Zero-Touch Deployment at Scale with FortiAP and FortiGate
I have been networking since ‘93 – started life as a pissant network admin wrangler of PSTN muxes. The difference then was that everything was slower, noisier, and, frankly, less secure. Flash forward to today: after getting inspired by the Slammer worm as it left a wake of destruction (and learning a ton), I own a security company — PJ Networks — and recently helped three banks push through big zero-trust rollouts. I just got back from DefCon as well—still on a high from the hardware hacking village. But here’s what I really want to talk about: zero-touch deployment at scale with FortiAP and FortiGate, and why that’s where PJ Networks ops rocks.
Scaling Challenges
Alright. In theory, zero-touch deployment is a great idea. Press a button and bam — all your devices are up, configured and secure. But for anyone who has done this at scale, the devil is in the details.
When the numbers climb — and we are talking dozens, hundreds or even thousands of FortiAPs and FortiGates! — some old pain points start to emerge:
- Diversity of devices: different models, hardware revisions, firmware/software versions… All of them must speak the same language.
- Network topology: sites, VLANs and VPNs, oh my. Every one of them is different, and every one of them needs its own slice of your config.
- Security posture consistency: you’re not letting slapdash configs through the door when your goal is zero trust.
This is where we’ve discovered that you really have to prepare your environment first. Enter Fortinet’s FortiAuthenticator which, as you’d suspect, is the gatekeeper here, the one that does the heavy lifting of managing authentication and provisioning so that your NOC doesn’t have to. However, we don’t simply roll out FortiAuthenticator here at PJ Networks; we wrap the entire environment around it.
Zero-Touch Overview
Zero-touch provisioning (ZTP) is in the name—you take the device out of the box, plug it into the network, and it provisions itself. No sweat.
With FortiAP and FortiGate, a perfect traffic flow would be:
- The device comes up and asks for configuration from FortiAuthenticator.
- The device is verified by FortiAuthenticator with a certificate.
- It downloads the configuration template that corresponds to that device.
- Device installs configuration and connects to network with no human intervention.
But, here is the kicker — this assumes masterful config templates and a flawless back-end pipeline.
Configuration Templates
Templates are like the recipe in your kitchen; if they’re off by a pinch, the whole thing could flop. At PJ Networks we remain super alert at this stage.
Here are some highlights from my experience:
- Templates cover all security policies, routing, VLAN tagging and device idiosyncrasies.
- We apply stringent zero-trust standards – which do away with the myth that every device is trusted end-to-end.
- Version control is vital – we use git repos to track config changes and back them out easily.
And yes, at times it feels as if you’re coding the secret sauce to the perfect curry here — but it’s worth it.
Rollout Best Practices
This is where the rubber meets the road — and where many projects fail. This is what PJ Networks follows, based on field experience delivering solutions to financial services firms and other businesses:
- Take baby steps: start with a manageable number of devices and trial the rollout on a single site.
- Automate as much as possible: use DevOps pipelines to run CI/CD on your config templates.
- Asset tagging & inventory: the Honeywell protocol CMS requires that each piece of hardware be tagged and tracked in our central system – it makes remote troubleshooting a breeze.
- Remote NOC provisioning: Our ops team can push new updates and monitor devices from a centralized command center deep in the bush, or from the nearest local Timmies.
- Test rollback scenarios: you won’t get it right the first time. Always have a fast path to fall back on in case of a bad config.
And in case you’re curious — manual overrides are always possible, but as a last resort.
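One CI gate of the kind the template and rollout sections call for, as an added example that is not PJ Networks’ code or a Fortinet tool: it renders a simplified, assumed FortiOS-style template per site and refuses the push when the result would lock the NOC out of the box or lacks an explicit default deny. The template syntax, the site variables and the checks are all constructed for this example.

```python
# Constructed, simplified FortiOS-style template (assumed syntax, not a real PJ Networks template); {site}, {mgmt_access}, {mgmt_net} come from the site's asset record
TEMPLATE = """\
config system interface
    edit "port1"
        set allowaccess {mgmt_access}
    next
end
config firewall policy
    edit 1
        set name "{site}-mgmt"
        set srcaddr "{mgmt_net}"
        set action accept
    next
    edit 2
        set name "{site}-default-deny"
        set srcaddr "all"
        set action deny
    next
end
"""

def parse(config):
    # Flatten config/edit/set nesting into {(section, entry): {key: value}}
    blocks, section, entry = {}, None, None
    for tok in filter(None, map(str.split, config.splitlines())):
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "edit":
            entry = tok[1].strip('"')
            blocks[(section, entry)] = {}
        elif tok[0] == "set":
            blocks[(section, entry)][tok[1]] = " ".join(tok[2:]).strip('"')
    return blocks

def lint(config):
    # Findings that must block the push; an empty list means safe to roll out
    blocks, findings = parse(config), []
    mgmt = blocks.get(("system interface", "port1"), {})
    if not {"https", "ssh"} & set(mgmt.get("allowaccess", "").split()):
        findings.append("port1 has no https/ssh access: push would lock out the NOC")
    policies = [v for (sec, _), v in blocks.items() if sec == "firewall policy"]
    if not policies or policies[-1].get("action") != "deny":
        findings.append("last firewall policy is not an explicit default deny")
    for p in policies:
        if p.get("action") == "accept" and p.get("srcaddr") == "all":
            findings.append("policy %s accepts traffic from any source" % p["name"])
    return findings

def check_site(site_vars):
    # Render the template for one site and lint the result: the CI gate
    return lint(TEMPLATE.format(**site_vars))
```

Run `check_site` over every record in the inventory inside the pipeline and fail the job on any non-empty result, so a template that would cut off management access never reaches a remote site.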
PJ Networks Ops
Here is where I start to feel a bit of pride — and possibly a bit biased. PJ Networks doesn’t stop at doing the zero-touch deployment heavy lifting; we engineer the entire lifecycle, from logistics to ongoing operations.
- We create network templates enriched with security best practices and zero-trust policies.
- Our DevOps pipelines support test automation, source versioning, and staged rollouts.
- Asset tagging? Handled. Every FortiAP or FortiGate is delivered pre-provisioned and automatically traceable.
- Remote deployment and management from our NOC assures rapid incident response with little to no downtime.
I’m not pretending this is all plug-and-play — there are a lot of moving parts. But decades of combined experience allow us to tame the complexity.
Results & Metrics
All right, let me throw some numbers at you — since that’s a language that cuts through in the boardroom:
- Deployment time reduced by 70% compared with manual provisioning.
- Configuration errors down by more than 90% through standardized templates.
- MTTR for incidents involving Fortinet gear cut to under 30 minutes thanks to remote NOC ops.
- The banks we worked with experienced no service disruptions while upgrading their security.
What does that mean? More uptime, less stress, and a better security stance.
Quick Take
If you’re pressed for time:
- Zero-touch deployment works, but only if you prepare smartly.
- FortiAuthenticator is the anchor to your provisioning.
- DevOps + asset tagging = peace of mind.
- Plan to iterate — and don’t forget to test rollbacks.
Here’s the thing. Zero-touch is not a silver bullet. Indeed, I start to roll my eyes when I hear buzzwords like “AI-powered” stamped on security products in an attempt to sell them as a panacea. The real deployment issues require human skill and strong automation working hand in hand.
I’ve had my fair share of goofs—one time I attempted to push a config that left us locked out of a remote site for a few hours. Learned a lot (I triple-check templates before pushing now). But those were formative experiences for PJ Networks ops and for how we provide secure, scalable zero-touch provisioning for Fortinet devices.
So if your org’s grappling with deployment headaches at scale, don’t just get the shiny! Construct your zero-touch workflow with care. Recruit people who know more than networks: people who also know security, logistics and automation.
And hey — pour yourself a third cup of coffee and trust me: PJ Networks can make managing a zero-touch deployment less about pain and more about speed and security.