
11.2 and Later

Add a Zero Touch Provisioning (ZTP) firewall to be managed by the Panorama management server running PAN-OS 11.2 and later releases.
  1. Add a ZTP firewall to Panorama.
    You must connect the ZTP firewall to the internet using the Eth1/1 interface to successfully register the ZTP firewall with the CSP and push the policy and network configurations.
    1. Select Firewall Registration and Add a new ZTP firewall.
    2. Enter the Serial Number of the ZTP firewall.
    3. Enter the Claim Key for the ZTP firewall provided by Palo Alto Networks.
      The eight digit numeric claim key is printed on a physical label attached to the back of the ZTP firewall you received from Palo Alto Networks.
    4. Enter the Auth Code for the ZTP firewall to activate licenses on the firewall after it successfully connects to Panorama for the first time.
    5. Click OK to save your configuration changes.
    6. Select the newly added ZTP firewall and Register the firewall.
      When prompted, click Yes to confirm registering the ZTP firewall.
  2. Verify the firewall successfully registered with the CSP.
    The firewall must successfully register with the CSP to successfully obtain the device certificate.
    1. Select Registration Status and verify that the ZTP firewall successfully registered with the CSP.
    2. Log in to the Panorama Web Interface using admin credentials.
    3. Select Panorama > Managed Devices > Summary and verify that the ZTP firewall is successfully added as a managed firewall.
  3. Add the ZTP firewall to the device group and template stack that contain the required ZTP configuration.
    You must add the ZTP firewall to a device group and template stack for your firewalls to display as Connected to push policy and network configurations.
    You must keep the ZTP firewall in the ZTP device group and template stack that the ZTP template is associated with. This is required for the firewall to maintain connectivity with Panorama and prevent any unintended configuration reverts on the firewall.
    1. Log in to the Panorama Web Interface using admin credentials.
    2. Select Panorama > Managed Devices > Summary.
    3. Select the ZTP firewalls you added and registered in the previous step and Reassociate.
    4. Select the ZTP Device Group and Template Stack.
    5. Check (enable) Auto Push on 1st Connect to automatically push the device group and template stack configurations when the ZTP firewall successfully connects to Panorama for the first time.
    6. (Optional) Specify the To SW Version to automatically upgrade your firewalls to a more recent PAN-OS version.
      Ensure that the To SW Version column is set to the correct PAN-OS version so that the firewall does not upgrade or downgrade unintentionally. ZTP functionality is supported only for PAN-OS 10.0.1 and later releases. Additionally, the target PAN-OS version must be the same as or earlier than the PAN-OS version running on Panorama.
      For more information, see Upgrade a ZTP Firewall.
    7. Commit and Commit to Panorama.
  4. Power on the ZTP firewall.
    Wait for the ZTP firewall to finish powering on. On Panorama, select Panorama > Managed Devices > Summary and verify that the ZTP firewall is now Connected.
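
The claim key format from step 1 and the To SW Version constraints from step 3 can be checked offline before a batch of firewalls is entered. The script below is an added example, not Palo Alto Networks code; the entry field names, the sample data, and the `major.minor.maintenance[-hN]` version shape are assumptions.

```python
import re

ZTP_MIN = (10, 0, 1, 0)  # ZTP is supported only on PAN-OS 10.0.1 and later
# Assumed version shape: major.minor.maintenance with an optional -hN hotfix.
VERSION_RE = re.compile(r"([0-9]+)\.([0-9]+)\.([0-9]+)(?:-h([0-9]+))?")

def parse_version(text):
    """Return (major, minor, maintenance, hotfix) or raise ValueError."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def check_entry(entry, panorama_version):
    """Return the list of problems for one planned ZTP firewall entry."""
    problems = []
    # The claim key on the device label is eight numeric digits.
    if not re.fullmatch(r"[0-9]{8}", entry.get("claim_key", "")):
        problems.append("claim key is not eight digits")
    target = entry.get("to_sw_version")
    if target:  # To SW Version is optional
        try:
            tv = parse_version(target)
        except ValueError as exc:
            return problems + [str(exc)]
        if tv < ZTP_MIN:
            problems.append(f"{target} is earlier than 10.0.1")
        # A hotfix of Panorama's own release is treated as later (assumption).
        if tv > parse_version(panorama_version):
            problems.append(f"{target} is later than Panorama {panorama_version}")
    return problems

def check_batch(entries, panorama_version):
    """Map serial -> problems, listing only entries that have problems."""
    checked = ((e["serial"], check_entry(e, panorama_version)) for e in entries)
    return {serial: problems for serial, problems in checked if problems}

# Constructed sample data; serials and claim keys are placeholders.
SAMPLE = [
    {"serial": "SAMPLE-0001", "claim_key": "12345678", "to_sw_version": "11.2.1"},
    {"serial": "SAMPLE-0002", "claim_key": "1234567", "to_sw_version": "10.0.0"},
    {"serial": "SAMPLE-0003", "claim_key": "87654321", "to_sw_version": "11.2.4-h2"},
    {"serial": "SAMPLE-0004", "claim_key": "00000001"},
]

if __name__ == "__main__":
    for serial, problems in check_batch(SAMPLE, "11.2.3").items():
        print(serial, "->", "; ".join(problems))
```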