You want to look at auto-install. It requires a usb-drive and you populate the cfg on the drive and ship the FGT with the drive. If you are doing the same model-type over and over, then a simple boring config could be used to pre-populate the unit at the new site.
If the remote-sites are DHCP/PPoE for the WAN it even gets simple with re-using the configuration file. Just make sure to use a phase1-ID-TYPE
for the IPSEC tunnel that uniquely defines that peer-id.
I.E FQDN | User-Email
Once you have the new site up, you can load the final cfg or make adjustments for that site. https://help.fortinet.com/cli/fos60hlp/60/Content/FortiOS/fortiOS-cli-ref/config/system/auto-install.htm
I publish probably 100s if not thousands of sites using this way and it works good if your information is vetted and correct. So since we had dynamic assigned, our config file only required the correct internal LAN subnet and almost everything else was global across the MSSP domain ( user account, admin account, RADIUS, logging, etc....)
It would also help to test the config on a test ISP link and tweak what you need as you develop your auto-install process.
YMMV, but auto-install is a 5star "+"