De-board an NGFW Connector

1. Remove NGFW Connector from the ZTNA Connector Group.

   1. In Strata Cloud Manager, go to ConfigurationZTNA ConnectorNGFW Connectors.
   2. Select the NGFW Connector Group containing the NGFW you want to de-board.
   3. Delete the specific NGFW Connector from the Connector Group.

   4. Delete all the ZTNA Connector objects such as any IP Subnets, FQDNs or wildcards associated with NGFW Connector.

   To de-board an NGFW Connector, first delete all the objects such as IP subnet, FQDN and wildcards from Strata Cloud Manager. De-boarding NGFW Connector from the Panorama UI before deleting these objects results in a stale NGFW Connector status in Strata Cloud Manager.
2. Remove any manually configured DNS Proxy references (if applicable).

   1. If you have manually configured the DNS proxy with static entries, in Panorama, go to DeviceSetupServices and then select the settings icon.
   2. Under DNS Settings, select the DNS Proxy Object and de-select ztna_ngfw_proxy to remove any manual references to this proxy.
      When you de-board all NGFW Connectors from a Connector Group, Prisma Access service deletes ztna_ngfw_proxy. But if ztna_ngfw_proxy is still associated in DNS proxy object then you might see commit all failures or validation errors.
3. Remove the NGFW as an unclaimed connector from Panorama.

   1. In PANORAMA, go to Cloud ServicesConfigurationNGFW Connector.
   2. Select NGFW Connector and Delete it.

4. Ensure all the references are removed from Panorama and Prisma Access service deletes all the configuration from Panorama and NGFW.

   If your NGFW was part of a Connector Group with multiple NGFWs sharing a template, template-level configurations will only be removed after the last NGFW in that Connector Group is de-boarded.