Zero Touch Deployment

Author
Fullmoon
Platinum Member
  • Total Posts : 868
  • Scores: 13
  • Joined: 2010/08/02 18:02:10
2019/11/27 19:08:03 (permalink)

Zero Touch Deployment

Has anyone here been able to achieve Zero Touch Deployment? I have 1 DC and more than 1K branches, with a FortiCloud key on the remote FGs and FortiManager residing in the DC.
All 1K branches have 2 WAN links (MPLS and DSL) and will eventually be connected to my FG residing in the DC via IPsec tunnel.
 
What would be the possible/magical setup :) so that once I bring my FG to one of my branches, the IPsec tunnel comes up automatically? Are scripts and FMGR templates good enough to say Zero Touch Deployment is feasible?
 
Any thoughts are much appreciated.
 
All devices are running on FOS 6.0.7
 
regards
Fullmoon

Fortigate Newbie
#1


    emnoc
    Expert Member
    • Total Posts : 5389
    • Scores: 353
    • Joined: 2008/03/20 13:30:33
    • Location: AUSTIN TX AREA
    Re: Zero Touch Deployment 2019/11/27 23:54:39 (permalink)
    You want to look at auto-install. It requires a USB drive: you populate the cfg on the drive and ship the FGT with the drive. If you are doing the same model type over and over, then a simple boring config could be used to pre-populate the unit at the new site.
     
    If the remote sites are DHCP/PPPoE for the WAN it gets even simpler with re-using the configuration file. Just make sure to use a phase1 ID type for the IPsec tunnel that uniquely defines that peer ID.
     
    i.e. FQDN | User-Email
     
    Once you have the new site up, you can load the final cfg or make adjustments for that site. 
     
    https://help.fortinet.com/cli/fos60hlp/60/Content/FortiOS/fortiOS-cli-ref/config/system/auto-install.htm
     
    I have published probably hundreds if not thousands of sites this way and it works well if your information is vetted and correct. Since we had dynamic assignment, our config file only required the correct internal LAN subnet and almost everything else was global across the MSSP domain (user account, admin account, RADIUS, logging, etc.).
     
    It would also help to test the config on a test ISP link and tweak what you need as you develop your auto-install process.
     
    YMMV, but auto-install is a 5-star "+".
     
    Ken Felix
     

    PCNSE 
    NSE 
    StrongSwan  
    #2
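A worked example of the reuse emnoc describes above: one shared template, with only the hostname, the LAN subnet and the IPsec phase1 local ID varying per site, rendered into one fgt_system.conf per branch for the USB drive. This is added here and is not code from the thread or from Fortinet. Everything the posts do not state is an assumption: the hub address 203.0.113.10, the ID domain branches.example.com, the LAN port name "internal", the PPPoE username scheme, and the three-row inventory, which is constructed for the example.

```python
#!/usr/bin/env python3
"""Render one FortiOS auto-install config (fgt_system.conf) per branch from a
shared template.  Added example, not code from the thread or from Fortinet.
Assumed (not in the thread): hub IP, ID domain, LAN port name, PPPoE user
scheme, and the inventory below, which is constructed for the example."""
import csv
import io
import ipaddress
from pathlib import Path
from typing import Dict

HUB_IP = "203.0.113.10"             # assumed public address of the DC FortiGate
ID_DOMAIN = "branches.example.com"  # assumed; IKE local ID = <site>.<domain>
LAN_PORT = "internal"               # assumed; model-dependent (lan, internal, port1)
CONF_NAME = "fgt_system.conf"       # default filename auto-install looks for
WAN_PORTS = ("wan1", "wan2")        # the MPLS and DSL links from the first post

# Constructed inventory: the only per-site data is the site code and LAN subnet.
INVENTORY_CSV = """site,lan_subnet
BR0001,10.1.1.0/24
BR0002,10.1.2.0/24
BR1000,10.4.232.0/24
"""


def tunnel_blocks(wan: str, local_id: str, psk: str, lan: ipaddress.IPv4Network) -> str:
    """Phase1/phase2 for one WAN link.  localid-type fqdn is what lets the hub
    tell peers apart when every branch ships the same DHCP/PPPoE WAN config."""
    name = f"hub-{wan}"
    return f"""\
config vpn ipsec phase1-interface
    edit "{name}"
        set interface "{wan}"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw {HUB_IP}
        set localid "{local_id}"
        set localid-type fqdn
        set psksecret "{psk}"
    next
end
config vpn ipsec phase2-interface
    edit "{name}"
        set phase1name "{name}"
        set proposal aes256-sha256
        set src-subnet {lan.network_address} {lan.netmask}
        set dst-subnet 0.0.0.0 0.0.0.0
    next
end
"""


def render_site(site: str, lan: ipaddress.IPv4Network, psk: str, pppoe_password: str) -> str:
    """Whole fgt_system.conf for one branch: DHCP on wan1, PPPoE on wan2, LAN
    gateway on the first host of the site subnet, one tunnel per WAN link."""
    local_id = f"{site}.{ID_DOMAIN}"
    gw = lan.network_address + 1
    head = f"""\
config system global
    set hostname "{site}"
end
config system interface
    edit "wan1"
        set mode dhcp
        set allowaccess ping
    next
    edit "wan2"
        set mode pppoe
        set username "{site}@isp.example"
        set password "{pppoe_password}"
        set allowaccess ping
    next
    edit "{LAN_PORT}"
        set ip {gw} {lan.netmask}
        set allowaccess ping https ssh
    next
end
"""
    return head + "".join(tunnel_blocks(w, local_id, psk, lan) for w in WAN_PORTS)


def render_all(inventory_csv: str, psk: str, pppoe_password: str) -> Dict[str, str]:
    """Render every site; refuse duplicate site codes (they would collide on the
    IKE local ID at the hub) and overlapping LAN subnets (vetting, as emnoc says)."""
    confs: Dict[str, str] = {}
    nets: Dict[str, ipaddress.IPv4Network] = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        site = row["site"].strip().upper()
        lan = ipaddress.ip_network(row["lan_subnet"].strip(), strict=True)
        if site in confs:
            raise ValueError(f"duplicate site code {site}: local ID would not be unique")
        for other, net in nets.items():
            if lan.overlaps(net):
                raise ValueError(f"{site} LAN {lan} overlaps {other} LAN {net}")
        nets[site] = lan
        confs[site] = render_site(site, lan, psk, pppoe_password)
    return confs


def write_usb_trees(confs: Dict[str, str], root: Path) -> None:
    """One directory per branch holding the file to copy onto that site's drive."""
    for site, text in confs.items():
        (root / site).mkdir(parents=True, exist_ok=True)
        (root / site / CONF_NAME).write_text(text)


if __name__ == "__main__":
    rendered = render_all(INVENTORY_CSV, psk="onboarding-psk-rotate-after-install",
                          pppoe_password="pppoe-placeholder")
    write_usb_trees(rendered, Path("usb-out"))
    print(rendered["BR0001"])
```

Two practitioner caveats. A hand-written file on a shipped USB drive carries the PSK and PPPoE password in cleartext, so treat the onboarding PSK as disposable and push per-site secrets or certificates from the DC once the tunnel is up, which is the "load the final cfg" step emnoc mentions. And the unique local ID only buys you something if the hub side checks it: a dial-up phase1 at the DC that pins each branch to its own peer ID, rather than accepting any peer that knows the shared PSK, is what makes the branch inventory authoritative.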
    Fullmoon
    Platinum Member
    • Total Posts : 868
    • Scores: 13
    • Joined: 2010/08/02 18:02:10
    Re: Zero Touch Deployment 2019/11/28 03:44:49 (permalink)
    Dear @emnoc.
     
    Thanks for taking up my post and sharing your hands-on experience.
    Please correct me if I'm wrong with my syntax.
     
    Assuming I followed all the guidelines stated in the link you provided,
    this would be the content of my USB script?
     
    # Unit-side setting: auto-install has to be enabled on the FortiGate itself;
    # it cannot be read from the USB file it controls.
    config system auto-install
        set auto-install-config enable
    end
     
    # Content of the config file on the USB drive.
    # Setting the WAN1 interface mode to static (manual addressing).
    config system interface
        edit "wan1"
            set mode static
            # host octet assumed; the original ran the address and mask together
            set ip 10.10.10.1 255.255.255.0
            set allowaccess ping https
        next
    end
     
    If this is not the right one, apologies for my ignorance. :)

    Fortigate Newbie
    #3