ZTP - Zero Touch Provisioning

Zero Touch Provisioning (ZTP) automates device configuration deployment across your OT network. Design network topologies in Helm, then ZTP generates and deploys device-specific configurations — eliminating manual setup and reducing human error.

How ZTP Works

  1. Design in Helm: Create network topology with device connections, VLANs, and security zones
  2. Generate Manifest: ZTP creates deployment manifests with device-specific configurations
  3. Register Devices: Scan device serial numbers (individual or bulk barcode scanning)
  4. Deploy Configs: ZTP pushes configurations to devices via multiple deployment methods
  5. Monitor Status: Track provisioning progress from pending to fully operational

Supported Device Types

Cisco Industrial Ethernet (IOS-XE)

  • Models: IE-3300, IE-3400 series
  • Config Templates: VLAN setup, port security, QoS, DHCP relay
  • Deployment: DHCP Option 67, per-port DHCP assignment

FortiGate DMZ (FortiOS)

  • Models: FortiGate 60F, 80F, 100F series
  • Config Templates: Firewall policies, VPN tunnels, security profiles
  • Deployment: FortiZTP Cloud integration

Linux Systems (cloud-init)

  • Platforms: Ubuntu Server, CentOS, Rocky Linux
  • Config Templates: Network interfaces, SSH keys, package installation
  • Deployment: PXE boot, USB provisioning

XCP-ng Hypervisor (kickstart)

  • Platform: Citrix Hypervisor, XenServer
  • Config Templates: Storage pools, network bridges, VM templates
  • Deployment: Network installation, kickstart files

ZTP Deployment Methods

| Method | Protocol | Use Case | Device Support |
|---|---|---|---|
| DHCP Option 67 | TFTP/HTTP | Cisco switches, industrial devices | IE-3300/3400, managed switches |
| FortiZTP Cloud | HTTPS | FortiGate firewalls | FortiGate 60F/80F/100F series |
| PXE Boot | DHCP+TFTP | Linux servers, HMI workstations | x86 systems, industrial PCs |
| Per-Port DHCP | DHCP | Port-specific config delivery | Managed switches with DHCP relay |
| cloud-init | HTTP/HTTPS | Cloud instances, VMs | Linux distributions |
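
An added example, not part of the product: a pre-deployment check that uses the method and protocol pairs from the table to flag devices whose generated config contains credentials and whose method can run over TFTP, HTTP or DHCP, none of which encrypts the payload. The manifest field names and the secret patterns are assumptions made for this example.

```python
import re

# Transports per deployment method, copied from the table above.
METHOD_PROTOCOLS = {
    "DHCP Option 67": ["TFTP", "HTTP"],
    "FortiZTP Cloud": ["HTTPS"],
    "PXE Boot": ["DHCP", "TFTP"],
    "Per-Port DHCP": ["DHCP"],
    "cloud-init": ["HTTP", "HTTPS"],
}
# These protocols neither encrypt the payload nor authenticate the server.
CLEARTEXT = {"TFTP", "HTTP", "DHCP"}

# Constructed patterns for credential-bearing config lines (not exhaustive).
SECRET_PATTERNS = [re.compile(p, re.I) for p in (
    r"^\s*enable (secret|password)\b",
    r"^\s*snmp-server community\b",
    r"^\s*username \S+ .*\b(password|secret)\b",
    r"^\s*set (password|psksecret)\b",
)]

def secret_lines(config_text):
    """Return 1-based numbers of lines that look like embedded credentials."""
    return [n for n, line in enumerate(config_text.splitlines(), 1)
            if any(p.search(line) for p in SECRET_PATTERNS)]

def audit_manifest(devices):
    """Flag devices with secrets in a config that can travel in cleartext."""
    findings = []
    for dev in devices:
        exposed = sorted(CLEARTEXT.intersection(METHOD_PROTOCOLS[dev["method"]]))
        hits = secret_lines(dev["config"])
        if exposed and hits:
            findings.append({"device": dev["name"], "transports": exposed, "lines": hits})
    return findings

# Constructed sample manifest; field names are hypothetical, not the product's schema.
SAMPLE = [
    {"name": "ie3300-cell1", "method": "DHCP Option 67",
     "config": "hostname ie3300-cell1\nenable secret EXAMPLE\nvlan 110\nsnmp-server community EXAMPLE ro\n"},
    {"name": "fgt-dmz", "method": "FortiZTP Cloud",
     "config": "config system admin\n    set password EXAMPLE\n"},
    {"name": "hmi-01", "method": "PXE Boot",
     "config": "#cloud-config\npackages:\n  - chrony\n"},
]

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print(finding)
```

Only the switch is flagged: the firewall config also holds a password but is delivered over HTTPS, and the PXE-booted host uses a cleartext transport but carries no credential lines.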

Manifest Lifecycle

Draft

  • Topology imported from Helm
  • Device list populated with MAC addresses
  • Configuration templates assigned
  • Manual review and validation

Ready

  • All devices have registered serial numbers
  • Configuration templates validated
  • Cable schedule generated
  • Ready for deployment

Deploying

  • Configurations pushed to devices
  • Real-time status monitoring
  • Rollback capability available
  • Progress tracking per device

Deployed

  • All devices online and configured
  • Operational status verified
  • Configuration compliance checked
  • Audit trail complete

Device Provisioning Status

| Status | Description |
|---|---|
| Pending | Device in manifest, awaiting serial registration |
| Serial Registered | Device serial number scanned and verified |
| Config Generated | Device-specific configuration created |
| Online | Device provisioned and responding to management |
| Failed | Provisioning error, requires intervention |

Serial Number Registration

Individual Registration

  • Scan device barcode or QR code
  • Manual entry for legacy devices
  • Automatic model detection
  • Serial validation against vendor databases

Bulk Registration

  • Import CSV files with serial numbers
  • Barcode scanner integration
  • Batch processing for large deployments
  • Error validation and duplicate detection
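
The error validation and duplicate detection listed for bulk registration, as an added Python example (not the product's own code). The CSV column names, the serial format and the function name are assumptions; the vendor-database lookup mentioned under individual registration is not modelled.

```python
import csv, io, re
from collections import Counter

# Assumed serial format for this example: 8-16 letters or digits.
SERIAL_RE = re.compile(r"[A-Z0-9]{8,16}")

def validate_bulk(csv_text, manifest, registered):
    """Check a bulk serial import before any serial is bound to a device.

    manifest maps device name -> expected model; registered is the set of
    serials bound in earlier batches. Returns (accepted, errors)."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    serials = [(r.get("serial") or "").strip().upper() for r in rows]
    seen = Counter(serials)
    accepted, errors = {}, []
    for lineno, (row, serial) in enumerate(zip(rows, serials), start=2):
        device = (row.get("device") or "").strip()
        model = (row.get("model") or "").strip()
        if not SERIAL_RE.fullmatch(serial):
            errors.append((lineno, "malformed serial"))
        elif seen[serial] > 1:  # reject every copy, not just the second
            errors.append((lineno, "duplicate serial in batch"))
        elif serial in registered:
            errors.append((lineno, "serial already registered"))
        elif device not in manifest or device in accepted:
            errors.append((lineno, "device not in manifest or repeated"))
        elif model != manifest[device]:
            errors.append((lineno, "model does not match manifest"))
        else:
            accepted[device] = serial
    return accepted, errors

# Constructed sample data: manifest entries and a scanner export.
MANIFEST = {"sw-cell1": "IE-3300", "sw-cell2": "IE-3300", "sw-cell3": "IE-3400",
            "sw-cell4": "IE-3300", "sw-cell5": "IE-3300", "fw-dmz": "FortiGate 60F"}
REGISTERED = {"SN0000000E5"}
BATCH = """device,serial,model
sw-cell1,SN0000000A1,IE-3300
sw-cell2,sn0000000a1,IE-3300
sw-cell3,SN0000000B2,IE-3400
fw-dmz,SN0000000C3,FortiGate 80F
sw-cell4,SN 555,IE-3300
rogue-sw,SN0000000D4,IE-3300
sw-cell5,SN0000000E5,IE-3300
"""

if __name__ == "__main__":
    accepted, errors = validate_bulk(BATCH, MANIFEST, REGISTERED)
    print(accepted, errors, sep="\n")
```

Serials are normalised before comparison, so the same label scanned in different case is still caught as a duplicate, and both rows are rejected rather than letting the first one claim the device.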

Cable Schedule Generation

ZTP automatically generates cable schedules from Helm topology connections:

  • Source/Destination: Device names and port assignments
  • Cable Type: Copper, fiber, power connections
  • VLAN Assignment: Per-port VLAN configuration
  • PoE Requirements: Power over Ethernet specifications
  • Cable Length: Estimated based on rack positions

Event Logging

All ZTP activities are logged for audit compliance:

  • Configuration Changes: Who modified what configuration
  • Deployment Events: When devices were provisioned
  • Status Updates: Device state transitions
  • Error Conditions: Failed deployments with error details
  • Access Logs: User actions and system activities

Integration with Other Modules

Helm Integration

  • Topology Source: Network design drives ZTP manifest creation
  • Device Placement: Rack positions and connections mapped to configurations
  • VLAN Design: Security zones translated to switch configurations

Manifest Integration

  • Device Inventory: ZTP populates asset database with provisioned devices
  • Configuration Management: Track device configs and compliance status
  • Lifecycle Tracking: Monitor devices from deployment to decommissioning

Gateway Integration

  • Config Push: Gateway deploys configurations to managed devices
  • Status Monitoring: Real-time feedback on provisioning progress
  • Secure Transfer: Encrypted configuration delivery

Getting Started with ZTP

  1. Design Your Network

    • Use Helm to create network topology
    • Define VLANs, security zones, and device connections
    • Set device types and configuration requirements
  2. Create ZTP Manifest

    • Import topology from Helm
    • Assign configuration templates to device types
    • Validate device list and requirements
  3. Register Device Serials

    • Use barcode scanner for quick registration
    • Import serial numbers from spreadsheets
    • Verify device models and capabilities
  4. Deploy Configurations

    • Select deployment method (DHCP, PXE, FortiZTP)
    • Monitor deployment progress in real-time
    • Verify device connectivity and configuration
  5. Monitor and Maintain

    • Track device status and compliance
    • Update configurations as needed
    • Generate cable schedules and documentation
  6. Audit and Report

    • Review deployment event logs
    • Verify configuration compliance
    • Generate provisioning reports for stakeholders