: Register Panorama with the ZTP Service for New Deployments
Focus
Focus

Register Panorama with the ZTP Service for New Deployments

Table of Contents
End-of-Life (EoL)

Register Panorama with the ZTP Service for New Deployments

Register the Panorama™ management server with the ZTP service for new ZTP deployments.
After you install the ZTP plugin on the Panorama™ management server, you must register the Panorama with the ZTP service to enable the ZTP service to associate firewalls with the Panorama. As part of the registration process for ZTP new deployment, automatically generate the device group and template configurations required to connect your ZTP firewalls to the ZTP service. After the device group and template are automatically generated, you must add your ZTP firewalls to the device group and template so they can connect to the ZTP service after they first connect to Panorama.
  1. Log in to the Palo Alto Networks Customer Support Portal (CSP).
  2. Associate your Panorama with the ZTP Service on the Palo Alto Networks CSP.
    The ZTP Service supports associating up to two Panoramas only if they are in a high availability (HA) configuration. If Panorama is not in an HA configuration, only a single Panorama can be associated.
    1. Select AssetsZTP Service and Associate Panorama(s).
    2. Select the serial number of the Panorama managing your ZTP firewalls.
    3. (HA only) Select the serial number of the Panorama HA peer.
    4. Click OK.
  3. Select PanoramaZero Touch ProvisioningSetup and edit the General ZTP settings.
  4. Register Panorama with the ZTP service.
    1. Enable ZTP Service.
    2. Enter the Panorama FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama the ZTP plugin is installed on and that the CSP pushes to the ZTP firewalls.
      (Managed firewalls running PAN-OS 10.1.4 and earlier releases) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
      If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
    3. (HA only) Enter the Peer FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama peer on which the ZTP plugin is installed and that the CSP pushes to the ZTP firewalls in case of failover.
      (Managed firewalls running PAN-OS 10.1.4 and earlier releases) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
      If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
    4. Click OK to save your configuration changes.
  5. Create the default device group and template to automatically generate the required configuration to connect your ZTP firewalls to Panorama.
    Adding the device group and template automatically generates a new device group and template that contain the default configuration to connect the Panorama and the ZTP firewalls.
    Palo Alto Networks recommends giving the ZTP device group and template a descriptive name that makes their purpose clear. Unintentionally modifying the default ZTP configuration results in connectivity issues if you want to re-use the device group and template to onboard new ZTP firewalls in the future.
    1. Add Device Group and Template.
    2. Enter the Device Group name.
    3. Enter the Template name.
    4. Click OK to save your configuration changes.
  6. Modify the ZTP device group, templates, and template stack as needed.
    Moving a ZTP firewall to a different device group or template stack is not supported. You must keep the ZTP firewalls in the ZTP device group and template stack that includes the ZTP template that were created. This is required for the firewall to maintain connectivity with Panorama and prevent any unintended configuration reverts on the firewall.
    When considering your device group hierarchy and template priority in your template stack, ensure that the device group and template containing the required ZTP configuration that allows the ZTP firewall and Panorama to communicate have priority such that the configuration is not overridden in the event of conflicting configurations.
    If modifying the ZTP device group and template used to onboard the ZTP firewall, be careful to not modify any of the ZTP configuration that was automatically populated when you created the device group and template in the previous step. This includes configurations like the Panorama IP address, virtual router, the ethernet1/1 interface, Security zone of the ethernet1/1 interface, the loopback.900 loopback interface, the rule1 Security policy rule, ztp-nat NAT policy rule, and the service route. These configurations are required to connect your ZTP firewall to Panorama and can lead to connectivity issues if modified.
  7. Select Commit and Commit to Panorama
  8. Sync to ZTP Service and verify that the Panorama Sync Status displays as In Sync.