Panorama Administrator's Guide
    : Add a ZTP Firewall to Panorama
    Focus
    Download PDF
    Focus
    1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Manage Firewalls
    5. Set Up Zero Touch Provisioning
    6. Add ZTP Firewalls to Panorama
    7. Add a ZTP Firewall to Panorama
    Download PDF

    Panorama Administrator's Guide

    Add a ZTP Firewall to Panorama

    Table of Contents

    Add a ZTP Firewall to Panorama

    Add a ZTP firewall to be managed by the Panorama management server.
    Where Can I Use This?
    What Do I Need?
    • NGFW (Managed by Panorama)
    • Device management license
    • Support license
    • Claim key
    • Auth code
    Log in to the web interface of the Panorama™ management server as a Superuser, Panorama admin, or as the ZTP installer admin to add a ZTP firewall to Panorama. To add the ZTP firewall, you must enter the firewall serial number and claim key provided by Palo Alto Networks and then register the firewall with the ZTP service. Registering the firewall claims the firewall as an asset in your account in the Customer Support Portal and allows the ZTP service to associate the firewall with the Panorama.
    Before you can successfully add a ZTP firewall to Panorama, you must ensure that a Dynamic Host Configuration Protocol (DHCP) server is deployed on the network. A DHCP server is required to successfully onboard a ZTP firewall to Panorama. The ZTP firewall is unable to connect to the Palo Alto Networks ZTP service to facilitate onboarding without a DHCP server.
    Do not power on the ZTP firewall until after you finish all the required installation and setup procedures.
    Do not power on the ZTP firewall until after you finish all the required installation and setup procedures. This causes ZTP onboarding to fail and you must reset the firewall to factory default settings to restart the ZTP onboarding process.
    Migrating a firewall added to Panorama management using ZTP from one Panorama to another is not supported.
    Firewalls onboarded to Panorama management using ZTP do not support high availability (HA) configuration.
    You must disable ZTP on your firewalls to configure them in an HA configuration. After disabling ZTP, add your firewalls as managed devices and set up your firewalls in an active/passive or active/active HA configuration.
    While adding ZTP firewalls to Panorama, do not perform any commits on the ZTP firewall before you verify that the firewall is successfully added to Panorama. Performing a local commit on the ZTP firewall disables ZTP functionality and results in the failure to successfully add the firewall to Panorama.

    11.1

    Add a Zero Touch Provisioning (ZTP) firewall to be managed by the Panorama management server running PAN-OS 11.1.
    2. Add a ZTP firewall to Panorama.
      You must connect the ZTP firewall to the internet using the Eth1/1 interface to successfully register the ZTP firewall with the CSP and push the policy and network configurations.
      1. Select
        Firewall Registration
         and
        Add
         a new ZTP firewall.
      2. Enter the
        Serial Number
         of the ZTP firewall.
      3. Enter the
        Claim Key
         for the ZTP firewall provided by Palo Alto Networks.
        The eight digit numeric claim key is printed on a physical label attached to the back of the ZTP firewall you received from Palo Alto Networks.
      4. Click
        OK
         to save your configuration changes.
      5. Select the newly added ZTP firewall and
        Register
         the firewall.
        When prompted, click
        Yes
         to confirm registering the ZTP firewall.
    3. Verify the firewall successfully registered with the CSP.
      The firewall must successfully register with the CSP to successfully obtain device certificate.
      1. Select
        Registration Status
         and verify that the ZTP firewall successfully registered with the CSP.
      2. Log in to the Panorama Web Interface using admin credentials.
      3. Select
        Panorama
        Managed Devices
        Summary
         and verify that the ZTP firewall is successfully added as a managed firewall.
        The ZTP firewall is listed but has a
        Disconnected
        Device State
        .
        Ensure that the
        To SW Version
         column is configured to the correct PAN-OS version so that the firewall does not upgrade or downgrade unintentionally. ZTP functionality is supported only for PAN-OS 10.0.1 and later releases. Additionally, the PAN-OS version must be the same or an earlier version of the PAN-OS version running on Panorama.
        For more information, see Upgrade a ZTP Firewall.
    4. Add the ZTP firewall to the device group and template stack that contain the required ZTP configuration.
      You must add the ZTP firewall to a device group and template stack for your firewalls to display as
      Connected
       to push policy and network configurations.
      You must keep the ZTP firewall in the ZTP device group and template stack that the ZTP template is associated with. This is required for the firewall to maintain connectivity with Panorama and prevent any unintended configuration reverts on the firewall.
      1. Log in to the Panorama Web Interface using admin credentials.
      2. Select
        Panorama
        Managed Devices
        Summary
        .
      3. Select the ZTP firewalls you added and registered in the previous step and
        Reassociate
        .
      4. Select the ZTP
        Device Group
         and
        Template Stack
        .
      5. Check (enable)
        Auto Push on 1st Connect
         to automatically push the device group and template stack configurations when the ZTP firewall successfully connects to Panorama for the first time.
      6. (
        Optional
        ) Specify the
        To SW Version
         to automatically upgrade your firewalls to a more recent PAN-OS version.
        Ensure that the
        To SW Version
         column is configured to the correct PAN-OS version so that the firewall does not upgrade or downgrade unintentionally. ZTP functionality is supported only for PAN-OS 10.0.1 and later releases. Additionally, the PAN-OS version must be the same or an earlier version of the PAN-OS version running on Panorama.
        For more information, see Upgrade a ZTP Firewall.
      7. Commit
         and
        Commit to Panorama
    5. Power on the ZTP firewall.
      Wait for the ZTP firewall to finish powering on. On Panorama, select
      Panorama
      Managed Devices
      Summary
       and verify that the ZTP firewall is now
      Connected
      .
    6. Complete setting up the newly onboarded firewall.
      3. Install the latest dynamic content updates on the managed firewall.
        1. Select
          Panorama
          Device Deployment
          Dynamic Updates
           and
          Check Now
           for the latest updates
        2. Download
           the latest dynamic content release version.
        3. Install
           and select the newly added firewalls.
          Click
          OK
           when prompted.
      4. (
        Optional
        ) Upgrade the managed firewall as needed.

    11.2 and Later

    Add a Zero Touch Provisioning (ZTP) firewall to be managed by the Panorama management server running PAN-OS 11.2 and later releases.
    2. Add a ZTP firewall to Panorama.
      You must connect the ZTP firewall to the internet using the Eth1/1 interface to successfully register the ZTP firewall with the CSP and push the policy and network configurations.
      1. Select
        Firewall Registration
         and
        Add
         a new ZTP firewall.
      2. Enter the
        Serial Number
         of the ZTP firewall.
      3. Enter the
        Claim Key
         for the ZTP firewall provided by Palo Alto Networks.
        The eight digit numeric claim key is printed on a physical label attached to the back of the ZTP firewall you received from Palo Alto Networks.
      4. Enter the
        Auth Code
         for the ZTP to activate licenses on the firewall after it successfully connects to Panorama for the first time.
      5. Click
        OK
         to save your configuration changes.
      6. Select the newly added ZTP firewall and
        Register
         the firewall.
        When prompted, click
        Yes
         to confirm registering the ZTP firewall.
    3. Verify the firewall successfully registered with the CSP.
      The firewall must successfully register with the CSP to successfully obtain the device certificate.
      1. Select
        Registration Status
         and verify that the ZTP firewall successfully registered with the CSP.
      2. Log in to the Panorama Web Interface using admin credentials.
      3. Select
        Panorama
        Managed Devices
        Summary
         and verify that the ZTP firewall is successfully added as a managed firewall.
    4. Add the ZTP firewall to the device group and template stack that contain the required ZTP configuration.
      You must add the ZTP firewall to a device group and template stack for your firewalls to display as
      Connected
       to push policy and network configurations.
      You must keep the ZTP firewall in the ZTP device group and template stack that the ZTP template is associated with. This is required for the firewall to maintain connectivity with Panorama and prevent any unintended configuration reverts on the firewall.
      1. Log in to the Panorama Web Interface using admin credentials.
      2. Select
        Panorama
        Managed Devices
        Summary
        .
      3. Select the ZTP firewalls you added and registered in the previous step and
        Reassociate
        .
      4. Select the ZTP
        Device Group
         and
        Template Stack
        .
      5. Check (enable)
        Auto Push on 1st Connect
         to automatically push the device group and template stack configurations when the ZTP firewall successfully connects to Panorama for the first time.
      6. (
        Optional
        ) Specify the
        To SW Version
         to automatically upgrade your firewalls to a more recent PAN-OS version.
        Ensure that the
        To SW Version
         column is configured to the correct PAN-OS version so that the firewall does not upgrade or downgrade unintentionally. ZTP functionality is supported only for PAN-OS 10.0.1 and later releases. Additionally, the PAN-OS version must be the same or an earlier version of the PAN-OS version running on Panorama.
        For more information, see Upgrade a ZTP Firewall.
      7. Commit
         and
        Commit to Panorama
    5. Power on the ZTP firewall.
      Wait for the ZTP firewall to finish powering on. On Panorama, select
      Panorama
      Managed Devices
      Summary
       and verify that the ZTP firewall is now
      Connected
      .

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.