>
    Strata Copilot
    Onboard ZTP Firewalls
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. Onboard Your NGFWs
    4. Onboard ZTP Firewalls
    Download PDF
    Next-Generation Firewall

    Onboard ZTP Firewalls

    Table of Contents

    Onboard ZTP Firewalls

    Learn how to onboard ZTP firewalls.
    Where Can I Use This?What Do I Need?
    • NGFW (Cloud Managed)
    • NGFW (PAN-OS or Panorama Managed)
    • VM-Series, funded with Software NGFW Credits
    • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
    • Cortex Data Lake license
    • PAN-OS 10.2.3 or later
    • One of the following supported firewall models:
      • PA-415 and PA-445
      • PA-1400 Series
      • PA-3400 Series
      • PA-5410, PA-5420, and PA-5430
      • PA-5440
    ZTP is designed to simplify and automate the onboarding of new firewalls to Strata Cloud Manager. ZTP streamlines the initial firewall deployment process by allowing network administrators to ship managed firewalls directly to their branches and automatically add the firewall to their tenant after the ZTP firewall successfully connects to the Palo Alto Networks ZTP service. This allows businesses to save on time and resources when deploying new firewalls at branch locations by removing the need for IT administrators to manually provision the new managed firewall. After successful onboarding, Strata Cloud Manager provides the means to configure and manage your firewalls.
    The ZTP cloud service supports a direct internet connection to successfully onboard a ZTP firewall to Strata Cloud Manager. The ZTP cloud service does not support an explicit web proxy and is unable to onboard a ZTP firewall to Strata Cloud Manager if an explicit web proxy is configured as a gateway to the internet for your ZTP firewalls and Strata Cloud Manager.
    Review and subscribe to ZTP Service Status events to be notified about scheduled maintenance windows, outages, and workarounds.
    Before you begin setting up ZTP on Strata Cloud Manager, review the Firewall Hardware Quick Start and Reference Guides to understand how to correctly install your firewall to successfully leverage ZTP.

    Cloud Management

    Learn how to onboard ZTP firewalls in Strata Cloud Manager.
    With a Business Administrator or greater role, access ZTP device activation to add a ZTP firewall to Strata Cloud Manager. To add the ZTP firewall, you must enter the firewall serial number and claim key provided by Palo Alto Networks and then register the firewall with the ZTP service. Registering the firewall claims the firewall as an asset in your account in the Customer Support Portal and allows the ZTP service to associate the firewall with Strata Cloud Manager.
    Before you can successfully add a ZTP firewall to Strata Cloud Manager, you must ensure that you have deployed a Dynamic Host Configuration Protocol (DHCP) server on the network. You must have a DHCP server configured to successfully onboard a ZTP firewall to Strata Cloud Manager. The ZTP firewall is unable to connect to the Palo Alto Networks ZTP service to facilitate onboarding without a DHCP server.
    You can't migrate a firewall added to Strata Cloud Manager using ZTP from one tenant to another.
    While adding a ZTP firewall to Strata Cloud Manager, don't perform any commits on the ZTP firewall before you verify that the firewall appears in Strata Cloud Manager according to the steps below. Performing a local commit on the ZTP firewall disables ZTP functionality and results in the failure to successfully add the firewall to Strata Cloud Manager.
    1. Activate the licenses required for Strata Cloud Manager.
      1. Activate Cortex Data Lake.
      2. Activate AIOps for NGFW.
    2. Onboard the ZTP firewall to Strata Cloud Manager.
      1. With the role of Business Administrator or higher, access ZTP device activation.
      2. Select the tenant (if you have more than one in your CSP account).
      3. Enter the Serial Number of the ZTP firewall.
      4. Enter the Claim Key for the ZTP firewall.
      5. Activate the firewall.
    3. Connect the ethernet cable to Eth1/1 on the ZTP firewall and power on.
      Ensure that you have correctly cabled the firewall before powering it on. ZTP connection is a one-time event, and if it fails, you will need to take corrective action.
    4. Verify the firewall successfully onboarded to Strata Cloud Manager.
      1. Log in to Strata Cloud Manager.
      2. Select SettingsFirewall SetupDevice Management and verify the ZTP firewall appears.
    5. Move the firewall to a folder of your choice.
      Folders are used to logically group your firewalls for simplified configuration management.
      (HA only) Both firewalls must be in the same folder to configure HA. If you need to configure your firewalls in a high availability (HA) configuration, be sure to plan your folder structure accordingly and move both firewalls to the same folder before you configure HA.
      Additionally, firewalls in an HA configuration cannot be moved to a new folder. To move them, you must first break the HA configuration, move both firewalls to the new folder, and then reconfigure HA.
      1. Select SettingsFirewall SetupFolder Management and expand the All Firewalls folder.
      2. Expand the Actions menu and Move.
      3. Select the folder Destination and Move.
    6. Push Config to push your configuration changes.

    Panorama

    Learn how to onbaord ZTP Firewalls to Panorama.
    ZTP Firewalls can be centrally managed using Panorama.
    To start onboarding your ZTP Firewalls to Panorama, follow the guide here.

    © 2025 Palo Alto Networks, Inc. All rights reserved.