FortiGate Zero Touch Provisioning (ZTP) & Low Touch Provisioning
Six months into joining Fortinet as a Systems Engineer, I've found that one of the coolest ways to deploy a FortiGate firewall is through one of its many Zero Touch Provisioning (ZTP) or low touch provisioning methods. I wanted to highlight each of them here to help you plan your rollout!
USB Flash Drive
One technique for provisioning a FortiGate without pre-configuring it is to ship a USB flash drive along with the FortiGate. On the USB flash drive (formatted as FAT16), you'll need two files in the root of the drive:
- fgt_system.conf = the full configuration file
- image.out = the firmware image file
You'll need to place the entire configuration for the FortiGate in that fgt_system.conf file, and it needs to be specific to the FortiGate model; otherwise the interface layout won't be correct. The easiest way to generate this is to take a "golden config" of a certain FortiGate model that you're happy with and then modify the device-specific settings (e.g. IP addresses, hostname, etc.) for the FortiGate being provisioned.
When you power on the FortiGate, make sure the USB flash drive with that config and firmware image (image.out) is connected first. By default, the FortiGate will load these; if it doesn't, auto-install may have been disabled. If that is the case, refer to this KB article to enable it and then reboot: https://kb.fortinet.com/kb/documentLink.do?externalID=FD46528.
This method is low touch, since you have to preconfigure the device (via the USB flash drive config), but it is an option when zero touch is not available (e.g. no DHCP on the WAN interface).
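To show how the "golden config" step above can be automated, here is an added example (my own code, not a Fortinet tool) that clones a golden FortiOS config for one device, rewriting the hostname and interface IPs, and refuses a golden config whose #config-version header names a different model than the target unit. The header format, the sample config and the device values are assumptions constructed for the example.

```python
import re

# Constructed golden config for a hypothetical FGT60F. Real FortiOS config files
# start with a "#config-version=<MODEL>-<version>-..." header line (assumed format).
GOLDEN_CONFIG = """\
#config-version=FGT60F-7.0.5-FW-build0304-220228:opmode=0:vdom=0:user=admin
config system global
    set hostname "GOLDEN-FGT"
    set timezone 04
end
config system interface
    edit "wan1"
        set ip 192.0.2.10 255.255.255.0
        set allowaccess ping https
    next
    edit "internal"
        set ip 192.168.1.99 255.255.255.0
    next
end
"""


def render_device_config(golden, model, hostname, interface_ips):
    """Return a per-device fgt_system.conf derived from a golden config.

    interface_ips maps interface name -> (ip, mask). Raises ValueError when the
    golden config was built for another model, since the interface layout
    would not match the FortiGate being provisioned.
    """
    lines = golden.splitlines()
    m = re.match(r"#config-version=([A-Za-z0-9]+)-", lines[0])
    if not m or m.group(1) != model:
        found = m.group(1) if m else "unknown"
        raise ValueError(f"golden config is for model {found}, not {model}")
    out, stack = [], []  # stack tracks the current config/edit context
    for line in lines:
        s = line.strip()
        if s.startswith("config "):
            stack.append(s[len("config "):])
        elif s.startswith("edit "):
            stack.append(s[len("edit "):].strip('"'))
        elif s in ("next", "end"):
            stack.pop()
        elif s.startswith("set hostname ") and stack == ["system global"]:
            line = line.replace(s, f'set hostname "{hostname}"')
        elif (s.startswith("set ip ") and len(stack) == 2
              and stack[0] == "system interface" and stack[1] in interface_ips):
            ip, mask = interface_ips[stack[1]]
            line = line.replace(s, f"set ip {ip} {mask}")
        out.append(line)
    return "\n".join(out) + "\n"
```

Write the returned text to fgt_system.conf in the root of the FAT16 drive next to image.out; interfaces not listed in interface_ips keep their golden values.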
FortiDeploy
FortiDeploy is the method where you point your FortiGates to a FortiManager server when they boot up. This only works if the FortiGates are registered to your (or your organization's) account. When FortiGates boot up, they first connect to FortiCloud to see if FortiDeploy has been set up. If so, FortiCloud responds with your FortiManager server information. Once the FortiGate connects to FortiManager, you can authorize it, or you can have preconfigured it in advance so that it is already authorized and receives its config on that first connection to FortiManager.
To set up FortiDeploy, log in to your FortiCare account > Services > FortiGate Cloud > Inventory > FortiManager Setup. Here you'll specify the FortiManager IP address and Serial Number.
Your FortiGates will have a sticker on them with a FortiCloud Key. In FortiGate Cloud, you can enter this key to register the device so that it will ZTP to FortiManager when it boots. Or, the easiest method is to ensure your Sales team includes the line item for FortiDeploy on your quote, and your FortiGates will automatically be set up for FortiDeploy without you manually registering them. You would just pre-configure system templates, IPsec templates, CLI scripts, Policy Packages, etc. Then you'd add the device by Serial Number and assign these templates to the device. When the device boots up and connects to FortiManager, it receives all that configuration and those policies automatically. Voila!
FortiDeploy is a great zero touch method in that you can ship the FortiGate directly to the destination, and as long as its WAN interface gets a DHCP address, it'll connect to your FortiManager server where you can configure it (or pre-configure it to achieve full Zero Touch Provisioning).
FortiExplorer
I just recently learned about this technique to configure your FortiGate from your phone! Using the FortiExplorer app with your phone connected to the USB port on the FortiGate, you can log in to the FortiGate and perform some basic configuration, such as setting IP addresses and static routes, to make the FortiGate reachable across your network.
This Fortinet Cookbook has all the details you’ll need to use FortiExplorer: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/975982/getting-started-with-fortiexplorer.
Professional Services
This last option is provided by Fortinet Professional Services (PS) on an engagement and uses a mix of FortiManager API calls, scripts and FortiDeploy. PS would also help you pre-provision your FortiGates so that as soon as they connect to FortiManager, they'll receive their full config and be up and running in no time at all. It's slick and tailored to your environment for the engagement, and it can save a ton of time on the back end when provisioning hundreds or thousands of FortiGates/sites.
Thanks for reading and hopefully this will provide some help as you plan on deploying your FortiGates far and wide! Please post in the comments if you have any questions and I’ll do my best to respond.