Onboard ZTP Firewalls
Learn how to onboard ZTP firewalls.
ZTP is designed to simplify and automate the onboarding of new firewalls to
Strata Cloud Manager. ZTP streamlines the initial firewall deployment process
by allowing network administrators to ship managed firewalls directly to their
branches and automatically add the firewall to their tenant after the ZTP firewall
successfully connects to the Palo Alto Networks ZTP service. This allows businesses
to save on time and resources when deploying new firewalls at branch locations by
removing the need for IT administrators to manually provision the new managed
firewall. After successful onboarding, Strata Cloud Manager provides the means to
configure and manage your firewalls.
The ZTP cloud service supports a direct internet connection to successfully
onboard a ZTP firewall to Strata Cloud Manager. The ZTP cloud service does not
support an explicit web proxy and is unable to onboard a ZTP firewall to Strata Cloud Manager if an explicit web proxy is configured as a gateway to the
internet for your ZTP firewalls and Strata Cloud Manager.
Review and subscribe to ZTP Service Status events to be notified about scheduled maintenance
windows, outages, and workarounds.
Before you begin setting up ZTP on Strata Cloud Manager, review the Firewall Hardware Quick Start and Reference Guides to
understand how to correctly install your firewall to successfully leverage ZTP.
Cloud Management
Learn how to onboard ZTP firewalls in Strata Cloud Manager.
With a Business Administrator or greater role, access ZTP device activation to add a ZTP firewall to Strata Cloud Manager. To add the ZTP firewall, you must enter the firewall serial
number and claim key provided by Palo Alto Networks and then register the firewall
with the ZTP service. Registering the firewall claims the firewall as an asset in
your account in the Customer Support Portal and allows the ZTP service to associate
the firewall with Strata Cloud Manager.
Before you can add a ZTP firewall to Strata Cloud Manager, you must deploy a
Dynamic Host Configuration Protocol (DHCP) server on the network. Without a
DHCP server, the ZTP firewall is unable to connect to the Palo Alto Networks
ZTP service to facilitate onboarding.
You can't migrate a firewall added to Strata Cloud Manager using ZTP from one tenant to another.
While adding a ZTP firewall to Strata Cloud Manager, don't perform any
commits on the ZTP firewall before you verify that the firewall appears in Strata Cloud Manager according to the steps below. Performing a local commit on the
ZTP firewall disables ZTP functionality and results in the failure to successfully
add the firewall to Strata Cloud Manager.
- Activate the licenses required for Strata Cloud Manager.
- Activate Cortex Data Lake.
- Activate AIOps for NGFW.
- Onboard the ZTP firewall to Strata Cloud Manager.
- With the role of Business Administrator or higher, access ZTP device activation.
- Select the tenant (if you have more than one in your CSP account).
- Enter the Serial Number of the ZTP firewall.
- Enter the Claim Key for the ZTP firewall.
- Activate the firewall.
- Connect the ethernet cable to Eth1/1 on the ZTP firewall and power on.
  Ensure that you have correctly cabled the firewall before powering it on. ZTP connection is a one-time event, and if it fails, you will need to take corrective action.
- Verify the firewall successfully onboarded to Strata Cloud Manager.
- Log in to Strata Cloud Manager.
- Select Settings > Firewall Setup > Device Management and verify the ZTP firewall appears.
- Move the firewall to a folder of your choice.
  Folders are used to logically group your firewalls for simplified configuration management.
  (HA only) Both firewalls must be in the same folder to configure HA. If you need to configure your firewalls in a high availability (HA) configuration, be sure to plan your folder structure accordingly and move both firewalls to the same folder before you configure HA.
  Additionally, firewalls in an HA configuration cannot be moved to a new folder. To move them, you must first break the HA configuration, move both firewalls to the new folder, and then reconfigure HA.
- Select Settings > Firewall Setup > Folder Management and expand the All Firewalls folder.
- Expand the Actions menu and Move.
- Select the folder Destination and Move.
- Push Config to push your configuration changes.
Panorama
Learn how to onboard ZTP Firewalls to Panorama.
ZTP Firewalls can be centrally managed using Panorama.
To start onboarding your ZTP Firewalls to Panorama, follow the guide here.