To perform Zero Touch provisioning, the device must be properly licensed, the license is always linked to a company's e-mail and to a UUID, this step is essential because the approval and confirmation of the provisioning is sent by e-mail, in addition because all provisioning is tied to the UUID of an appliance.

In addition, for Zero Touch provisioning to work, it is mandatory to have a valid link configured in order to reach the Blockbit license portal in order to validate this license.

Before you configure provisioning, you must have created a Device Template or Policy Package to add to the device during provisioning.


As the GSM policies that are in the header have priority over those of the UTM, It is recommended that when creating a policy package to be used in provisioning, that they are created in the footer for security so that they do not overwrite important permissions of the UTM policies.


When deploying using a policy that uses QoS, it will be necessary to activate the WAN interface in Network - Traffic Shaping, otherwise the policy will not work.


Through the button “Create Device” it is possible to create a new device for provisioning. To access, follow the steps below:

1. Click on the “Create Device” option;


Provisioning – Create Device


2. The "Device" window is made up of the "General", "Network" and "Certificate" tab. When adding a device for provisioning fill the fields with the device settings, basically as if you were going to install a UTM normally. Complete the fields as shown below:


Create DeviceDevice - General


  • Name: Device Name. Ex.: Provisioned Device;
  • Company: Defines the company name. Ex.: Blockbit;
  • User Admin: Enter the same administrator user that was registered during the installation of UTM. Ex.: admin;
  • Password: Enter the password registered during the installation of UTM. This password must be at least eight characters long, contain upper and lower case letters and special characters. Ex.: q1W@e3R$;
  • Device Template: Through this field, it is possible to add the templates created in Device Template for this device;
  • Policy Package: Through this field, it is possible to add the policy packages created in Policy Package for this device;
  • UUID: Enter the UTM's unique identification code, it can be found on the Dashboard - System in the widget license;
  • Description: Device description. Ex .: Provisioned Device Settings.


3. After filling in the fields on the "General" tab, fill in the fields on the "Network" tab, as shown below:


Create DeviceDevice - Network


  • Hostname: Defines the Hostname. It can be anyone as long as it complies with the FQDN - Fully Qualified Domain Name. Ex.: GSM;
  • Language: Select the default languageEx.: English;
  • Timezone: Select the time zone. Ex.: America/Sao_Paulo;
  • Gateway: Sets the default route for the network. Ex.: 176.16.102.1;
  • Suffix DNS: Determines the domain of the network. Ex.: blockbit.com;
  • DNS Server: Defines the network or internet DNS server. Ex.: 176.16.102.161;
  • NTP Server 1: Sets the clock synchronization server. Ex.: a.ntp.br;
  • ETH[]: Activate the desired network interfaces by checking the checkbox;
    • IP Address: Inform which network address the settings will be applied to;
    • Net Mask: Inform which will be the netmask;
    • Network zone: Determine the Network Zone. By default, the default options are: LAN, WAN and DMZ;
    • DHCP Server[]: Enable this checkbox to distribute IP addresses as network devices request connection.


If an IP is defined on the eth0 port, when performing the UTM provisioning, the IP change will be applied replacing DHCP, thus requiring the user to access the IP defined on port 98.


4. After completing the fields on the "Network" tab, complete the fields on the "Certificate" tab, as shown below:


Create DeviceDevice - Certificate


  • Country: Defines the country. Ex.: BR;
  • State: Sets the state. Ex.: Sao Paulo;
  • City: Defines the city. Ex.: Sao Paulo;
  • Organization: Defines the company name. Ex.: Blockbit;
  • E-mail: Sets the administrator email. Ex.: user@blockbit;
  • Organizational Unit: Defines the department. Ex.: QA;
  • Expires (years): Defines the validity time of the certificate. Ex.: 10;
  • Hostname: Sets the FQDN for the certificate. Ex.: utm.blockbit.com.


5. To save changes, click [], otherwise click [] to close the window.


Saved successfully


When saving the settings, a confirmation email will be sent to the address that is registered on the Blockbit License Portal. You will need to click on the link that will appear in the body of the email to actually start provisioning itself.


Provisioning - Confirmation email


A confirmation email will be sent when authorizing provisioning, as shown below:


Provisioning - Provisioning confirmation


It is possible to track the progress of provisioning through the Status and Progress column in the Provisioning tab of the GSM, as shown below:


Provisioning - Provisioning progress


It is also possible to see the provisioning progress through the UTM interface that will be provisioned. As shown in the following image:


Provisioning - Provisioning in progress


This screen will be displayed in Portuguese or English according to the user's browser settings.


If provisioning is completed successfully, an automatic redirection to the login screen will occur, as shown below:


Provisioning - Redirect


When directed to the Login screen, it will probably not be possible to access the system immediately thanks to the completion of the provisioning settings, wait until the access has been released. During this stage it is extremely important not to disconnect the device. If the settings are still being made, a notification will be displayed blocking access when trying to log in. For a more accurate view of the progress of provisioning, check the Status and Progress column on the Provisioning tab of the GSM.


ATTENTION: When performing Zero Touch provisioning, DO NOT turn off the device before you are actually able to log into UTM. Check the Status and Progress column on the GSM Provisioning tab to get a more accurate view of the progress of the procedure. If there is a power outage at any time during provisioning, it is recommended to remove the provisioning that was made in GSM, access the CLI and use the rewizard command on the appliance, so that provisioning is restarted from the initial step and also to restart all installation settings that will be made in the UTM.


If provisioning is successful, the device will be displayed in the Inventory tab, in the same way as a manually linked device.


Provisioning - Device moved to Inventory tab


Upon successful completion of Zero Touch Provisioning, UTM will also automatically have the license validated, being administered by GSM in Central Management, with the deployment of Device Templates and Policy Packages defined in GSM applied.


After finishing configuring Zero Touch Provisioning, if you need to send logs to GSM, access the Settings menu, Administration option, Central Management tab in UTM, check the Enable Manager [] checkbox and configure the Manager Address field with the IP of the GSM logger.


If provisioning is not completed successfully, a panel with two buttons will appear:


Provisioning - Configure Provisioning


If provisioning does not occur because the DNS is unable to provide a valid path to the Blockbit License Portal, click on the button [] so that the panel illustrated below is displayed, it is possible to configure a valid IP so that the UTM can properly license.


ProvisioningAdd a valid IP


Through the option [] it is possible to make the configuration manually, when selecting this option you will be directed to the standard Wizard. This will also happen if the license has expired or expired, the user will be notified and directed to the normal Wizard. For more information on how to configure it, see the UTM Wizard configuration page.


If it is necessary to use the rewizard command on a machine that has already been provisioned, you must first remove it from the GSM Inventory tab.

That done, it will be necessary to create a new provisioning for the machine that has gone through the rewizard.

After these steps, the process is the same.


For more information about the columns on the Provisioning tab click this link for more information about batch provisioning, see this page.