Zero-Touch Provisioning (ZTP) in Retail: Rolling Out Hundreds of Stores Without Engineers

Zero-Touch Provisioning (ZTP) fundamentally changes traditional deployment models by eliminating the requirement for technical staff at each location. Retailers can ship SD-WAN appliances directly to store managers who have no networking expertise.

Netify's guide to Zero-Touch Provisioning in Retail

Deploying SD-WAN across hundreds of retail locations presents significant logistical challenges. Traditional network equipment deployment requires coordinating engineer visits to each store, manually configuring devices on-site, and troubleshooting when errors inevitably occur during installation. 

Zero-Touch Provisioning (ZTP) fundamentally changes this deployment model by eliminating the requirement for technical staff at each location. Retailers can ship SD-WAN appliances directly to store managers who have no networking expertise. When the device powers on and connects to the internet, it automatically discovers the vendor's cloud controller, downloads its configuration, and joins the retail network without manual intervention. What once required skilled engineers and coordinated site visits now completes through basic package delivery. 

In this article we'll explore how Zero-Touch Provisioning enables retail chains to roll out SD-WAN efficiently across their entire estate, the specific workflows involved, and the security considerations that make this automated approach viable for production environments.

The "Truck Roll" Problem

Opening a new store with traditional network equipment follows a resource-intensive process: IT teams configure devices in staging areas, apply location-specific settings, package pre-configured appliances for shipment, coordinate with store managers for installation windows, and dispatch engineers to physically install and verify operation. This approach works acceptably for small rollouts but breaks down at scale. For retailers opening many stores annually, it creates complex logistics: coordinating hundreds of site visits, managing installation windows around store trading hours, and dealing with configuration drift as different engineers interpret deployment guides differently.

Traditional WAN infrastructure vs SD-WAN

When retailers decide to transform their entire WAN infrastructure, replacing legacy MPLS with SD-WAN across hundreds or thousands of locations simultaneously, the logistics become overwhelming. Engineering capacity constraints limit deployment speed, scheduling coordination across time zones proves complex, travel costs accumulate rapidly, manual setup at hundreds of locations introduces configuration errors, and deployment timelines stretch across quarters or years.

For franchise operations, the challenge is made worse, with corporate IT teams often lacking direct control over franchise locations' infrastructure, requiring coordination with franchisees who may resist changes or lack technical staff. ZTP eliminates these constraints by shifting technical complexity from edge locations to the cloud.

According to market research, the Zero-Touch Provisioning market is expected to grow from $3.82 billion in 2024 to $10.59 billion by 2035, driven largely by SD-WAN deployments and distributed networks requiring automated configuration at scale.

The Step-by-Step ZTP Workflow

ZTP eliminates on-site technical work entirely by shifting all configuration to the cloud before hardware ships. This separation of technical work from physical installation enables deployment models where store-level staff require no networking expertise.

Cloud Staging

Before hardware leaves the warehouse, IT teams configure the complete SD-WAN deployment in the vendor's cloud management platform. This cloud staging involves creating the golden template - a baseline configuration that applies to all stores, including standard VLANs for payment systems, segmentation policies isolating the cardholder data environment (CDE), application priorities for traffic steering, and security policies such as firewall rules. Rather than configuring policies separately at each location, the template defines them once and applies them consistently across every location.
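To make the golden-template idea concrete, here is an added Python sketch (not code from the original article or from any vendor's orchestrator) that renders per-store configurations from one constructed template. Store-level overrides may add a backup WAN link or extra rules, but any override that touches locked keys or relaxes the deny rules protecting the CDE is rejected, so consistency is enforced rather than assumed; the template schema, field names and store IDs are all assumptions.

```python
import copy

# Constructed golden template (not any vendor's schema): the baseline pushed to
# every store. VLAN "pos" is the cardholder data environment (CDE).
GOLDEN_TEMPLATE = {
    "vlans": {"pos": 10, "guest_wifi": 20, "corp": 30},
    "segmentation": [
        {"from": "guest_wifi", "to": "pos", "action": "deny"},
        {"from": "corp", "to": "pos", "action": "deny"},
        {"from": "pos", "to": "payment_gateway", "action": "allow"},
    ],
    "app_priority": {"payment": "high", "video": "low"},
    "wan": {"primary": "broadband", "backup": None},
}

# Deny rules that protect the CDE; no store-level override may relax them.
LOCKED_DENIES = {("guest_wifi", "pos"), ("corp", "pos")}
# The only keys a store-level override is allowed to touch.
OVERRIDABLE = {"site_id", "wan", "extra_segmentation"}

def render_site_config(template, overrides):
    """Merge one store's overrides into the golden template, refusing any
    override that would weaken CDE isolation or touch locked keys."""
    unknown = set(overrides) - OVERRIDABLE
    if unknown:
        raise ValueError(f"override touches locked keys: {sorted(unknown)}")
    cfg = copy.deepcopy(template)                 # never mutate the template
    cfg["site_id"] = overrides.get("site_id", "unassigned")
    cfg["wan"].update(overrides.get("wan", {}))   # e.g. add a 5G backup link
    for rule in overrides.get("extra_segmentation", []):
        pair = (rule["from"], rule["to"])
        if pair in LOCKED_DENIES and rule["action"] != "deny":
            raise ValueError(f"{cfg['site_id']}: may not open {pair}")
        cfg["segmentation"].append(rule)          # template rules stay first
    return cfg

def render_estate(template, sites):
    """Render every store; one bad override aborts the whole batch so a
    partially weakened estate never ships."""
    return {site_id: render_site_config(template, dict(o, site_id=site_id))
            for site_id, o in sites.items()}

# Constructed per-store overrides for a three-store pilot.
PILOT_SITES = {
    "store-001": {"wan": {"backup": "5g"}},
    "store-002": {},
    "store-003": {"extra_segmentation": [
        {"from": "corp", "to": "digital_signage", "action": "allow"}]},
}
```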

Key Applications of Zero Touch Provisioning

The most common use case for Zero-Touch Provisioning is within SD-WAN. ZTP enables retailers to quickly deploy new edge devices so that the network can be expanded across new locations. The benefit of ZTP for SD-WAN is that it can use a single configuration as a template, ensuring that different branch offices conform to consistent policies regardless of the connectivity type, such as MPLS, broadband or 5G.

💡 By ensuring consistency between edges, organisations can be reassured that their network meets regulatory compliance requirements, as well as maintaining overall security.

Challenges and Risks of Zero Touch Provisioning and How They're Mitigated

Although there are many benefits to utilising Zero Touch Provisioning, it is also important to consider the potential challenges it may introduce.

One of these challenges is the initial configuration of the ZTP server and the definition of policies. This requires expertise to get right: whilst ZTP reduces the ongoing workload of network administrators, some expertise is still needed for the initial design of the ZTP implementation.

There are also physical security risks to consider. When devices are deployed to sites without technical staff, businesses should consider how those devices are protected against unauthorised access or tampering, as a compromised edge device can lead to a breach of both the local site and the wider network.

Finally, variability between vendors is significant: not all ZTP implementations are built equally, are as easy to implement, or offer the same range of features.

Vendor Comparison: ZTP Implementations

Arista VeloCloud

VeloCloud implements ZTP through their Edge Cloud Orchestrator (VECO) platform. Service providers sign up for ZTP by registering their Partner Relationship Management (PRM) identifier, which takes up to one week for validation. Once validated, devices shipped to customers automatically appear in the "Pending Assignment" inventory.

The service provider pre-configures edge profiles and assigns them to customers through the orchestrator. When the edge device powers on with DHCP-enabled internet connectivity, it automatically discovers the orchestrator, downloads its configuration, and establishes secure fabric VPN connections.

Versa Networks

Versa offers three distinct ZTP methods, providing flexibility for different deployment scenarios:

  1. Global ZTP: Devices automatically discover and connect to Versa's cloud infrastructure without manual intervention
  2. URL-Based ZTP: Administrators provide a specific URL that the device contacts for configuration
  3. Script-Based ZTP: Requires minimal command-line interaction to initiate the staging process with specified controller IP addresses and WAN parameters

All methods follow a two-phase process: staging (establishing initial IPsec tunnel with the controller) and post-staging (receiving full configuration from Director and completing onboarding). Versa's architecture separates the Controller (data plane) from Director (management plane), requiring connectivity to both components for successful deployment.

Fortinet FortiGate

Fortinet provides ZTP through two primary paths: FortiCloud/FortiDeploy for smaller deployments and FortiManager for enterprise-scale operations. The FortiCloud approach allows devices to automatically contact Fortinet's cloud services using a pre-registered product key, downloading configuration templates upon first boot.

For enterprises, FortiManager's "Add Model Device" feature enables administrators to pre-provision virtual device representations with complete configurations. When a physical FortiGate with matching serial number connects, it undergoes "Auto-Link" - authenticating via serial number or pre-shared key, optionally upgrading firmware, and receiving its full configuration push. Fortinet also supports alternative discovery methods including DHCP options and USB-based provisioning for locations without reliable internet.

Pre-Deployment Readiness Checklist

The checklist covers the following areas:

  1. Cloud Infrastructure
  2. Configuration Templates
  3. Network Prerequisites
  4. Device Hardware
  5. Security & Authentication
  6. Testing & Validation
  7. Operational Readiness

Pilot, Phased Rollout and Rollback Strategy

Successful ZTP deployment follows a three-stage approach that minimises risk: a pilot phase, a phased rollout, and a rollback plan.

The pilot phase should deploy via Zero-Touch Provisioning at 2-5 carefully selected locations, each representing a different store profile, and will likely take 2-4 weeks to validate that templates provision correctly, devices authenticate successfully, and end-to-end connectivity functions under production conditions. Pilot testing typically reveals site-specific issues, such as unexpected cable configurations or restrictive firewall rules, before they affect hundreds of locations.

Following successful pilot completion, phased rollout should begin, starting with non-critical locations to minimise business impact. Each wave should be monitored for success rates, time-to-operational metrics, and common failure patterns. If failure rates exceed 10-15%, deployment should be stopped for investigation and revision before proceeding further.

Rollback procedures are arguably the most important, as they allow for rapid recovery from failed deployments. SD-WAN platforms often implement automatic rollback so that if devices cannot establish orchestrator connectivity within 5-10 minutes, they revert to previous configurations.
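As an added illustration of the wave-gating and rollback-timeout rules above (not code from the original article or any vendor tool), the following Python sketch evaluates one rollout wave from a constructed status feed: each site is classified as operational, timed out (and therefore expected to have auto-rolled back) or still pending, and the next wave is only allowed to start when the failure rate is within the chosen bound. The status record format, store IDs and timings are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Bounds taken from the article: halt a wave once failures exceed 10-15%, and a
# device that cannot reach the orchestrator within 5-10 minutes should roll back.
DEFAULT_MAX_FAILURE_RATE = 0.10
DEFAULT_PROVISION_TIMEOUT = timedelta(minutes=10)

@dataclass
class SiteStatus:
    site: str                        # store identifier (constructed)
    powered_on: datetime             # when the device first came online
    operational: Optional[datetime]  # orchestrator confirmed onboarding, or None

def evaluate_wave(sites, now, max_failure_rate=DEFAULT_MAX_FAILURE_RATE,
                  timeout=DEFAULT_PROVISION_TIMEOUT):
    """Classify each site and return the wave's metrics plus a decision:
    "halt" (failure bound exceeded), "wait" (sites still inside the
    timeout window) or "proceed" (next wave may start)."""
    minutes, timed_out, pending = [], [], []
    for s in sites:
        if s.operational is not None:
            minutes.append((s.operational - s.powered_on).total_seconds() / 60)
        elif now - s.powered_on > timeout:
            timed_out.append(s.site)     # should have auto-rolled back by now
        else:
            pending.append(s.site)
    decided = len(minutes) + len(timed_out)
    failure_rate = len(timed_out) / decided if decided else 0.0
    if failure_rate > max_failure_rate:
        decision = "halt"
    elif pending:
        decision = "wait"
    else:
        decision = "proceed"
    return {"succeeded": len(minutes), "timed_out": timed_out,
            "pending": pending, "failure_rate": round(failure_rate, 3),
            "median_minutes": median(minutes) if minutes else None,
            "decision": decision}

# Constructed status feed for one eight-store wave that powered on together.
T0 = datetime(2025, 1, 6, 8, 0)
WAVE_1 = [SiteStatus(f"store-{i:03d}", T0, T0 + timedelta(minutes=m))
          for i, m in enumerate([4, 6, 5, 7, 9, 5, 8], start=1)]
WAVE_1.append(SiteStatus("store-008", T0, None))  # never reached orchestrator
```

Running the same feed with the 15% bound instead of 10% shows how the choice of threshold alone decides whether a single stuck store halts the rollout.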

Lifecycle Management

Once ZTP deployment completes, ongoing lifecycle management maintains the health of the retail network. Centralised orchestrators simplify firmware updates, allowing administrators to schedule upgrades during maintenance windows and push new software versions to hundreds of devices simultaneously. Most platforms support phased upgrade strategies, such as testing updates on pilot sites first, and regular configuration backups to protect against data loss.

Conclusion

Zero-Touch Provisioning eliminates the logistical complexity and cost of coordinating engineer visits across hundreds of retail locations for SD-WAN deployment. By shifting configuration complexity to the cloud, retailers enable non-technical store managers to deploy enterprise-grade networking infrastructure through simple package delivery and basic cable connections. ZTP requires thorough upfront planning, including template design, pilot testing, and rollback procedures, but delivers substantial operational benefits: faster deployment timelines, consistent policy enforcement, reduced travel costs and simplified lifecycle management.

Harry Yelland
Cybersecurity Writer

Harry holds a BSc (Hons) in Computer Science from the University of East Anglia and serves as a Cybersecurity Writer here at Netify, where he specialises in enterprise networking technologies. With expertise in Software-Defined Wide Area Networks (SD-WAN) and Secure Access Service Edge (SASE) architectures, Harry provides in-depth analysis of leading vendors and network solutions.

Fact-checked by: Robert Sturt - Managing Director, Netify

Frequently Asked Questions

What happens if a store manager connects cables incorrectly during ZTP installation?

Most common cabling errors prevent devices from obtaining internet connectivity, so provisioning simply doesn't start. The device remains in a waiting state, and centralised monitoring alerts IT teams that provisioning hasn't completed within the expected timeframe. Helpdesk staff can then guide store managers through checking cable connections.

Can retailers use ZTP for locations without reliable internet connectivity?

ZTP fundamentally requires internet connectivity for devices to reach the vendor's cloud controller and download configurations. For stores with no internet service yet installed, retailers must either pre-install connectivity before deploying SD-WAN, or implement a two-stage process where local IT contractors install internet services first, then ZTP handles SD-WAN provisioning.

Is ZTP suitable for franchise locations where the retailer doesn't control network infrastructure?

Yes, ZTP particularly benefits franchise deployments precisely because it minimises the retailer's dependency on franchisee technical capabilities. Corporate IT teams handle all configuration complexity in the cloud, whilst franchisees simply connect devices following pictorial instructions. This separation of concerns works well for franchise models where corporate IT wants to maintain network security and consistency without requiring franchisees to employ networking specialists.