Set up and launch the PA-3400 Series firewall in either
Zero Touch Provisioning (ZTP) mode or Standard mode depending on
your deployment needs.
On first startup, the PA-3400 Series firewall
boots into Zero Touch Provisioning (ZTP) mode by default. ZTP mode
allows you to automate the provisioning process of a new firewall
that is added to a management server. To learn more about ZTP, see ZTP Overview. You can
also bring the PA-3400 Series firewall online in standard mode.
See the instructions below to learn how to boot in ZTP or standard
If you have already booted up
the firewall and selected the wrong mode, you must perform a factory
reset or private-data-reset before continuing.
To use the private-data-reset command, you must access the
firewall CLI and enter the command
request system private-data-reset
This command will remove all logs and restore the default configuration.
ZTP mode is disabled if FIPS-CC mode is
enabled. If the firewall boots with FIPS-CC mode enabled, the firewall
will automatically boot in standard mode.
Use an RJ-45 Ethernet cable to connect the device
to the correct port. The port(s) connected will depend on which
mode you intend the firewall to run in.
) Connect the Ethernet cable from
the MGT port on the firewall to the RJ-45 port of your network switch.
) Connect the Ethernet cable from the ZTP
port (Ethernet port 1) on the firewall to your network switch.
Confirm that the connection to the MGT port or Ethernet
port 1 has an active network switch.
An active switch allows the firewall to trigger a
“link up” state on the port you connected to for your desired boot mode.
Standard mode only
) If you intend to boot the
firewall in standard mode, you will need access to the firewall
CLI to respond to a prompt during bootup. Connect a console cable
from the PA-3400 Series firewall to your computer. Once the firewall
is powered on, use a terminal emulator such as PuTTY to access the
CLI. See Access the CLI for more
) Using your terminal emulator,
watch for the following CLI prompt as the firewall boots:
Do you want to exit ZTP mode and configure your firewall in standard mode (yes/no)[no]?
The system will then ask you to confirm. Enter
to boot in standard mode.
If you miss the above CLI prompt, you can
also change your boot mode using the web interface. Go to the firewall
login screen at any point before or during the startup process.
A prompt will ask if you wish to continue booting in ZTP mode or
if you would like to switch to standard mode. Select
and the firewall will begin rebooting in standard mode.
) Stand by as the firewall boots up.
Set up the firewall manually if using standard mode.
If using ZTP mode, the device group and template configuration defined
on the Panorama management server are automatically pushed to the
firewall by the ZTP service.
) Change the IP address
on your computer to an address in the 192.168.1.0/24 network, such
as 192.168.1.2. From a web browser, go to https://192.168.1.1. When
prompted, log in to the web interface using the default username
and password (admin/admin).
) Follow the instructions provided by your Panorama
administrator to register your ZTP firewall. You will have to enter
the serial number (12-digit number identified as S/N) and claim
key (8-digit number). These numbers are stickers attached to the
back of the device.