>
    Strata Copilot
    Onboard a ZTP NGFW Using the ZTP Web App
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Cloud Manager
    3. Strata Cloud Manager Activation & Onboarding
    4. Onboard to Strata Cloud Manager
    5. Onboard NGFWs using Zero Touch Provisioning (ZTP)
    6. Onboard a ZTP NGFW Using the ZTP Web App
    Download PDF
    Strata Cloud Manager

    Onboard a ZTP NGFW Using the ZTP Web App

    Table of Contents

    Onboard a ZTP NGFW Using the ZTP Web App

    Activate NGFWs at branch locations from a mobile device using the Zero Touch Provisioning (ZTP) NGFW Activation web app.
    Where Can I Use This?What Do I Need?
    • NGFW
    One of these:
    And all of these:
    • Business Administrator or Superuser role in Strata Cloud Manager
    • iOS or Android smartphone with a camera and internet connectivity
    • A Customer Support Portal (CSP) account
    • DHCP server deployed on the branch network
    The ZTP NGFW Activation web app extends the existing Zero Touch Provisioning (ZTP) portal to mobile devices, enabling field installers to activate NGFWs at branch locations without a laptop or detailed knowledge of the customer's network configuration. The web app is browser-based and works on both iOS and Android devices, so no separate native app installation is required.
    The ZTP web app introduces two features that further simplify field deployments: location detection automatically identifies nearby sites pending deployment so you can select a site without manual lookup, and port detection uses your device's camera to verify physical cable connections before activation begins, preventing misconfiguration errors.
    You can reach the ZTP Activation Page in two ways: by scanning the QR code on Gen 5 or newer NGFW hardware, or by navigating directly to the page URL. The QR code opens the page automatically and pre-populates the Serial Number and Claim Key fields, so no manual entry is needed. After activation, the NGFW bootstrap process begins automatically and takes approximately 25 minutes, or up to 35 minutes if a software upgrade is required. You can monitor bootstrap progress and review the last seven days of activation history directly from the web app.
    The ZTP web app only supports onboarding to Strata Cloud Manager at this time. For more information about the ZTP onboarding process for Panorama, see Set Up Zero Touch Provisioning.

    Activate a ZTP NGFW

    Sign in, enter device details, select your deployment site or label, and activate a ZTP NGFW from your mobile device using the ZTP NGFW Activation web app.
    The activation workflow guides you through signing in, entering device details, associating the NGFW with a deployment site or label, and submitting the activation. Depending on your setup, you can select a site, a label (if your administrator has enabled labels), or both. To reach the ZTP Activation Page, you can either navigate directly to ztpdeviceactivation or scan the QR code on the back of the NGFW. On Gen 5 or newer hardware, the QR code opens the page automatically and pre-populates the Serial Number and Claim Key fields — on all other hardware, you enter those details manually.
    Port detection checks whether a cable is connected to the eth1/1 port. It supports select branch and remote office PA-Series form factors. Only the connected state of the port is detected — data flow through the port is not verified.
    1. Navigate to the ZTP NGFW Activation page.
      • (Gen 5 or newer hardware) Open the Camera app on your smartphone and scan the QR code on the back of the NGFW. The QR code opens the ZTP Activation Page directly and automatically populates the Serial Number and Claim Key fields.
      • On your mobile device, navigate directly to stratacloudmanager.paloaltonetworks.com/ztpdeviceactivation.
    2. Sign in to your CSP account.
    3. Confirm the device details on the ZTP Activation Page.
      If you scanned the QR code, the Serial Number and Claim Key fields are already populated. If you are entering details manually, complete all of the following:
      1. Select the Tenant where the ZTP NGFW is activated.
      2. Select the CSP Account where the ZTP NGFW is activated.
      3. (Manual entry only) Enter the 10–32 character Serial Number found on the back of the device.
      4. (Manual entry only) Enter the 8-digit Claim Key found on the back of the device.
    4. Select a Deployment Site
    5. Select your site from the Select Site list and tap OK.
      The web app uses your device's location to display sites pending deployment within a 2 km radius. If your site is not shown:
      • Tap Tap to change location to manually update your location and refresh the filtered list.
      • Toggle Show All Sites to browse the complete list of sites pending deployment.
    6. Verify Port Connections
    7. Tap Verify and confirm eth1/1 connection?.
      Before capturing, ensure the following conditions are met for accurate detection:
      • Clear cable area — The area around the eth1/1 port must be relatively clear. A disorganized bundle of cables overlapping the front of the firewall can obstruct the model's view and cause incorrect results.
      • Front-facing angle — Hold your phone at a front-facing angle to the firewall. Looking directly down on top of the chassis (bird's-eye view) obscures the port openings and is not supported.
      • Adequate lighting — The firewall should be illuminated by standard office lighting or your phone's flash. Extreme shadows or direct glare may reduce detection accuracy.
      • Horizontal placement only — The firewall must be placed horizontally on a flat surface. Vertical orientations are not supported in this release.
    8. (Optional) View the reference image in the app to understand the required cable configuration for your firewall model.
    9. Align the firewall front panel within the overlay guide box on your screen, hold your phone steady, and tap the camera button to capture the image.
      Ensure the entire firewall fits within the guide box. If you are working with a stack of firewalls, focus on the specific firewall you are onboarding.
      The web app analyzes the image and reports one of the following results:
      • Eth 1/1 Active — A cable is detected in the eth1/1 port. A checkmark on the activation form confirms the connection. Proceed with activation.
      • Eth 1/1 Not Connected — No cable is detected in the eth1/1 port. Check the cabling and retake the image before proceeding.
    10. Click Activate Device.
      Strata Cloud Manager registers the firewall and the NGFW bootstrap process starts. Bootstrap takes approximately 25 minutes, or up to 35 minutes if a software upgrade is required. You can monitor progress on the ZTP Activation Page.
    11. (Optional) Select Activate Another Device.
    12. (Optional) Select Check Activation Details to monitor bootstrap progress.
    13. Click Done when activation is complete.

    Monitor Bootstrap Status Using the ZTP Web App

    Track the real-time status of the NGFW bootstrap process from your mobile device after initiating ZTP activation.
    After you activate a ZTP NGFW, the firewall begins an automated bootstrap sequence that downloads licenses, content updates, and software upgrades, then applies the initial configuration pushed by Strata Cloud Manager. Bootstrap takes approximately 25 minutes, or up to 35 minutes if a software upgrade is required.
    The ZTP Activation Page shows real-time bootstrap progress through the following sequential stages:
    • Firewall Licensing — The firewall downloads and installs its assigned license.
    • Content Updates — App-ID and threat content packages are downloaded.
    • WildFire Updates — WildFire signatures are downloaded.
    • Antivirus Updates — Antivirus signatures are downloaded.
    • Software Upgrade — PAN-OS software is upgraded to the target version.
    • Default Config PushStrata Cloud Manager pushes the initial configuration to the firewall.
    If an error occurs during bootstrap, the ZTP Activation Page displays a message with an error code. Contact your network administrator if you see a technical error during bootstrap. Non-critical failures in antivirus or WildFire updates display a warning but do not stop the bootstrap process.
    1. From the ZTP Activation Page, select Check Activation Details.
    2. Review the bootstrap status stages and wait for the status to change to Done.
      Each stage displays a progress indicator. If a stage shows an error, note the error code and contact your administrator. Your administrator can monitor the same bootstrap status and any warnings from System SettingsDevice ManagementCloud Managed Devices in Strata Cloud Manager.

    View Activation History Using the ZTP Web App

    Monitor recently activated NGFWs and track deployment progress directly from a mobile device using the ZTP Web App activation history.
    The ZTP web app lets you view activation history for devices processed within the last seven days directly from your mobile device. You can filter results by CSP account and TSG, search for a specific device by serial number, and tap any device in the list to view its full activation details.
    1. From the ZTP NGFW Activation landing page, select Check Activation History.
    2. Select your CSP account and TSG ID and click Search.
    3. (Optional) Enter a serial number to filter the results to a specific device.
    4. Tap a serial number in the list to view detailed activation status for that NGFW.

    © 2026 Palo Alto Networks, Inc. All rights reserved.