You can use this feature only when the FortiGate boots up from factory reset. This feature is for FortiGate devices that cannot access the Internet.
A DHCP server includes option 240 and 241 which records FortiManager IP and domain name. FortiGate has an interface with the default DHCP client mode that is connected to the DHCP server in the intranet.
The FortiManager admin can authorize the FortiGate the specific ADOMs and install specific configurations on the FortiGate.
In the whole operation, you do not need to do any manual configuration on the FortiGate except connect to the DHCP server. This is called zero touch deployment.
To prevent spoofing, if a different FortiManager IP comes from the DHCP server later, FortiGate does not change the central management configuration.
config system dhcp server edit 2 set dns-service default set default-gateway 172.16.200.254 set netmask 255.255.255.0 set interface "wan1" config ip-range edit 2 set start-ip 172.16.200.201 set end-ip 172.16.200.209 next end set timezone-option default config options edit 1 set code 240 set type ip set ip "172.18.60.115" next end next end
- Boot the FortiGate in factory reset.
G201E4Q17901047 # diagnose fdsm fmg-auto-discovery-status dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=0
config-touched=0means no configuration change from the default.
- When FortiGate boots in factory reset, it gets the DHCP lease including IP, gateway, DNS, and the FortiManager IP/URL. Central management is automatically configured by using FortiManager IP in option 240.
FG201E4Q17901047 # show system central-management config system central-management set type fortimanager set fmg "172.18.60.115" end
- If FortiGate changes from factory reset, you can see it in central management in
FG201E4Q17901047 # diagnose fdsm fmg-auto-discovery-status dhcp: fmg-ip=172.18.60.115, fmg-domain-name='', config-touched=1(/bin/dhcpcd)
Example of a spoofing DHCP server with a fake FortiManager IP
config options edit 1 set code 240 set type ip set ip "172.18.60.117" end
After FortiGate reboots and gets DHCP renew, central management will not use the fake FortiManager IP because
config-touched=1 shows that the FortiGate is not in factory reset.
FG201E4Q17901047 # diagnose fdsm fmg-auto-discovery-status dhcp: fmg-ip=0.0.0.0, fmg-domain-name='', config-touched=1(/bin/dhcpcd) FG201E4Q17901047 # show system central-management config system central-management set type fortimanager set fmg "172.18.60.115" end