: Next-Generation Firewalls for Zero Touch Provisioning
Focus
Focus

Next-Generation Firewalls for Zero Touch Provisioning

Table of Contents

Next-Generation Firewalls for Zero Touch Provisioning

Leverage Zero Touch Provisioning (ZTP) to automate the on-boarding of new firewalls to the Panorama™ management server.
Zero Touch Provisioning (ZTP) is designed to simplify and automate the on-boarding of new firewalls to the Panorama™ management server. ZTP streamlines the initial firewall deployment process by allowing network administrators to ship managed firewalls directly to their branches and automatically add the firewall to the Panorama™ management server after the ZTP firewall successfully connects to the Palo Alto Networks ZTP service. This allows businesses to save on time and resources when deploying new firewalls at branch locations by removing the need for IT administrators to manually provision the new managed firewall. After successful on-boarding, Panorama provides the means to configure and manage your ZTP configuration and firewalls.
ZTP is supported on the following ZTP firewalls running PAN-OS 9.1.3 and later releases:
  • PA-220-ZTP and PA-220R-ZTP
  • PA-820-ZTP and PA-850-ZTP
  • PA-3220-ZTP, PA-3250-ZTP, and PA-3260-ZTP
  1. Log in to the Panorama web interface as a superuser or Panorama administrator with access to Panorama plugins (
    Panorama
    Plugins
    ).
  2. Select
    Panorama
    Plugins
    to
    Download
    and
    Install
    the most recent version of the
    ztp
    plugin.
  3. Register Panorama with the ZTP service.
    1. Select
      Panorama
      Zero Touch Provisioning
      Setup
      and edit the
      General
      ZTP settings.
    2. Enter the
      Panorama FQDN or IP Address
      .
    3. (
      HA only
      ) Enter the
      Peer FQDN or IP Address
      .
    4. Click
      OK
      to save your configuration changes.
  4. Create the default device group and template to automatically generate the required configuration to connect your ZTP firewalls to Panorama.
    1. Add Device Group and Template
      .
    2. Enter the
      Device Group
      name.
    3. Enter the
      Template
      name.
    4. Click
      OK
      to save your configuration changes.
  5. Select
    Commit
    and
    Commit to Panorama
    .
  6. Select
    Panorama
    Zero Touch Provisioning
    and
    Sync to ZTP Service
    .
  7. Configure the ZTP installer administrator account.
    1. Select
      Panorama
      Administrators
      and
      Add
      a new admin user.
    2. Enter a
      Name
      and
      Password
      for the ZTP installer admin.
    3. For the
      Administrator Type
      , select
      Custom Panorama Admin
      .
    4. For the
      Profile
      , select
      installeradmin
      .
    5. Click
      OK
      to save your configuration changes.
    6. Select
      Commit
      and
      Commit to Panorama
      .
  8. Add ZTP firewalls to Panorama.
    1. Log in to the Panorama web interface as the ZTP installer admin.
    2. Select
      Firewall Registration
      and
      Add
      a new ZTP firewall.
    3. Enter the
      Serial Number
      of the ZTP firewall.
    4. Enter the
      Claim Key
      for the ZTP firewall.
    5. Click
      OK
      to save your configuration changes.
    6. Select and
      Register
      the newly added ZTP firewall.
    7. When prompted, click
      Yes
      to confirm registering the ZTP firewall.

Recommended For You