Support Forum
Fullmoon
Contributor III

Zero Touch Deployment

Is anyone here able to achieve Zero Touch Deployment? I have 1 DC and more than 1K branches, with a FortiCloud key on the remote FGs and FortiManager residing in the DC.

All 1K branches have 2 WAN links (MPLS and DSL) and will eventually connect to my FG in the DC via IPsec tunnel.

What would be the possible/magical setup :) so that once I bring my FG to one of my branches, the IPsec tunnel comes up automatically? Are a script and an FMGR template good enough to say Zero Touch Deployment is feasible?

Any thoughts are much appreciated.

All devices are running on FOS 6.0.7

regards

Fullmoon

Fortigate Newbie
emnoc
Esteemed Contributor III

You want to look at auto-install. It requires a USB drive: you populate the cfg on the drive and ship the FGT with the drive. If you are doing the same model type over and over, then a simple boring config could be used to pre-populate the unit at the new site.

If the remote sites are DHCP/PPPoE for the WAN, it gets even simpler by re-using the configuration file. Just make sure to use a phase1 ID type for the IPsec tunnel that uniquely defines that peer-id,

i.e. FQDN | User-Email

Once you have the new site up, you can load the final cfg or make adjustments for that site.

https://help.fortinet.com/cli/fos60hlp/60/Content/FortiOS/fortiOS-cli-ref/config/system/auto-install...

I have published probably 100s if not thousands of sites this way, and it works well if your information is vetted and correct. Since we had dynamically assigned WAN addresses, our config file only required the correct internal LAN subnet, and almost everything else was global across the MSSP domain (user account, admin account, RADIUS, logging, etc.).

It would also help to test the config on a test ISP link and tweak what you need as you develop your auto-install process.

YMMV, but auto-install is a 5-star "+".

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  
Fullmoon
Contributor III

Dear @emnoc,

Thank you for taking my post and sharing your hands-on experience.

Please correct me if I'm wrong with my syntax.

Assuming I followed all the guidelines stated in the link you provided, would this be the content of my USB script?

 

config system auto-install
    set auto-install-config enable
end

# set the WAN1 interface to static (manual) addressing
config system interface
    edit wan1
        set mode static
        set ip 10.10.10.1 255.255.255.0   # address and mask are separate arguments; the .1 host address is assumed, the original ran them together
        set allowaccess ping https
    next
end

 

If this is not the right one, apologies for my ignorance. :)

Fortigate Newbie
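Putting emnoc's procedure and Fullmoon's snippet together at the scale of 1K branches, here is an added example (mine, not code from either poster or from Fortinet) that renders one auto-install config file per branch from a site list: WAN on DHCP so the same file works behind any ISP, a unique FQDN local-id per branch as emnoc recommends, and only the LAN subnet varying per site. It also rejects the input mistakes that otherwise surface only after the drive has shipped. Assumptions not from the thread: the hub address 203.0.113.1 and the key are placeholders, the LAN port is named "internal" and the WAN port "wan1", the site names are constructed, and the CLI keywords are FortiOS 6.0 syntax as I recall them from the CLI reference, so check them against your build before shipping a drive.

```python
"""Render per-branch FortiOS auto-install config files from a site list.

Added example for this thread; not Fortinet code and not from either poster.
Assumptions (not from the thread): hub 203.0.113.1 and the PSK are
placeholders, the LAN port is "internal", the WAN port is "wan1", and the
CLI keywords follow FortiOS 6.0 syntax as recalled from the CLI reference.
"""
import ipaddress
import re

# Site-independent part of the config (emnoc: "almost everything else was
# global"). Only the FQDN local-id, LAN gateway and mask change per site.
TEMPLATE = """\
config system auto-install
    set auto-install-config enable
    set auto-install-image disable
end
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess ping https ssh
    next
    edit "internal"
        set ip {lan_gw} {lan_mask}
        set allowaccess ping https ssh
    next
end
config vpn ipsec phase1-interface
    edit "to-dc"
        set interface "wan1"
        set ike-version 2
        set net-device enable
        set proposal aes256-sha256
        set dhgrp 14
        set localid-type fqdn
        set localid "{site_fqdn}"
        set remote-gw {hub_ip}
        set psksecret {psk}
    next
end
config vpn ipsec phase2-interface
    edit "to-dc"
        set phase1name "to-dc"
        set proposal aes256-sha256
        set dhgrp 14
        set auto-negotiate enable
    next
end
"""

# Hostname-style local-id: letter/digit/hyphen labels, at least one dot.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def validate_site(site_fqdn, lan_cidr):
    """Vet one row of the site list; returns (fqdn, gateway, netmask).

    Rejects a malformed local-id, a subnet written with host bits set,
    and a public or too-small LAN range.
    """
    fqdn = site_fqdn.strip().lower()
    if not FQDN_RE.match(fqdn):
        raise ValueError("bad FQDN local-id: %r" % site_fqdn)
    net = ipaddress.ip_network(lan_cidr, strict=True)  # host bits set -> ValueError
    if net.version != 4 or net.prefixlen > 30 or not net.is_private:
        raise ValueError("bad LAN subnet: %r" % lan_cidr)
    return fqdn, str(net.network_address + 1), str(net.netmask)


def render_config(site_fqdn, lan_cidr, hub_ip, psk):
    """Return the text of one branch's config file."""
    fqdn, gw, mask = validate_site(site_fqdn, lan_cidr)
    ipaddress.IPv4Address(hub_ip)  # raises on a typo in the hub address
    return TEMPLATE.format(site_fqdn=fqdn, lan_gw=gw, lan_mask=mask,
                           hub_ip=hub_ip, psk=psk)


def render_all(sites, hub_ip, psk):
    """sites: iterable of (fqdn, lan_cidr). Returns {fqdn: config_text}.

    Two branches with the same local-id are indistinguishable at the hub,
    and overlapping LAN subnets cannot both be routed over the tunnels,
    so either condition aborts the run instead of producing a bad drive.
    """
    configs, seen_nets = {}, []
    for site_fqdn, lan_cidr in sites:
        fqdn, _, _ = validate_site(site_fqdn, lan_cidr)
        net = ipaddress.ip_network(lan_cidr)
        if fqdn in configs:
            raise ValueError("duplicate local-id: %s" % fqdn)
        for other in seen_nets:
            if net.overlaps(other):
                raise ValueError("LAN %s overlaps %s" % (net, other))
        seen_nets.append(net)
        configs[fqdn] = render_config(site_fqdn, lan_cidr, hub_ip, psk)
    return configs


# Constructed sample site list; hub address and key are placeholders.
SAMPLE_SITES = [
    ("branch0001.example.com", "10.1.1.0/24"),
    ("branch0002.example.com", "10.1.2.0/24"),
]

if __name__ == "__main__":
    for name, text in render_all(SAMPLE_SITES, "203.0.113.1", "PSK-PLACEHOLDER").items():
        print("# ---- %s ----" % name)
        print(text)
```

Write each rendered string to the file name the unit's `default-config-file` setting expects (I take the default to be fgt_system.conf, an assumption to verify in the linked CLI reference), one drive per branch. Because the key travels on the drive in clear, have the hub accept each local-id only with that site's own credential (a certificate or per-peer key) rather than one PSK shared across 1K sites, and let the final per-site config pushed after bring-up replace the bootstrap settings.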