Zero(ish) Touch Provision – Linking Configuration via FortiDeploy (FortiCloud)
To continue the theme of Zero(ish) touch provisioning with the FortiManager, I want to explain the deployment method that truly does not need user interaction at deployment time to get the configuration applied to the FortiGate.
According to the FortiDeploy Datasheet, there are some high-level requirements associated with this solution:
- This functionality supports up to the 200 series FortiGate
- This functionality requires devices to be running FortiOS 5.2.2 or later
In addition to that, FortiCloud is able to manage the FortiGate directly from the cloud management user interface. However, in this article, the FortiDeploy method in FortiCloud will be used to redirect the FortiGate to the FortiManager for deployment. Before diving into the procedure, let me explain some of the basics around FortiDeploy.
In order for FortiCloud to manage a FortiGate, it must first become aware of the FortiGate through one of the following methods:
- FortiGate FortiCloud Key
- FortiGate Bulk Key
- FortiCloud Logon
FortiGate FortiCloud Key
Whenever you order a new FortiGate, there is a sticker with a FortiCloud Key affixed to the top of the unit. This key corresponds to the serial number assigned to the FortiGate and will register this unit to the FortiCloud account it is applied to.
Please note that this is a one-time use key and can only be redirected to the FortiManager once during the initial deployment of the firewall.
FortiGate FortiCloud Bulk Key
In the case where you want to add multiple FortiGates to the FortiCloud at one time, it may become very tedious to add them one by one via their individual FortiCloud Key. To address this, when ordering FortiGates, you can request to include the “FortiDeploy” bulk key SKU (FDP-SINGLE-USE) that will aggregate all of the serial numbers included into that purchase into a single FortiCloud Bulk Key which will add all of those FortiGates into the FortiCloud account at the same time.
Please note that this key is a multi-use key and will allow the FortiGate to be redirected to FortiManager each time it is reset to its factory settings.
Adding the FortiManager to FortiCloud
The process for adding the FortiGate to FortiCloud via a key is very similar regardless of the type of key you are adding. The FortiManager is registered in FortiCloud first, and the FortiGate is then added using its key. Below is the procedure:
1. Log into FortiCloud
2. Click “Inventory”
3. Click the drop-down “Deploy to FortiManager” | Select “FortiManager Setup”
4. Specify the “FortiManager IP/FQDN” and “FortiManager Serial Number” | Click “Submit”:
Adding the FortiGate to FortiCloud via Key
1. After returning to the “Inventory” page | Click the corresponding “Import FGT Key” or “Import Bulk Key” depending on which type of key you are importing:
2. Enter the FortiCloud Key or Bulk Key code for the FortiGate(s) you want to manage | Click “Submit”:
3. Once the key has been accepted, observe that the FortiGate (validated by its serial number) shows up under “FortiGate Inventory”:
4. Select the FortiGate | Click “Deploy to FortiManager”:
5. Confirm the settings in the dialog box | Click “Yes” to continue
Once this is completed, the FortiGate is ready to be deployed. At this point, the remaining steps are the same as those in the “Linking FortiManager via WebGUI” post, except that the FortiGate no longer needs to be manually configured to connect to the FortiManager.
There is not much in the way of validation (that I am aware of) to show whether the FortiCloud deployment is working. From what I can tell, the FortiGate shows as registered to FortiManager within 5 – 15 minutes of obtaining Internet access. You can debug the “forticldd” process with the commands below to see the connectivity:
diag debug application forticldd 255
diag debug enable
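Since the post notes that FortiCloud offers little validation, here is an added example (not from the original post) of a check run from the FortiManager side: a Python script that polls the FortiManager JSON-RPC API until the serial number from the FortiCloud inventory appears as a managed device. The /jsonrpc endpoint, the URLs /sys/login/user, /dvmdb/device and /sys/logout, and the fields "sn" and "conn_status" are assumptions about the FortiManager API; the host, credentials, device listing and serial numbers are constructed placeholders.

```python
import json
import ssl
import time
import urllib.request

# Assumed (not from the post): FortiManager IP/FQDN given to FortiCloud and a read-only API user.
FMG_HOST = "fortimanager.example.invalid"
FMG_CREDS = {"user": "api-readonly", "passwd": "replace-me"}

# Constructed sample of a /dvmdb/device listing; the field names "sn" and
# "conn_status" (1 = connection up) are assumptions about the FortiManager API.
SAMPLE_DEVICES = [
    {"name": "branch-01", "sn": "FGTSAMPLE0000001", "conn_status": 1},
    {"name": "branch-02", "sn": "FGTSAMPLE0000002", "conn_status": 0},
]

def find_device(devices, serial):
    """Return (registered, connected) for one serial number in a device listing."""
    for dev in devices:
        if str(dev.get("sn", "")).upper() == serial.upper():
            return True, dev.get("conn_status") == 1
    return False, False

def fmg_call(session, method, url, data=None):
    """Send one JSON-RPC request to FortiManager (assumed /jsonrpc endpoint)."""
    params = {"url": url, **({"data": data} if data is not None else {})}
    body = {"id": 1, "method": method, "params": [params]}
    if session:
        body["session"] = session
    req = urllib.request.Request(
        f"https://{FMG_HOST}/jsonrpc", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    ctx = ssl.create_default_context()  # keep certificate verification on
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)

def wait_for_registration(serial, timeout_s=15 * 60, interval_s=60):
    """Poll FortiManager until the serial appears; True if its tunnel is up."""
    session = fmg_call(None, "exec", "/sys/login/user", FMG_CREDS)["session"]
    try:
        for _ in range(max(1, timeout_s // interval_s)):
            resp = fmg_call(session, "get", "/dvmdb/device")
            registered, connected = find_device(resp["result"][0].get("data", []), serial)
            if registered:
                return connected
            time.sleep(interval_s)
        return False  # not registered within the 5-15 minute window the post describes
    finally:
        fmg_call(session, "exec", "/sys/logout")
```

Run it with a dedicated read-only API account on the FortiManager; a result of False after the window is the cue to fall back to the forticldd debug on the FortiGate.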