reserved.