Zero-Touch Provisioning in Fortinet SD-WAN Deployments: A Practical Guide
I harken back to the early 90s, starting my days as a network admin in '93, tussling with the beast that was the PSTN for both voice and data. Those were the days before everything was cloud this or AI that. Hell, I came up against the Slammer worm; it was quite an education in network disaster recovery! Fast forward to today, now running my own security shop P J Networks, and here I am, buzzing from my trip to DefCon, still excited from the Hardware Hacking Village.
But enough history. Speaking of exciting (and far less horrifying) things: Zero-Touch Provisioning (ZTP) in Fortinet-based SD-WAN deployments at scale. It is on my mind because we have been asked to help roll these beasts out for big clients, including three banks that put in a zero-trust architecture not so long ago.
Automation Benefits
Here’s the kicker — manual provisioning at scale in big SD-WAN deployments just doesn’t work – it’s like hand-cranking every engine in a new fleet of cars. Yes, you can manually do it, but with all the burden on your team and the possibility of mistakes? Massive.
Automation through ZTP
- Rapid deployments that free your team to do security and monitoring instead of babysitting box setups.
- Slashes human error. I can tell you that more times than I can count in my career I have come across a misconfigured ACL or a poorly designed (read: insecure) VPN tunnel, and it ain't pretty.
- Keeps every device in sync. We insist on consistency at P J Networks; it is the difference between dependable performance and a thousand helpdesk tickets.
- Scales without the workload growing along with it.
Except here’s the rub: Automation is no silver bullet. Your processes and templates need to be bulletproof.
Provisioning Workflow
Stay with me here — the provisioning begins with some basics:
- Devices ship from distribution in as close to factory-default state as possible.
- Network access to your provisioning server, typically discovered via DHCP and fetched over TFTP or HTTP. Bear in mind that TFTP and plain HTTP give you no authentication or integrity protection, so that bootstrap segment has to be trusted, and the device should verify the server (HTTPS with a known CA) before it applies anything it downloaded.
We at P J Networks use the FortiGate ZTP feature with Ansible playbooks driving the workflow (more on that under Template Management). The flow goes like this:
- The device boots and retrieves its provisioning details
- It contacts our central provisioning server
- It receives a baseline config generated from an Ansible playbook
- It reports success or failure back to our NOC for monitoring.
And yeah — this is not a script that you roll out and let go. It’s a living, breathing system, one that evolves with constant adjustments based on feedback from the field.
Template Management
Templates are where I get a bit nerdy, but sorry: this is important. Templates are your recipe cards, written precisely so that your cooks, the network devices, produce the same dish every time.
At P J Networks we use layered templates:
- Base template: Basic security configuration, logging, core interfaces
- Region customization: localized rulesets to meet local regulations or client demands
- Service templates: VPNs, WAN opt settings, SD-WAN rules
Why layered? Because it takes the pain out of updates. Need to change a security baseline? Update the base template. Want to fine-tune QoS for a specific region? Touch that layer only.
We are big on Ansible; if you have not met, it is like a helpful sous-chef for automation. It is what makes pushing templates to hundreds of FortiGates sane, even when you are bouncing between three major clients.
Quick aside — I detest some AI-driven template generators on the market. Ever seen one barf out configs that break logging? Yeah, me too. If you are into talking to black boxes, yes. But I have faith in my own playbook, which is now fully codified and tested and debugged.
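The hand-off step of the provisioning workflow above and the layered template model from this section, written out as an added example in plain Python. This is not P J Networks' playbook and not Fortinet code: the serials, inventory, addresses and template contents are all constructed for illustration, and only flat FortiOS sections (config / set / end, no edit/next tables) are rendered. The security-relevant bit is the inventory gate: a box whose serial we do not know gets no configuration at all.

```python
# Added example (not P J Networks' playbooks, not Fortinet code): inventory-gated
# hand-off plus base -> region -> service -> device template layering, rendered as
# FortiOS CLI. All serials, addresses and template contents are constructed.

# Constructed inventory: the serials we expect to call home, and which layers apply.
INVENTORY = {
    "FGT60FTK2109ABCD": {"hostname": "br-mum-01", "region": "in-west", "services": ["sdwan", "ntp"]},
    "FGT60FTK2109EF01": {"hostname": "br-lon-01", "region": "uk", "services": ["sdwan"]},
}

# Base layer: every device gets this. Keys are "config <path>" sections holding
# "set <key> <value>" pairs (flat sections only; edit/next tables are out of scope).
BASE = {
    "system global": {"admin-sport": "8443", "admintimeout": "10"},
    "log syslogd setting": {"status": "enable", "server": "10.0.0.5", "mode": "reliable"},
    "system dns": {"primary": "10.0.0.53", "secondary": "10.0.1.53"},
}

# Region layer: local log collector and resolver, overriding the base values.
REGION = {
    "in-west": {"log syslogd setting": {"server": "10.10.0.5"}, "system dns": {"primary": "10.10.0.53"}},
    "uk": {"log syslogd setting": {"server": "10.20.0.5"}},
}

# Service layer: feature blocks a site may or may not receive.
SERVICE = {
    "sdwan": {"system sdwan": {"status": "enable", "load-balance-mode": "source-ip-based"}},
    "ntp": {"system ntp": {"ntpsync": "enable", "syncinterval": "60"}},
}


def merge_layers(*layers):
    """Merge section dicts in order; a later layer wins on the same key, so the
    call order encodes precedence. The input layers are never mutated."""
    merged = {}
    for layer in layers:
        for section, settings in layer.items():
            merged.setdefault(section, {}).update(settings)
    return merged


def render_cli(config):
    """Emit FortiOS CLI in the config / set / end form, sections sorted so the
    same merged config always renders to identical text (easy to diff in review)."""
    lines = []
    for section in sorted(config):
        lines.append(f"config {section}")
        for key in sorted(config[section]):
            lines.append(f"    set {key} {config[section][key]}")
        lines.append("end")
    return "\n".join(lines) + "\n"


def provision(serial):
    """Hand-off for a device that has just called home with its serial number.
    An unknown serial gets nothing: it is either an inventory typo or somebody
    else's hardware, and neither should receive our configuration."""
    entry = INVENTORY.get(serial)
    if entry is None:
        raise LookupError(f"serial {serial} not in inventory; refusing to provision")
    layers = [BASE, REGION.get(entry["region"], {})]
    layers += [SERVICE[name] for name in entry["services"]]
    # Per-device layer goes last so nothing in a shared template can clobber the hostname.
    layers.append({"system global": {"hostname": f'"{entry["hostname"]}"'}})
    merged = merge_layers(*layers)
    return {"serial": serial, "hostname": entry["hostname"], "config": merged, "cli": render_cli(merged)}


if __name__ == "__main__":
    print(provision("FGT60FTK2109ABCD")["cli"])
```

Running it prints the merged CLI for the Mumbai branch: the region layer has replaced the syslog server and primary DNS, the two service blocks are present, and the hostname sits in its own final layer. Swap the serial for one that is not in the inventory and the call refuses rather than handing out a config.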
Remote Staging
The pandemic brought many changes, and one it accelerated was remote staging: bringing devices up at their final location with no need for boots on the ground.
Here’s how we nail this:
- Devices ship directly to the branch location (or a warehouse)
- Local staff plug them in; that is all the training they need
- Our systems kick in and auto-provision the gear over the network
So, no expensive travel or downtime. And no calls an hour before opening time that say, “that’s not working!”
But take care: remote staging becomes a nightmare without decent error handling (next section). Without it you are flying blind.
Error Handling
No process is perfect, right? Automation can fail even with the best of intentions:
- Network hiccups
- Configuration mismatches
- Authentication failures
Our P J Networks NOC monitors provisioning continuously. A failure alert means we are on it before the client knows something went sideways.
Here’s what we recommend:
- Centralized logging of every provisioning attempt, success or failure
- A staging environment that mirrors production: same firmware, same template versions, same runtime configuration and resources, with whatever differences remain written down and reviewed
- Automated notifications (Slack, email, pager, whatever you like)
- Rollback playbooks that return a device to a known-safe state when something goes wrong
I learned this the hard way once: I forgot to test an updated Ansible role before pushing. Result? Fifty FortiGates in a fun new bricked state (OK, config-bricked). Lesson: test everything in staging. Seriously, everything.
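What "test everything in staging" looks like as code, added here as an example rather than the author's playbook: a preflight gate that parses a rendered FortiOS CLI config before it leaves staging and refuses the push when it would break central logging, enable cleartext management, leave the built-in admin with its factory blank password, or strip our own HTTPS/SSH access from the management interface (the config-bricked failure described above). The two sample configs are constructed, and the management interface name (port1) is an assumption about the deployment.

```python
# Added example, not the author's playbook: a preflight gate for a rendered FortiOS
# CLI config before it leaves staging. The two configs below are constructed, and
# MGMT_INTERFACE (the port the NOC reaches the box on) is an assumption.

INSECURE_MGMT = {"http", "telnet"}   # cleartext management protocols
MGMT_INTERFACE = "port1"             # assumption: our way back into the device


def parse_fortios(cli):
    """Walk FortiOS CLI into {path: {key: value}} where path is the config/edit
    nesting, e.g. ("system interface", "port1"). Understands config, edit, set,
    unset, next and end; comments and blank lines are ignored."""
    stack, parsed = [], {}
    for raw in cli.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):].strip())
        elif line.startswith("edit "):
            stack.append(line[len("edit "):].strip().strip('"'))
        elif line in ("next", "end"):
            stack.pop()
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            parsed.setdefault(tuple(stack), {})[key] = value.strip()
        elif line.startswith("unset "):
            parsed.setdefault(tuple(stack), {}).pop(line[len("unset "):].strip(), None)
    return parsed


def preflight(cli):
    """Return a list of findings; an empty list means the push may proceed."""
    cfg = parse_fortios(cli)
    findings = []
    # 1. Central logging must survive the push.
    if cfg.get(("log syslogd setting",), {}).get("status") != "enable":
        findings.append("syslog disabled: push would break central logging")
    # 2. No cleartext management, and never remove our own way back in.
    for path, settings in cfg.items():
        if len(path) == 2 and path[0] == "system interface":
            allowed = set(settings.get("allowaccess", "").split())
            cleartext = allowed & INSECURE_MGMT
            if cleartext:
                findings.append(f"{path[1]}: cleartext management enabled ({' '.join(sorted(cleartext))})")
            if path[1] == MGMT_INTERFACE and not allowed & {"https", "ssh"}:
                findings.append(f"{path[1]}: no https/ssh left on management interface; push would lock us out")
    # 3. The built-in admin ships with a blank password; a push must set one.
    admin = cfg.get(("system admin", "admin"))
    if admin is not None and "password" not in admin:
        findings.append("built-in admin has no password set")
    return findings


# Constructed sample: what a careless template edit looks like.
BAD_CLI = """\
config system interface
    edit "port1"
        set allowaccess ping http telnet
    next
    edit "port2"
        set allowaccess ping https
    next
end
config log syslogd setting
    set status disable
    set server 10.0.0.5
end
config system admin
    edit "admin"
        set accprofile "super_admin"
    next
end
"""

# Constructed sample: the same device done properly (password value redacted).
GOOD_CLI = """\
config system interface
    edit "port1"
        set allowaccess ping https ssh
    next
end
config log syslogd setting
    set status enable
    set server 10.0.0.5
    set mode reliable
end
config system admin
    edit "admin"
        set password ENC REDACTED
        set accprofile "super_admin"
    next
end
"""

if __name__ == "__main__":
    for name, cli in (("bad", BAD_CLI), ("good", GOOD_CLI)):
        print(name, preflight(cli) or "ok to push")
```

Wire `preflight` in as the last step before the push task so a non-empty finding list fails the play for that device. The lockout check is the one that would have saved those fifty boxes: a template that drops `https` and `ssh` from the management interface passes every syntax check and still leaves you driving to the site.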
P J Networks Operations
Operating a big SD-WAN automation program needs real ops muscle behind it. Here’s how we’re doing it at P J Networks:
- 24×7 NOC team to keep an eye on provisioning
- Custom dashboards built on queries over FortiGate telemetry and our automation logs
- When a problem arises, a script takes the first crack and a human takes over if needed: 95 percent of issues are handled automatically, the other 5 percent escalated.
- Template effectiveness and security posture checks on a periodic basis
And, because this is me, there is a bit of a personal angle:
Amidst managing client rollouts and DefCon buzz, I remind my crew always and often: never trust defaults. Default passwords? Ugh, don't get me started. If I ever see a device come up with a factory_admin enabled, I want to scream. That is like leaving your front door wide open and still not expecting burglars.
Zero-touch with Fortinet SD-WAN — it’s not just a convenience play. It’s all about creating a secure, resilient and scalable network fabric.
So if you are looking to move on from shared team accounts that everyone uses and nobody owns, and to leave behind the old compromised security model and the frustration that goes with it, this roadmap is for you. Sure, it is not perfect. Not one-size-fits-all. But when you run complex multi-site set-ups for high-stakes clients (banks, healthcare, etc.), automation with good governance is your best friend.
Summary Takeaways
- Create your automation flow with flexible layers of powerful templates
- Embrace tools like Ansible to codify and manage provisioning
- Buy into monitoring and alerting – you will thank yourself later
- Do not scrimp on error handling – be particular and thorough
And remember, all the automation in the world will not replace expertise. When in doubt: If you want something done right, know the tech inside out. Or call someone who does.
That’s P J Networks for you.
And now, time for coffee.
Keep safe out there — there’s no rest for networks or hackers.

