Fortinet FortiZTP how to setup guide / FortiLAN Cloud / FortiGate Cloud / FortiManager

Captions
Perfect, all right. Hello, my name is Simon Chen. I'm one of the sales engineers over here at Fortinet. With me I have Alex Pavlock. We are going to be doing a zero touch provisioning SC challenge.

So, a couple of disclaimers. In an ideal world, when you're doing zero trust provisioning, especially for a customer, there will be a large set of equipment. This can be a combination of FortiGates, FortiSwitches and FortiAPs. All of those devices usually have a sticker on them which has the FortiCloud key, which is required to load those assets onto the customer's account. In order to make that process a lot easier and smooth, streamlined and smooth, we have a separate SKU called FortiDeploy, which aggregates all of the FortiCloud keys under a single key, and then that FortiDeploy key then can be loaded onto a customer's FortiCloud account, populating all of the assets that are falling under that key. Otherwise what ends up happening is you have to wait for the products to arrive, load those keys in order to have those assets show up, and then provision them, which sort of defeats the purpose of zero touch provisioning. So through the usage of FortiDeploy, you're going to get that key before the product even arrives, load those assets, provision those things, so the moment that those solutions are plugged in and it has internet access, they will be provisioned properly.

We internally do not have the ability to require, get a FortiDeploy key; it just doesn't work that way. So we are going to try to replicate. What we are going to do is, alternatively, we have a device with the FortiCloud key we receive. We're going to load the key first to replicate the process of getting the FortiDeploy key in that ideal world. It should populate fairly quickly. We're going to be able to provision and customize things utilizing, I think we're going to use either FortiManager or FortiLAN Cloud, and then plug in the device so it has internet connectivity to reach out to the
FortiGuard servers and know how the communication should be able to look. So that's the general summary of, like, how things are going to go. So, is there anything you wanted to add, Alex?

Once you do get it provisioned within FortiZTP, it should start checking into whatever management device that you've chosen. Could be FortiGate Cloud, could be FortiManager or FortiManager Cloud. Once it does actually get checked into there, it can be automatically assigned to, like, templates or pre-done configurations, so it would download those configurations and then automatically apply those. So that's what the whole process looks like.

I just sort of wanted to add that on. The first thing that a device, our solutions, do usually when they connect to the internet is try to reach out to FortiGuard servers, and then usually FortiGuard service is instructing where that management solution is going to be, to Alex's point, whether it's FortiManager VM, FortiManager Cloud or, you know, FortiGate Cloud, whatever it is. Yeah, so cool, I think we're good. Yeah, I think we can go ahead and start.

So right now we have a solution that we received. We did not load the 45 key or anything like that, so if we check FortiZTP or asset management, it's not there at all. So we're gonna log in, just double check and verify it's not there, and then, as I mentioned before, because we can't do FortiDeploy but we can pre-load the FortiCloud key and replicate it as if we haven't received it, we're going to go through that process.

Nothing shows up in the IC manager. Go into the FortiCloud account to access FortiZTP. Obviously if you look at the unprovisioned, there's some devices, but none of the one that we specifically ordered for, specifically for this SC challenge. It doesn't really matter all that much because, like I said, the whole point of the process is that it shows up and populates, so whether that's through the serial number or the FortiDeploy key, it really doesn't
matter, because it still functions the same way in that it will show up on the asset list.

Yeah, I feel like it should be serial, because the FortiDeploy key, that is claiming serial numbers in bulk, correct? Yeah, on the back note, yeah, their serial numbers associated to the Forti, it's not claiming the cloud keys, correct. But you do do the FortiDeploy bulk SKU in the FortiGate Cloud. Okay, well, I guess it shows up here. I don't know, that's really weird. Okay, I think it, okay, I'll add it later do, because I do have a support con, it needs support on it to, yes, go to ZTP. So let me look that up really quick. I have that. All right, registration is complete.

Okay, so let's just double check and let's see if it's on the product list for my assets, I guess. Yeah, my assets. Yeah, that's right, that's the one, right? a23, yeah. Click go to my assets just real quick on the left hand side. Where are you going from here? Go to FortiZTP and just show up there. Was it that one? Yes.

So what you can do here is you can check my checkbox supporters what your favorite number of devices in a given location or whatever, or you can do a fleet of them, check it, and then you will hit, choose to provision it to a specific thing. So if you actually go to the settings on the right hand side, you can see some of the options that would theoretically be available to you. So that is something you could double check. So on the top right, middle-ish, if you hit the settings button, these are just all the options. So obviously FortiGate, it'll give you FortiManager, FortiGate Cloud or FortiManager Cloud; for the APs I believe it's FortiLAN Cloud. And then, yeah, you can tie it, if you have a remote FortiGate VM you can specify all that information, so you can pre-populate all of the provisioning targets for that these devices are going to be loaded up to, into, right here. So, but once you checkbox and highlight specific unprovisioned devices, you will get that provision button pop-up
that Alex was showing off.

There are additional disclaimers to be aware of when loading the FortiDeploy bulk keys. You might have a combination of FortiGates only, FortiGates with FortiAPs and FortiSwitches, maybe just FortiAPs and FortiSwitches, depending on what your needs are. If you are loading them in, ideally you're going to be going through your FortiCloud account. For your FortiGates, you're gonna get, use the FortiDeploy bulk key in the FortiGate Cloud section, so when you're registering it you're doing that as normal. If your environment would be just APs and switches, you would go into the asset management portal that Alex is showing off right now. Just go there, go into the product section or the Register Now button, put in the key, and then all of them would populate. Either way, whether you're using FortiCloud asset management or FortiGate Cloud, whichever combination of products you ultimately have, the FortiDeploy bulk key will work and it will populate under your specific account. So if you're doing just FortiGates exclusively with FortiDeploy key, this is that view that Alex is showing off right now: you would go into FortiGate Cloud, type in the FortiDeploy key, and then going from there.

Obviously for our use in this particular SC challenge, we can't get the FortiDeploy key, so what we've done is we've replicated the process by acting as if we have registering the device before the device actually arrives on site and connecting so it has the ability to reach the internet and therefore our FortiGuard services. So we've already done that process right here. So I think it's at the bottom, or right here. So right there, yeah. So as Alex is hiding, the FortiSwitch is already loaded into our asset, and because it's loaded into our asset, if we go into the FortiZTP portal it should therefore already be ready for selection. It'll just be under the unprovisioned tab. So you can access it directly from the FortiCloud portal; you just need to do
the drop down. And as you can see here, there are other devices that are unprovisioned, but the one we specifically care about is the one that we just loaded in, which is that FortiSwitch, which is unprovisioned. If you select it, you will have the ability to provision to a specific target. It might be a singular one or it might be a multiple. I think in Alex's environment there are multiple provisioning targets that he can theoretically choose from. So in this situation he can provision it to FortiLAN Cloud, because this particular switch actually has FortiLAN Cloud licenses associated with it.

Alex, if you don't mind unhighlighting that switch. If you'll want to see all of the provisioning options that are theoretically available from a product standpoint, you would click on the settings section, and the settings will let you know: for the FortiGate, if you wanted to provision it, you can provision to your own FortiManager VM, and then you would specify where that is, the FortiGate Cloud if that's the method you're choosing, or the FortiManager Cloud. For the FortiAPs, it's gonna be pretty straightforward: you're going to be doing it to the FortiLAN Cloud. And then for the FortiSwitches, it will be either through the FortiLAN Cloud. The reason why the FortiSwitches and FortiAPs won't necessarily show up with the FortiGate, FortiManager or anything like that here is because if you're plugging them in directly into the FortiGate, the FortiGate will automatically gain control of the FortiAPs and FortiSwitches. So you have the ability, when you're provisioning the FortiGate from here, it'll provision automatically the FortiSwitches and FortiAPs. So pretty straightforward for the most part.

In this particular example, though, Alex has the FortiLAN Cloud associated with this particular switch, so that's what we are going to ultimately do. And then in here you're obviously just picking, like, the data center that it's checking into, so pick based on geographic
location. Just pick which one is applicable to you. So the provisioning works. I think it'll take a quick second to refresh. Once it does, if you go into the provision section, that switch will theoretically populate, and as you can see it's right there automatically. So you can do that, and right now we are just assuming that the device has not arrived at the location. So what we can do is we can actually go into the FortiLAN Cloud dashboard, we can see that the switch is already there, make changes, provision it to our liking, and the moment that the switch would theoretically connect into the internet, you would have the ability to already pre-load all those configurations onto that device itself.

Yeah, and as you can see here now, I am showing my FortiLAN Cloud account, and you can see that the switch is now in my inventory. It's showing as offline once it hasn't arrived yet; we were just assuming it hasn't arrived yet and it's not yet. Once it is in your inventory, now you can start assigning it to specific networks within FortiLAN Cloud, and you can put tags on it to tag it to specific templates and assign it configurations. So then once it does connect up to the internet and it can connect to FortiLAN Cloud, FortiLAN Cloud will push down the applicable configurations to it based on how you've tagged it.

Yep. Do a lot of the pre-work ahead of time and it's true zero touch provisioning, really. Yes. You can see the entire process here for getting a FortiDeploy key, claiming that key, whether it's in FortiGate Cloud or, if it's switches or access points, directly into your asset management; once you've claimed that, coming into FortiZTP portal; once it's in your unprovisioned section, provisioning it to whatever management console that you're using, whether that's FortiManager, FortiManager Cloud, FortiGate Cloud or FortiLAN Cloud. Yep.

So I just did want to touch on, once this does get provisioned and allocated to the FortiLAN Cloud, what the actual provisioning looks like
within FortiLAN Cloud. So this is going to be the global view from your FortiLAN Cloud account, and you can see that this switch is in our devices here. Coming back to the dashboard, this is going to be all of your networks that you've created in here. Typically you're going to have a network for each location that you have. I only have one location, so I just have one network. So if we come into this specific network here, and then we come under switches, and then switch, and then switches, this is where my one of was provisioned. This was done automatically for me, scientific network, because I only have one, so automatically just added it to this network.

Once it is within this network, under your configuration options we have zero touch config tab right here, and then this is where you're actually going to be assigning it the specific configurations you want, like the VLANs are allowed on which port, if it has any, like, layer 3 routing to be done on it. So I did create a template here already for it, but if you just click the add button, this is where you're gonna actually create your template for your devices. You can do this based on tag, so you can assign a tag to switches, and then based on whatever tag's assigned to it, it would get pushed a configuration file. We can also do this based on model, which is another really good use case, so if you're adding specific models, each model will have a specific config to it. A little bit easier way of doing it than assigning tags to all the different switches that you have. So this is the route that I chose, so I went with model. You just sort of pick which model that's going to be applied into your FortiLAN Cloud, so we have a 108F. We're going to apply this based on whenever it is first checked in to FortiLAN Cloud, so right when it checks in it's going to be sent this. You could also do it on a schedule if you wanted to. You can assign it a specific firmware that you want to run on, so you have all
the different firmware options. And then this is where you're going to get into, like, the nitty-gritty of the config. So you can do it via CLI if you wanted to. If you want to use the GUI, you just click on GUI, and then this is where you're going to be doing all of your configurations for the switches. So if you come into interfaces and then we click the add button, we can apply this to a single port; you can select multiple ports to assign VLANs to. So if we're just doing, like, VLAN, port one, we're just gonna use it on port one. This is where you're going to be assigning it the, for Fortinet terminology, the native VLAN ID; for Cisco terminology this would be the access VLAN. So if our network's running on VLAN 100, this is where you assign the port to this VLAN. You can do a little bit of trunking stuff with allowed VLANs, untagged VLANs and so on.

And then we have a couple different options within this. You can disclude some serial numbers from getting this configuration. So if we're doing this based on model, so all 108Fs are going to get applied to this, but then you have one specific switch that is an outlier in terms of this template, you can exclude it from this. And then you just go ahead and click save, and that's basically all you need to do. So now once this switch gets provisioned and it gets assigned to this network, it's going to see that this is a 108F, so it will apply this template to that switch. Once that switch checks into FortiLAN Cloud, it would get pushed down this configuration.

Yep, and as you can see on the right hand side, the status is off right now. You'll just enable it and then choose to action, you know, to automatically have switches, when they connect, to receive these configurations.

Yep, and you also can have, as you can see here, you can have multiple zero touch configurations done, so if we have different models you can just create another one for whichever model that you are applying here.

Yep. Any final
comments that you have, Simon?

Because the devices do need to reach out to our FortiGuard servers in order to make this possible, you do need internet connection at your location and the ability to, you know, establish communication to our FortiGuard servers to understand which provisioning target needs to go to. So just understand that internet is required for this.

So perfect, thanks guys. Thank you for taking the time to watch the video. Any other questions, comments or any assistance as needed, just go ahead and throw a comment in here and we'll go ahead and help. Thanks.
Info
Channel: Alex Pavlock
Views: 1,390
Keywords: Fortinet, FortiZTP, FortiGate Cloud, FortiLAN Cloud, FortiManager, FortiManager Cloud
Id: wp_geAuS3vo
Length: 20min 5sec (1205 seconds)
Published: Fri Aug 25 2023