7.0.0

Device groups and provisioning templates

As described in Model devices, a model device behaves similarly to any managed device in FMG. Therefore, the configuration could be done on a per-device basis, using Device Manager.

However, we strongly discourage you from using a per-device method when configuring your Secure SD-WAN Solution. Interactive per-device configuration using Device Manager quickly becomes unacceptable as the number of sites grows, and it cannot be easily replicated to other devices (or to other environments).

For this reason, we recommend relying on two crucial entities in FMG:

  • FGT devices should be grouped into device groups, representing the different types of sites in your project.
  • The right set of provisioning templates should be assigned to each device group. These include System Templates, Certificate Templates, SD-WAN Templates, CLI Templates, and so on, and will be described in more detail throughout this document. The templates generalize the configuration that will be provisioned on your FGT devices.

Ad-hoc per-device configuration should be reduced to a minimum. It should be limited mainly to setting per-device meta fields (variables) and assigning the device to the right device group, which automatically leads to the assignment of the right set of provisioning templates.

Note

The use of device groups and provisioning templates is always encouraged, whether or not you are planning to use zero-touch provisioning. Good reusable templates are the key to a successful large-scale Secure SD-WAN deployment!
