In modern network administration, speed, consistency, and scalability are crucial. As organisations grow, manually provisioning new network devices like FortiGate firewalls becomes a significant bottleneck. This process is not only time-consuming but also prone to human error, which can lead to security gaps and inconsistent configurations. This is where automation becomes a game-changer.
FortiManager, Fortinet’s centralised management platform, offers a powerful suite of tools to automate the provisioning of FortiGate devices. By leveraging scripts and templates, network administrators can transform a complex, manual task into a streamlined, repeatable, and highly efficient process. This guide provides a comprehensive look at how you can use these features to automate FortiGate provisioning.
Why Automate Provisioning? The Benefits are Clear
Automating FortiGate deployment with FortiManager offers several compelling advantages:
- Consistency and Standardisation: Templates ensure that every new FortiGate is configured according to your organisation’s baseline security policies and standards. This eliminates configuration drift and strengthens your overall security posture.
- Rapid Deployment: What once took hours can be accomplished in minutes. Automation allows you to provision new devices for branch offices or network segments with incredible speed.
- Reduced Human Error: Manual configurations are susceptible to mistakes. Automation removes this variable, ensuring that deployments are accurate and reliable every time.
- Scalability: Whether you are deploying ten devices or a thousand, an automated process handles the scale effortlessly. This is essential for growing businesses and large enterprises.
- Operational Efficiency: Freeing up network engineers from repetitive provisioning tasks allows them to focus on more strategic initiatives, such as security analysis and network optimisation.
The Core Components: Scripts and Templates
FortiManager uses a combination of templates and scripts to achieve automation. It’s helpful to understand the role of each.
- Templates: Templates are used to define a standard configuration that can be applied to multiple devices. They are ideal for setting up common objects like firewall policies, addresses, services, and security profiles. You can create a “base” template for all devices and then more specific templates for different roles or locations.
- Scripts: Scripts are used for more dynamic or device-specific configurations that cannot be handled by templates. They typically use the FortiGate Command Line Interface (CLI) syntax. Scripts are perfect for tasks like setting the hostname, configuring interface IP addresses, or setting up static routes which vary from one device to another. FortiManager scripts can use variables to make them reusable.
A Practical Guide to Automating Provisioning
Here’s a step-by-step approach to using FortiManager for automated provisioning.
Step 1: Prepare Your Building Blocks
Before you start deploying, you need to create the necessary templates and scripts.
Creating a Configuration Template:
- Navigate to Device Manager > Provisioning Templates.
- Click Create New and give your template a descriptive name (e.g., Standard-Corporate-Policy).
- In the template editor, you can define firewall policies, security profiles (Antivirus, Web Filter, etc.), and other common settings.
- Build out the configuration that should be standard across all targeted FortiGates.
- Save the template.
Creating a CLI Script:
- Go to Device Manager > Scripts.
- Click Create New > CLI Script.
- Give the script a name (e.g., Set-Hostname-and-IP).
- In the script editor, write the necessary CLI commands. Use variables for device-specific values. Variables are denoted with $(variable_name).
Example Script:
config system global
    set hostname $(hostname)
end
config system interface
    edit "wan1"
        set ip $(wan1_ip) $(wan1_mask)
    next
end
config router static
    edit 0
        set gateway $(gateway_ip)
        set device "wan1"
    next
end
- Save the script. FortiManager will prompt you to define the variables you used (hostname, wan1_ip, wan1_mask, gateway_ip).
Step 2: Combine Templates and Scripts in a Device Group
Device groups are essential for applying configurations to multiple devices at once.
- In Device Manager, create a new device group or use an existing one.
- Assign your provisioning template to the group. Right-click the group, select Provisioning Template, and choose the template you created.
- This makes the template the default configuration for any device added to this group.
Step 3: Add a New FortiGate to FortiManager
When a new FortiGate comes online, you need to add it to FortiManager to be managed. This can be done manually or using pre-authorised keys.
- On the new FortiGate, configure the central-management settings to point to your FortiManager's IP address:
config system central-management
    set type fortimanager
    set fmg "YOUR_FMG_IP"
end
- In FortiManager, go to Device Manager. An "Unregistered Device" notification will appear.
- Authorise the device and add it to the device group you configured in Step 2.
Step 4: Run the Provisioning Script
Once the device is in the group and has the base template applied, you can run the device-specific script.
- In Device Manager, right-click the newly added FortiGate and select Run Script.
- Choose the CLI script you created.
- FortiManager will now prompt you to enter values for the variables (hostname, wan1_ip, etc.) for this specific device.
- Enter the required information and execute the script.
- FortiManager will push the configuration to the FortiGate.
Step 5: Install and Verify
After the script runs, you need to install the configuration changes.
- Go to the Install Wizard in Device Manager.
- Select the device and review the changes. You will see the configurations from both the template and the script.
- Install the configuration to the device.
- Once the installation is complete, log into the FortiGate’s GUI or CLI to verify that the hostname, interface IPs, and other settings have been applied correctly.
Troubleshooting Common Issues
Even with automation, you might run into problems. Here are a few tips:
- Script Fails to Run:
- Syntax Errors: Double-check the CLI commands in your script. Test them directly on a FortiGate to ensure they are valid.
- Variable Mismatches: Make sure the variable names in your script exactly match those defined in FortiManager. They are case-sensitive.
- Template Fails to Apply:
- Firmware Mismatch: Provisioning templates are often tied to a specific FortiOS version. Ensure the target FortiGate is running a compatible firmware version.
- Conflicting Local Configuration: If a new FortiGate has a pre-existing local configuration that conflicts with the template, the installation may fail. It’s best practice to start with a factory-reset device.
- Device Fails to Register:
- Connectivity Issues: Confirm there is a clear network path between the FortiGate and FortiManager on TCP port 541. Check any intermediary firewalls.
- Incorrect FortiManager IP: Verify the set fmg command on the FortiGate points to the correct IP address.
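The Step 1 script and the Variable Mismatches tip above both come down to one check: every $(name) in the script must be defined, with exactly matching case, before anything is pushed. The following added example (not FortiManager's own engine, which does the substitution for you) is a pre-flight linter and renderer you can run offline against a copy of the script; the assumption that wan1_ip, wan1_mask and gateway_ip must hold IPv4 values is a naming convention chosen for this example.

```python
import re
import ipaddress

# FortiManager-style script variable: $(name); names are case-sensitive.
VAR_RE = re.compile(r"\$\(([A-Za-z0-9_]+)\)")
# Variables assumed (by naming convention) to carry an IPv4 address or mask.
IP_VARS = {"wan1_ip", "wan1_mask", "gateway_ip"}
# Constructed copy of the Step 1 CLI script.
SCRIPT = """config system global
    set hostname $(hostname)
end
config system interface
    edit "wan1"
        set ip $(wan1_ip) $(wan1_mask)
    next
end
config router static
    edit 0
        set gateway $(gateway_ip)
        set device "wan1"
    next
end
"""

def find_variables(script):
    """Set of $(...) names referenced by the script."""
    return set(VAR_RE.findall(script))

def check_variables(script, values):
    """List problems: undefined names (case-only mismatches called out) and bad IPs."""
    problems = []
    by_lower = {k.lower(): k for k in values}
    for name in sorted(find_variables(script) - set(values)):
        if name.lower() in by_lower:
            problems.append(f"case mismatch: $({name}) vs defined {by_lower[name.lower()]}")
        else:
            problems.append(f"undefined variable: $({name})")
    for name in sorted(IP_VARS & set(values)):
        try:
            ipaddress.IPv4Address(values[name])
        except ValueError:
            problems.append(f"invalid IPv4 value for {name}: {values[name]!r}")
    return problems

def render(script, values):
    """Substitute every $(name); refuse to render if any check fails."""
    problems = check_variables(script, values)
    if problems:
        raise ValueError("; ".join(problems))
    return VAR_RE.sub(lambda m: values[m.group(1)], script)
```

Running check_variables over your per-device variable sets before Step 4 turns a silent "script fails to run" into a named error, and render shows exactly the CLI that would reach the FortiGate.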
By mastering FortiManager’s scripts and templates, you can create a robust, automated provisioning system. This not only saves valuable time and resources but also builds a more secure and consistent network infrastructure, allowing your organisation to scale with confidence.
