ZTP configuration elements interrelate to simply on-boarding
of ZTP managed firewalls.
The following elements work together
to allow you to quickly on-board newly deployed ZTP firewalls by
automatically adding them to the Panorama management server using
the ZTP service.
—The ZTP plugin allows Panorama to connect
to the ZTP service and claim a ZTP firewall for simplified on-boarding.
Customer Support Portal (CSP)
—The Palo Alto Networks Customer Support Portal is used to register your
Panorama to connect to the CSP to automatically register newly added
One-time Password (OTP)
—A one-time password provided
by Palo Alto Networks used to retrieve and install a certificate
on Panorama for it to communicate with the CSP and ZTP service.
—An administrator user created using the
role for ZTP firewall on-boarding. This admin user has limited access
to the Panorama web interface, only allowing access to enter the
ZTP firewall serial number and claim key to register firewalls on
the CSP and Panorama. The installer admin can be created on Panorama
or created using remote authentication such as RADIUS, SAML, or
—Eight digit numeric key physically attached
to the ZTP firewall used to register the ZTP firewall with the CSP.
—Designate the PAN-OS software version
of the ZTP firewall (
Select the target PAN-OS release, and if the firewall is running
an earlier release than the indicated version, the firewall begins
an upgrade loop until the target release is successfully installed.
can only manage firewalls running a PAN-OS release equal to or less
than that installed on the Panorama.
To leverage ZTP, the administrator must first install the ZTP
plugin on Panorama and register Panorama with the ZTP service. After
registering Panorama, you can ship your ZTP firewalls directly to
the branch location where they can be installed and connected to
the internet using the ZTP installer administrative user. To complete
the on-boarding, the ZTP firewall must be registered with the claim
key and serial number provided by Palo Alto Networks to add the
firewall as a managed device on Panorama and complete new ZTP firewall deployment.