Zero Touch Provisioning Fortigates

After recently exploring HPE/Aruba ZTP, I found myself truly captivated by the potential of FortiGates doing Zero Touch Provisioning.

I’ve been contemplating a solution that deploys a bootstrap server for remote site installations. Whether the targets are clients or servers, the approach is a network boot environment, which can be delivered by a micro-server, a Raspberry Pi, or even a USB boot stick that brings up the DHCP server the devices boot from.

The process of booting and retrieving configurations from a networked server is well-supported by HP/Aruba switches.

However, as I explored replicating a similar workflow with FortiGate devices, I soon realized that it requires a reachable FortiManager, whose address can be handed to the firewall via a DHCP vendor option. This requirement can pose a significant challenge where no Wide Area Network (WAN) connection is available, such as remote locations or environments with no internet connectivity at all. In branch locations, connectivity to a data center might depend on an IPSec VPN tunnel on the FortiGate, but the gateway itself still needs to be installed first.

I would highly appreciate it if Fortinet would consider implementing a feature that lets the firmware itself drive a network-based provisioning process. It would be especially beneficial if this feature could also be backported to FortiOS 6.0. In this proposed scenario, the firmware would automatically query a DHCP server on one of its interfaces to acquire the TFTP server address and the name of the configuration file to fetch. Naturally, it’s essential that this feature deactivates itself automatically once any configuration change has been made.

Until such a feature becomes available, one potential solution lies in the implementation of an automated installation using a USB stick. This USB stick would contain both the necessary firmware and configuration settings, potentially serving as an effective workaround for this challenge.

So, what could this solution look like?

Fortinet indeed offers support for auto installation via USB sticks. However, when you insert a USB stick into a Linux server, the question arises whether the stick is new or has been used before. To prepare it safely for auto installation, we must check for the presence of a partition on the stick, and if one exists, inspect its contents before touching it.

To streamline this process, Ansible can be used to produce the USB stick. With the information available on the staging server, Ansible can generate the necessary configuration from a Jinja2 template. After that, the USB stick can be formatted with a FAT32 partition to hold the FortiGate installation files.

However, this requires customizing systemd to detect newly connected USB drives and run the checks that decide whether a drive may be reformatted with a FAT32 partition. Only then can the required files be copied to the drive.
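The following is an added example (not code from the original post) of the decision logic such a systemd/udev hook could call before it wipes anything. It consumes the JSON that `lsblk -J -o NAME,TYPE,TRAN,RM,FSTYPE,LABEL,MOUNTPOINT /dev/sdX` prints and, for an already partitioned stick, the list of files found on that partition. The verdict rules (whole removable USB disk only, never a mounted system volume, at most one FAT partition, and only FortiGate auto-install files on it) are my assumptions about what a safe hook should require; the sample `lsblk` documents are constructed.

```python
"""Triage a newly attached block device before an automated FAT32 reformat.

Added example: refuse to format anything that does not look like a blank or
previously prepared FortiGate auto-install stick. Sample inputs are constructed.
"""
import json
import subprocess

# Files FortiOS expects on the stick (the defaults of default-config-file and
# default-image-file) plus the descriptor file proposed in the post.
KNOWN_FILES = {"fgt_system.conf", "image.out"}
MARKER = "format-me.yml"
# Mount points that must never be reformatted by an automatic hook.
SYSTEM_MOUNTS = {"/", "/boot", "/boot/efi", "/home", "/usr", "/var"}
LSBLK_COLUMNS = "NAME,TYPE,TRAN,RM,FSTYPE,LABEL,MOUNTPOINT"


def lsblk_json(device):
    """Query a real device; the offline demo below uses constructed documents."""
    proc = subprocess.run(["lsblk", "-J", "-o", LSBLK_COLUMNS, device],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def _is_set(flag):
    # Recent util-linux prints booleans as true/false, older versions as "0"/"1".
    return flag in (True, 1, "1", "true")


def triage(lsblk_doc, partition_files=None):
    """Decide what the hook may do with the device.

    Returns (verdict, reason). verdict is 'format' (safe to wipe and write),
    'inspect' (mount read-only, list the files, call again with the list) or
    'refuse'.
    """
    devices = lsblk_doc.get("blockdevices", [])
    if len(devices) != 1:
        return "refuse", "expected exactly one top-level device"
    dev = devices[0]
    if dev.get("type") != "disk":
        return "refuse", f"{dev.get('name')} is not a whole disk"
    if dev.get("tran") != "usb" or not _is_set(dev.get("rm")):
        return "refuse", f"{dev.get('name')} is not a removable USB device"
    parts = dev.get("children", [])
    if not parts:
        return "format", "blank device"
    if len(parts) > 1:
        return "refuse", "more than one partition, not a FortiGate stick"
    part = parts[0]
    if part.get("mountpoint") in SYSTEM_MOUNTS:
        return "refuse", f"{part.get('name')} is mounted at {part['mountpoint']}"
    if part.get("fstype") != "vfat":
        return "refuse", f"unexpected filesystem {part.get('fstype')!r}"
    if partition_files is None:
        return "inspect", "FAT partition present; list its files before deciding"
    stray = sorted(set(partition_files) - KNOWN_FILES - {MARKER})
    if stray:
        return "refuse", f"partition holds foreign files: {stray}"
    return "format", "only FortiGate auto-install files present"


# Constructed lsblk output for three situations the hook will meet.
BLANK_STICK = {"blockdevices": [
    {"name": "sdb", "type": "disk", "tran": "usb", "rm": True}]}
USED_STICK = {"blockdevices": [
    {"name": "sdb", "type": "disk", "tran": "usb", "rm": True, "children": [
        {"name": "sdb1", "type": "part", "fstype": "vfat", "label": "FGT",
         "mountpoint": "/media/usb"}]}]}
INTERNAL_DISK = {"blockdevices": [
    {"name": "sda", "type": "disk", "tran": "sata", "rm": False, "children": [
        {"name": "sda1", "type": "part", "fstype": "ext4", "mountpoint": "/"}]}]}

if __name__ == "__main__":
    for label, doc in ("blank", BLANK_STICK), ("used", USED_STICK), ("internal", INTERNAL_DISK):
        print(label, triage(doc))
    print("used+ours", triage(USED_STICK, ["fgt_system.conf", "image.out"]))
    print("used+foreign", triage(USED_STICK, ["fgt_system.conf", "photos.zip"]))
```

The hook should be wired so that a "refuse" verdict is the default for anything unexpected; an automatic formatter that runs on every hotplug event is exactly the kind of tool that will eventually meet a backup drive or the wrong server.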

The complexity grows when dealing with firewall clusters or multiple firewalls. Ensuring that the firmware image on the stick matches the firewall hardware becomes paramount, as there is no one-size-fits-all image. Likewise, the configuration file must precisely match the firewall hardware so that all the necessary interfaces are defined. One possibility would be to place a file on the USB drive, named for example “format-me.yml”, containing the information needed to create the configuration file.
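As an added example (not from the original post or from Fortinet), this script turns the data a format-me.yml descriptor would carry into the two files the stick needs: the configuration file and the path of the staged firmware image. The descriptor is passed in as a Python dict (in the Ansible flow described above the same data would feed a Jinja2 template); the hardware catalogue, the image inventory and the sample descriptor are constructed placeholders, not real Fortinet model data or image file names. The config it renders only uses the CLI blocks that appear on this page; a real FortiOS configuration file additionally begins with a `#config-version=` header tied to model and build, which is deliberately left out because its value has to come from a backup of the target platform.

```python
"""Validate a format-me.yml descriptor against the target hardware and render
the FortiGate auto-install payload. Added example with constructed data.
"""
import ipaddress
import re

# Constructed catalogue: interface names that must exist on each model.
HARDWARE = {
    "FGT60F": ["wan1", "wan2", "dmz", "internal1", "internal2"],
    "FGT40F": ["wan", "a", "b"],
}
# Constructed inventory of staged images (placeholder names, not real files).
IMAGES = {
    ("FGT60F", "6.4"): "staging/images/FGT60F-6.4-PLACEHOLDER.out",
    ("FGT40F", "6.4"): "staging/images/FGT40F-6.4-PLACEHOLDER.out",
}
HOSTNAME_RE = re.compile(r"[A-Za-z0-9-]+")


class DescriptorError(ValueError):
    """format-me.yml does not match the hardware or is malformed."""


def validate(desc):
    """Return the image path for the descriptor, or raise DescriptorError."""
    model = desc.get("model")
    if model not in HARDWARE:
        raise DescriptorError(f"unknown model {model!r}")
    image = IMAGES.get((model, desc.get("firmware")))
    if image is None:
        raise DescriptorError(f"no staged image for {model} {desc.get('firmware')}")
    # Hostnames end up quoted inside the config; restrict them to a safe charset
    # so a descriptor cannot smuggle extra config lines in.
    if not HOSTNAME_RE.fullmatch(str(desc.get("hostname", ""))):
        raise DescriptorError("hostname must be alphanumerics and hyphens")
    wanted = [i["name"] for i in desc.get("interfaces", [])]
    unknown = sorted(set(wanted) - set(HARDWARE[model]))
    if unknown:
        raise DescriptorError(f"interfaces not present on {model}: {unknown}")
    if desc.get("gateway_device") not in wanted:
        raise DescriptorError("gateway_device must be a configured interface")
    for i in desc["interfaces"]:
        ipaddress.ip_interface(i["ip"])  # raises ValueError on garbage
    ipaddress.ip_address(desc["gateway"])
    return image


def render_config(desc):
    """Render the config file; assumes validate() has already passed."""
    lines = ["config system global", f'    set hostname "{desc["hostname"]}"', "end",
             "config system interface"]
    for i in desc["interfaces"]:
        addr = ipaddress.ip_interface(i["ip"])
        lines += [f'    edit "{i["name"]}"',
                  f"        set ip {addr.ip} {addr.network.netmask}",
                  f"        set allowaccess {' '.join(i.get('allowaccess', ['ping']))}",
                  "    next"]
    lines += ["end", "config router static", "    edit 1",
              f"        set gateway {desc['gateway']}",
              f'        set device "{desc["gateway_device"]}"', "    next", "end",
              # Switch the USB auto-install off again so the stick cannot be
              # replayed on a later boot; verify on the target firmware that
              # this takes effect as intended.
              "config system auto-install", "    set auto-install-config disable",
              "    set auto-install-image disable", "end"]
    return "\n".join(lines) + "\n"


def build_payload(desc):
    """Map the two file names FortiOS looks for to their content/source."""
    image = validate(desc)
    return {"fgt_system.conf": render_config(desc), "image.out": image}


# Constructed descriptor, i.e. what format-me.yml would contain after parsing.
SAMPLE = {
    "hostname": "branch-01", "model": "FGT60F", "firmware": "6.4",
    "interfaces": [
        {"name": "wan1", "ip": "192.0.2.2/24", "allowaccess": ["ping", "https", "ssh"]},
        {"name": "internal1", "ip": "10.10.0.1/24"},
    ],
    "gateway": "192.0.2.1", "gateway_device": "wan1",
}

if __name__ == "__main__":
    payload = build_payload(SAMPLE)
    print("image.out <-", payload["image.out"])
    print(payload["fgt_system.conf"])
```

Running it prints the rendered configuration and the image that would be copied to the stick as image.out; swapping the model in the descriptor to one whose interface names do not match raises DescriptorError instead of producing a config for the wrong box.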

This naturally leads to the question of how to notify the user when the USB stick is ready or when an error occurs. Additionally, making sure the stick ends up in the correct device without any mishaps is another challenge that demands some additional thought.

USB auto install

Description: Configure USB auto installation.

config system auto-install
    set auto-install-config [enable|disable]
    set auto-install-image [enable|disable]
    set default-config-file {string}
    set default-image-file {string}
end

https://docs.fortinet.com/document/fortigate/6.4.0/sd-branch-retail-playbook/416429/zero-touch-provisioning

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/861490/zero-touch-provisioning-with-fortimanager

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-perform-zero-touch-provisioning-with/ta-p/197623
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Automatic-installation-of-Firmware-and-system/ta-p/197938
https://docs.fortinet.com/document/fortigate/6.2.1/cli-reference/102620/system-auto-install

Photo by Jordan Harrison on Unsplash