>
    Strata Copilot
    Onboard NGFWs using Zero Touch Provisioning (ZTP)
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. Strata Cloud Manager Activation & Onboarding
    4. Onboard to Strata Cloud Manager
    5. Onboard NGFWs using Zero Touch Provisioning (ZTP)
    Download PDF
    Strata Cloud Manager

    Onboard NGFWs using Zero Touch Provisioning (ZTP)

    Table of Contents

    Onboard NGFWs using Zero Touch Provisioning (ZTP)

    Use this workflow for onboarding NGFWs to Strata Cloud Manager using Zero Touch Provisioning (ZTP).
    Where Can I Use This?What Do I Need?
    • NGFW
    		One of these:
    Learn about onboarding NGFWs using Zero Touch Provisioning (ZTP).

    Onboard a ZTP NGFW

    ZTP is designed to simplify and automate the onboarding of new firewalls to Strata Cloud Manager. ZTP streamlines the initial firewall deployment process by allowing network administrators to ship managed firewalls directly to their branches and automatically add the firewall to their tenant after the ZTP firewall successfully connects to the Palo Alto Networks ZTP service. This allows businesses to save on time and resources when deploying new firewalls at branch locations by removing the need for IT administrators to manually provision the new managed firewall. After successful onboarding, Strata Cloud Manager provides the means to configure and manage your firewalls.
    The ZTP cloud service supports a direct internet connection via Ethernet or cellular interfaces (exclusively for 5G hardware) to successfully onboard a firewall to Strata Cloud Manager. It supports Generation 5 firewalls with standalone cellular connections or a combination of Ethernet and cellular interfaces. This allows automated provisioning for remote sites relying on mobile data.
    If only cellular 1/1 is connected, it is automatically configured as the management interface. If both cellular 1/1 or Ethernet 1/1 are connected, Ethernet 1/1 serves as the primary management interface. If the Ethernet link goes down, the firewall fails over to cellular 1/1 for management access.
    The ZTP cloud service does not support an explicit web proxy. It cannot onboard a ZTP firewall to Strata Cloud Manager if an explicit web proxy is configured as a gateway to the internet for your firewalls and Strata Cloud Manager.
    Review and subscribe to ZTP Service Status events to be notified about scheduled maintenance windows, outages, and workarounds.
    Before you begin setting up ZTP on Strata Cloud Manager, review the Firewall Hardware Quick Start and Reference Guides to understand how to correctly install your firewall to successfully leverage ZTP.

    ZTP Configuration Elements

    The following elements work together to allow you to quickly onboard newly deployed ZTP firewalls by automatically adding them to Strata Cloud Manager using the ZTP service.
    • Customer Support Portal (CSP) Account—The ZTP service uses the Palo Alto Networks Customer Support Portal to register the firewall with your account and identify the tenants that you can associate with your ZTP firewall.
    • Tenant—The Strata Cloud Manager tenant the ZTP firewall will be associated with. This is a logical container for your apps and devices.
    • Business Administrator or Superuser Role—The enterprise roles that can onboard a ZTP firewall. These roles are assigned through Common Services.
    • Claim Key—Eight-digit numeric key physically attached to the ZTP firewall used to register the ZTP firewall with the CSP.
    • Serial Number—A 10-32 character alphanumeric identifier attached to the ZTP firewall. You can find this on a sticker on the back of the firewall.
    • Activation URL—URL used to onboard your ZTP firewall to cloud management ZTP activation URL.
      For the 5G hardware models, you can scan the unique QR code on the device label to instantly retrieve the activation link, Serial Number, and Claim Key.
    1. Business Administrator or higher role activates a ZTP firewall by visiting the ZTP activation URL and the firewall serial number and claim key. If you have more than one tenant or CSP account, you can select which one you want to associate with the firewall.
    2. The ZTP firewall registers with the CSP and with the Strata Cloud Manager tenant specified during activation.
    3. A ZTP firewall successfully registered with the ZTP service automatically appears in Strata Cloud Manager (Settings > Firewall Setup > Device Management).
    4. When the firewall connects to the internet, the ZTP firewall requests a device certificate from the CSP in order to connect to the ZTP service.
    5. The ZTP service pushes the Strata Cloud Manager FQDN and the ZTP configuration to the firewall.
    6. The ZTP firewall connects to Strata Cloud Manager.

    Onboard a ZTP NGFW to Strata Cloud Manager

    With a Business Administrator or greater role, access ZTP device activation to initiate ZTP. To initiate ZTP, you must enter the firewall serial number and claim key provided by Palo Alto Networks and then activate the ZTP process. The ZTP Activation Page registers your firewall to the Customer Support Portal (CSP) and associates the firewall to the selected tenant.
    Before you initiate ZTP, you must ensure that you have deployed a Dynamic Host Configuration Protocol (DHCP) server on the network. You must have a DHCP server configured to successfully onboard a firewall to Strata Cloud Manager. The firewall is unable to connect to the Palo Alto Networks ZTP service to facilitate onboarding without a DHCP server.
    You can't migrate a firewall added to Strata Cloud Manager using ZTP from one tenant to another.
    While adding a firewall to Strata Cloud Manager using ZTP, don't perform any commits on the ZTP firewall before you verify that the firewall appears in Strata Cloud Manager according to the steps below. Performing a local commit on the ZTP firewall disables ZTP functionality and results in the failure to successfully add the firewall to Strata Cloud Manager.
    All the PA-Series NGFW models are supported for ZTP.
    • PA-400 Series
    • PA-400R Series
    • PA-1400 Series
    • PA-3400 Series
    • PA-5400 Series
    • PA-5450 and PA-7500 Series
    • PA-500 and PA-5500 Series
    1. Activate the licenses required for Strata Cloud Manager (Strata Cloud Manager Essentials or Strata Cloud Manager Pro).
    2. (Optional) Create a device onboarding rule to associate the firewall with a folder and push a configuration when the firewall first connects to Strata Cloud Manager.
    3. Onboard the firewall to Strata Cloud Manager.
      1. With the role of Business Administrator or higher, access ZTP device activation.
      2. Select the tenant (if you have more than one in your CSP account).
      3. Enter the Serial Number of the ZTP firewall.
      4. Enter the Claim Key for the ZTP firewall.
      5. (Optional) Select any labels if defined by the admin for grouping.
        For the 5G hardware models, you can scan the unique QR code on the device label to instantly retrieve the activation link, Serial Number, and Claim Key.
      6. ActivateZTP.
    4. Connect the network interface on the ZTP firewall and power on.
      Ensure that you have correctly cabled the firewall before powering it on. ZTP connection is a one-time event, and if it fails, you will need to take corrective action.
      • Ethernet ZTP: Connect the Ethernet cable to Ethernet1/1.
      • (5G hardware only) Cellular ZTP: Ensure a valid SIM card with an active data plan is installed.
      • (5G hardware only) Hybrid (Ethernet and Cellular): Connect the Ethernet cable to Ethernet1/1 and ensure the SIM card is installed
      SCM automatically pushes the correct ZTP snippet based on the available interfaces reported by the firewall.
    5. Power On the firewall.
      The device will power up, initialize its interface (Ethernet or Cellular), and automatically connect to the Palo Alto Networks ZTP service.
    6. Monitor the Bootstrap Status.
      1. In Strata Cloud Manager, select System SettingsDevice ManagementCloud Managed Devices.
        You can also monitor the activation status from the ZTP Activation Page.
      2. Locate your device. The Bootstrap Status displays the progress of the automated onboarding steps. Wait for the status to change to Done.
    7. Verify the firewall successfully onboarded to Strata Cloud Manager.
      1. Log in to Strata Cloud Manager.
      2. Select System SettingsDevice Management and verify the ZTP firewall appears.
    8. Move the firewall to a folder of your choice.
      Folders are used to logically group your firewalls for simplified configuration management. Skip this step if you created a device onboarding rule to automatically move the firewall to a target folder.
      (HA only) Both firewalls must be in the same folder to configure HA. If you need to configure your firewalls in a high availability (HA) configuration, be sure to plan your folder structure accordingly and move both firewalls to the same folder before you configure HA.
      Additionally, firewalls in an HA configuration cannot be moved to a new folder. To move them, you must first break the HA configuration, move both firewalls to the new folder, and then reconfigure HA.
      1. Select System SettingsDevice Management and expand the All Firewalls folder.
      2. Expand the Actions menu and Move.
      3. Select the folder Destination and Move.
    9. Push Config to push your configuration changes.
    10. Finally, check the Strata Cloud Manager Command Center and confirm that your firewall appears in the Summary view.

    © 2026 Palo Alto Networks, Inc. All rights reserved.