Onboard NGFWs with Site Management

Automate NGFW configuration variable resolution during onboarding using Site Management in Strata Cloud Manager.
Where Can I Use This?
  • NGFW
What Do I Need?
Contact your account representative if you are interested in enabling this feature.
One of these licenses:
  • Strata Cloud Manager Essentials
  • Strata Cloud Manager Pro
Roles needed:
  • Network Administrator
  • Superuser
  • Business Admin
Site Management in Strata Cloud Manager streamlines Next-Generation Firewall (NGFW) deployment by automating configuration variable resolution. This feature introduces a "Site" as a core entity for NGFW deployment, abstracting device complexity in your environment. You define reusable properties and rules to generate specific variable values for individual devices, eliminating manual operations and standardizing your provisioning process.
Site Management improves NGFW deployments by ensuring consistency and reducing errors, especially at scale. Previously, configuring settings like IP addresses or hostnames manually for each device often caused inconsistencies and increased administrative effort. Site Management automates these calculations and standardizes value generation across NGFWs, reducing configuration drift and enhancing scalability for large deployments.
Site Management operates by centralizing your configurations. You define Properties — customer-defined metadata consisting of user-specified keys and values that describe each site's unique characteristics (such as location, region, or site ID) — and assign specific property values to individual Sites. These site-specific values are then used by Onboarding Rules, which contain Variable Resolution Rules. The Site Manager component dynamically calculates complex configuration details, such as derived IP addresses or hostnames, by substituting variables with site property values.
The workflow begins when you define Properties, Site Properties Groups, Sites, and Onboarding Rules within Strata Cloud Manager. An installer then selects a target site while installing the NGFWs. Strata Cloud Manager resolves the configuration in accordance with the variable resolution rules defined by the admin. This process includes Onboarding Properties as customizable metadata and Variable Resolution Rules that support string substitution and bit operations for precise IPv4 address generation. A Claim process then ties a physical or virtual NGFW to a pre-configured Site, triggering automated variable resolution and provisioning through Strata Cloud Manager.
  • This feature is only available during the onboarding of NGFWs.
  • This feature exclusively supports IPv4 for all IP address fields, variables, and resolution rules; IPv6 is not supported.
  • A site is restricted to being claimed by one single device.
  1. Define Site Properties.
    1. Log in to Strata Cloud Manager.
    2. Navigate to Configuration > NGFW and Prisma Access, set the Configuration Scope to All Firewalls, and continue to Setup > Device Onboarding > Site Management > Site Properties.
    3. Add Property.
      Properties are defined at the tenant level.
    4. Enter a unique Name for the property, for example, region_id or location.
    5. Select the Type for the property and configure the type-specific constraints.
      • String—Enter a Maximum Length, for example, 1024.
      • Integer—Enter a Minimum and Maximum value, for example, 0 to 7.
    6. Save.
  2. Create Site Property Groups.
    Site Groups are a collection of Sites with similar properties.
    1. Navigate to Configuration > NGFW and Prisma Access, set the Configuration Scope to All Firewalls, and continue to Setup > Device Onboarding > Site Management > Site Property Groups.
    2. Add Site Properties Group.
    3. Enter a Name for the site group, for example, Branch Deployments.
    4. Define and associate the properties that belong to this group.
    5. Save.
  3. Create Sites.
    1. Navigate to Configuration > NGFW and Prisma Access, set the Configuration Scope to All Firewalls, and continue to Setup > Device Onboarding > Site Management > Sites.
    2. Add Site.
    3. Select the Site Group this site belongs to, for example, Branch Deployments.
    4. Enter a unique Name for the site, for example, sc-store-1.
    5. (Optional) Enter the physical Address for the site.
    6. Provide Property Values for each property defined in the selected Site Group, for example, region_id: 7.
    7. (Optional) To add multiple sites at once, select the Site Properties Group created in Step 2 and choose to either manually add sites in a grid or Import CSV.
    8. Save.
  4. Configure Site-Based Onboarding Rules.
    1. Navigate to Configuration > NGFW and Prisma Access, set the Configuration Scope to All Firewalls, and continue to Setup > Device Onboarding > Onboarding Rules.
    2. Add Rule and configure the general settings.
      • Enter a descriptive Name for the rule and optionally a Description.
      • Ensure the Enabled toggle is active.
      • Select Site-Based as the Onboarding Type.
    3. Configure the Match Criteria.
      • Select the Site Properties Group from Step 2 that this rule will apply to, for example, Branch Deployments.
      • (Optional) Specify Models.
    4. Configure the Actions.
      • Select Target Folder.
      • Select any Snippet Association.
      • Select the Target OS Version for the device.
      • (Optional) Enable VPN Onboarding.
      • (Optional) Enable Custom Interface.
        Custom Interface is disabled by default. When enabled, it disables the automatic application of the ZTP Default Snippet post-bootstrap, allowing administrator-defined interface and routing configurations to take effect. Use this option only when the management interface or non-standard ports are required for post-onboarding connectivity. Ensure all necessary interface and routing configurations are defined before enabling this option to prevent connectivity interruptions.
      • (Optional) Enable User Context Onboarding.
    5. Enable Variable Resolution and configure variables.
      Only variables defined at the folder selected in Target Folder or defined in an associated snippet will be available for resolution.
      For each variable you want to override:
      1. Select the variable Name, for example, mgmt_ip.
      2. Choose the appropriate Resolution Rule Type:
        • Replacement—Enter an Expression using site properties, for example, 10.1.${region_id}.2.
        • Bitwise Expression—Define the bitwise resolution to dynamically generate an IP address for each site. This option provides the flexibility to dynamically configure every bit of the IP address and use properties to resolve the IP address for every site.
    6. Save.
  5. Preview Site Resolution.
    To prevent potential runtime errors from inconsistent variable resolution, you can preview how variables will resolve for your sites before deployment.
    1. Navigate to Configuration > NGFW and Prisma Access, set the Configuration Scope to All Firewalls, and continue to Setup > Device Onboarding > Site Management > Sites.
    2. Preview Resolution.
    3. (Optional) Select the Model Family.
    4. Review the Resolved Onboarding Rule and Resolved Variables for each site.
  6. Claim a Site during device onboarding.
    1. Initiate the NGFW device onboarding process using Zero Touch Provisioning (ZTP) or manual onboarding.
    2. On the ZTP activation page or Strata Cloud Manager onboarding page, enter the device's Serial Number and Claim Key.
    3. Select a pre-defined Onboarding (Site) from the available list.
      A site can only be claimed by one device at a time.
      If you are using the ZTP mobile web app, location detection automatically populates sites within a 2 km radius of your current position. You can tap Tap to change location to update your location or toggle Show All Sites to browse the complete list of available sites.
    4. Submit.
  7. Verify Onboarding Status and Resolved Variables.
    1. Navigate to Settings > Device Management.
    2. Locate the newly onboarded device.
    3. Review the Onboarding Status.
    4. Select the device and navigate to its specific Configuration Scope.
    5. Manage Variables.
    6. Review the Resolved Variables.
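
An offline pre-check in the spirit of the Preview Resolution step, added here as an example and not Strata Cloud Manager's own code: it validates site property values against their constraints, applies the Replacement expression from step 4, and confirms each result is a valid IPv4 address. The property table, the CSV column layout, and the per-site uniqueness check are assumptions; Bitwise Expression rules are not covered because the page does not give their syntax.

```python
import csv, io, ipaddress, re
# Constructed sample data mirroring the page's examples; not exported from a tenant.
PROPERTIES = {"region_id": {"type": "integer", "min": 0, "max": 7},
              "location": {"type": "string", "max_length": 1024}}
RULES = {"mgmt_ip": "10.1.${region_id}.2"}  # Replacement rule from step 4
SITES_CSV = """name,region_id,location
sc-store-1,7,Santa Clara
sc-store-2,3,San Jose
sc-store-3,9,Oakland
sc-store-4,3,Fremont
"""
PLACEHOLDER = re.compile(r"\$\{(\w+)\}")

def validate(name, raw):
    """Return an error string if raw violates the property's constraints, else None."""
    spec = PROPERTIES.get(name)
    if spec is None:
        return f"unknown property {name}"
    if spec["type"] == "integer":
        if not re.fullmatch(r"-?\d+", raw) or not spec["min"] <= int(raw) <= spec["max"]:
            return f"{name}={raw!r} not an integer in {spec['min']}..{spec['max']}"
    elif len(raw) > spec["max_length"]:
        return f"{name} exceeds {spec['max_length']} characters"

def resolve(expression, values):
    """Substitute ${property} placeholders; raises KeyError on an undefined property."""
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], expression)

def preview(sites_csv=SITES_CSV):
    """Return (resolved, errors) where resolved[site][variable] is a checked IPv4 string."""
    resolved, errors, seen = {}, [], {}
    for row in csv.DictReader(io.StringIO(sites_csv)):
        site = row.pop("name")
        problems = [p for k, v in row.items() if (p := validate(k, v))]
        if problems:
            errors += [f"{site}: {p}" for p in problems]
            continue
        for var, expr in RULES.items():
            try:
                value = str(ipaddress.IPv4Address(resolve(expr, row)))  # IPv4 only
            except (KeyError, ValueError) as exc:
                errors.append(f"{site}: {var} did not resolve: {exc}")
                continue
            if (var, value) in seen:  # assumption: a per-site address must be unique
                errors.append(f"{site}: {var} {value} already used by {seen[(var, value)]}")
                continue
            seen[(var, value)] = site
            resolved.setdefault(site, {})[var] = value
    return resolved, errors
```

On the sample data, sc-store-3 is rejected because 9 is a valid octet but outside the 0 to 7 constraint, and sc-store-4 is flagged because it shares region_id 3 with sc-store-2 and so resolves to the same address.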