Register Panorama with the ZTP Service for Existing Deployments
End-of-Life (EoL)

Register the Panorama™ management server with the ZTP service for existing ZTP deployments.
After you install the ZTP plugin on the Panorama™ management server, you must register Panorama with the ZTP service to enable the ZTP service to associate firewalls with the Panorama. As part of the registration process, add your ZTP firewalls to a device group and template that contain the required ZTP configuration to connect your ZTP firewalls with the ZTP service after they first connect to Panorama.
  1. Log in to the Palo Alto Networks Customer Support Portal (CSP).
  2. Associate your Panorama with the ZTP Service on the Palo Alto Networks CSP.
    The ZTP Service supports associating up to two Panoramas only if they are in a high availability (HA) configuration. If Panorama is not in an HA configuration, only a single Panorama can be associated.
    1. Select Assets > ZTP Service and Modify Association.
    2. Select the serial number of the Panorama managing your ZTP firewalls.
    3. (HA only) Select the serial number of the Panorama HA peer.
    4. Click OK.
  3. Select Panorama > Zero Touch Provisioning > Setup and edit the General ZTP settings.
  4. Register Panorama with the ZTP service.
    1. Enable ZTP Service.
    2. Enter the Panorama FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama the ZTP plugin is installed on and that the CSP pushes to the ZTP firewalls.
      (All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
      If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
    3. (HA only) Enter the Peer FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama peer on which the ZTP plugin is installed and that the CSP pushes to the ZTP firewalls in case of failover.
      (All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
      If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
    4. Click OK to save your configuration changes.
  5. Add your ZTP firewalls to the device group and template that will contain the required ZTP configuration.
    1. Select Panorama > Device Groups and select the device group that will contain the required ZTP configuration.
    2. Select the ZTP Devices.
    3. Click OK to save your configuration changes.
    4. Select Panorama > Templates and select the template stack that contains the template that will have the required ZTP configuration.
    5. Select the ZTP Devices.
    6. Click OK to save your configuration changes.
  6. Modify your device groups and templates as needed.
    When considering your device group hierarchy and template priority in your template stack, ensure that the device group and template containing the required ZTP configuration that allows the ZTP firewall and Panorama to communicate have priority such that the configuration is not overridden in the event of conflicting configurations.
    1. Configure the Ethernet1/1 interface.
      1. Select Network > Interfaces > Ethernet, select a Template to contain your ZTP configuration and select ethernet1/1.
      2. For Interface Type, select Layer3.
      3. Select Config and configure a Virtual Router and set the Security Zone to Untrust.
      4. Select IPv4 and for the Type, select DHCP Client.
        A DHCP client is required for the ZTP firewalls to communicate with the ZTP service.
      5. Press OK to save your configuration changes.
    2. Create the loopback interface.
      1. Select Network > Interfaces > Loopback, select a Template to contain your ZTP configuration and Add a loopback interface.
      2. For the Interface Name, enter loopback and enter the 900 suffix.
      3. Select Config, select a Virtual Router, and set the Security Zone to Trust.
      4. Press OK to save your configuration changes.
    3. Create the Security policy rule to allow the ZTP firewall and Panorama to communicate.
      1. Select Policies > Security > Pre Rules, select the Device Group to contain your ZTP policy rules, and Add a new rule.
      2. Enter a descriptive Name for the policy rule.
      3. Select Source > Source Zone and Add the Trust zone.
      4. Select Destination > Destination Zone and Add the Untrust zone.
      5. Select Action > Action Settings > Action and select Allow.
    4. Create the NAT policy rule to allow the ZTP firewall and Panorama to communicate.
      1. Select Policies > NAT > Pre Rules, select the Device Group to contain your ZTP policy rules, and Add a new rule.
      2. Enter a descriptive Name for the policy rule.
      3. Select Original Packet and configure the following:
        1. For the Source Zone, Add the Trust zone.
        2. For the Destination Zone, select the Untrust zone.
        3. For the Destination Interface, select the ethernet1/1 interface.
      4. Click OK to save your configuration changes.
  7. Select Commit and Commit to Panorama.
  8. Sync to ZTP Service and verify that the Panorama Sync Status displays as In Sync.
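
The following check is an added example, not part of the original page or of Palo Alto Networks tooling. It audits an exported configuration for the settings that step 6 requires before you commit. The XML fragment is constructed and simplified, its element names are an assumption modelled on the PAN-OS XML configuration layout, and the rule names and function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified fragment. Element names are assumed to follow the
# PAN-OS XML configuration layout; they are not taken from the original page.
SAMPLE = """<config><network><interface>
  <ethernet><entry name="ethernet1/1"><layer3><dhcp-client><enable>yes</enable></dhcp-client></layer3></entry></ethernet>
  <loopback><units><entry name="loopback.900"/></units></loopback>
</interface></network><zone>
  <entry name="Untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  <entry name="Trust"><network><layer3><member>loopback.900</member></layer3></network></entry>
</zone><pre-rulebase>
  <security><rules><entry name="ztp-to-panorama"><from><member>Trust</member></from><to><member>Untrust</member></to><action>allow</action></entry></rules></security>
  <nat><rules><entry name="ztp-nat"><from><member>Trust</member></from><to><member>Untrust</member></to><to-interface>ethernet1/1</to-interface></entry></rules></nat>
</pre-rulebase></config>"""

def members(node, tag):
    return {m.text for m in node.findall(f"{tag}/member")}

def zone_of(root, ifname):
    # Return the name of the Layer3 zone that contains the interface, if any.
    for entry in root.findall(".//zone/entry"):
        if ifname in members(entry, "network/layer3"):
            return entry.get("name")
    return None

def rule_ok(rule):
    return "Trust" in members(rule, "from") and "Untrust" in members(rule, "to")

def audit_ztp(xml_text):
    """Return a list of step 6 requirements that the configuration lacks."""
    root = ET.fromstring(xml_text)
    missing = []
    eth = root.find(".//ethernet/entry[@name='ethernet1/1']")
    if eth is None or eth.find("layer3/dhcp-client") is None:
        missing.append("ethernet1/1 is not Layer3 with DHCP Client")
    if zone_of(root, "ethernet1/1") != "Untrust":
        missing.append("ethernet1/1 is not in zone Untrust")
    if root.find(".//loopback/units/entry[@name='loopback.900']") is None:
        missing.append("loopback.900 is missing")
    elif zone_of(root, "loopback.900") != "Trust":
        missing.append("loopback.900 is not in zone Trust")
    sec = root.findall(".//pre-rulebase/security/rules/entry")
    if not any(rule_ok(r) and r.findtext("action") == "allow" for r in sec):
        missing.append("no Trust-to-Untrust allow pre-rule")
    nat = root.findall(".//pre-rulebase/nat/rules/entry")
    if not any(rule_ok(r) and r.findtext("to-interface") == "ethernet1/1" for r in nat):
        missing.append("no Trust-to-Untrust NAT pre-rule on ethernet1/1")
    return missing

print(audit_ztp(SAMPLE))
```

An empty list means every step 6 item was found; each string in a non-empty list names one item to correct in the template or device group.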