This is a pretty large question, depending mainly on whether your locations rely on an operational perimeter (same network, same polling area, for example), or geographical location, or both.
From my own experience, it's usually easier to have an HA cluster of satellites (or only one satellite if you don't need resilience) to check a perimeter, which I link to a zone. If you need to check things beyond this zone, you can use agents (assuming you have a server to put them on).
For firewalls, you usually don't have to worry much since the connection direction is both ways; you need to have at least one direction open. Just make sure the endpoints know each other in your zones files then.
For main architecture guidelines, you can start here.
About automation, I'd prefer to let someone else answer since I don't use it much.
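
The firewall point above, as an added example that is not part of the original post: a pair of `zones.conf` fragments in which only the master-to-satellite direction has to be open. It assumes the thread is about Icinga 2, which the post does not name; every endpoint name, zone name and address is constructed.

```icinga2
// Constructed example; names and addresses are placeholders.

// ---- zones.conf on the master (this side opens the connection) ----
object Endpoint "master1.example.test" {
}

object Endpoint "satellite1.example.test" {
  // "host" is set, so the master dials out to the satellite
  // (cluster port 5665 by default). The firewall only needs
  // to allow master -> satellite.
  host = "192.0.2.10"
}

object Zone "master" {
  endpoints = [ "master1.example.test" ]
}

object Zone "site-a" {
  endpoints = [ "satellite1.example.test" ]
  parent = "master"
}

// ---- zones.conf on the satellite (this side only accepts) ----
object Endpoint "master1.example.test" {
  // No "host" attribute: the satellite knows the master by name
  // but never tries to connect to it.
}

object Endpoint "satellite1.example.test" {
}

object Zone "master" {
  endpoints = [ "master1.example.test" ]
}

object Zone "site-a" {
  endpoints = [ "satellite1.example.test" ]
  parent = "master"
}
```

Both sides declare the same endpoints and zones; leaving `host` off an endpoint is what keeps a node from initiating toward it, so the open firewall direction and the `host` attributes should match.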