Register Panorama with the ZTP Service for Existing Deployments

After you install the ZTP plugin on the Panorama™ management server, you must register Panorama with the ZTP service to enable the ZTP service to associate firewalls with the Panorama. As part of the registration process, add your ZTP firewalls to a device group and template that contain the required ZTP configuration to connect your ZTP firewalls with the ZTP service after they first connect to Panorama.

Install the Panorama Device Certificate.

Associate your Panorama with the ZTP Service on the Palo Alto Networks CSP.

The ZTP Service supports associating up to two Panoramas only if they are in a high availability (HA) configuration. If Panorama is not in an HA configuration, only a single Panorama can be associated.

Select

Assets

ZTP Service

and

Modify Association

Select the serial number of the Panorama managing your ZTP firewalls.

(HA only) Select the serial number of the Panorama HA peer.

Click

Select

Panorama

Zero Touch Provisioning

Setup

and edit the

General

ZTP settings.

Enable ZTP Service

Enter the

Panorama FQDN or IP Address

This is the FQDN or public IP address of the Panorama the ZTP plugin is installed on and that the CSP pushes to the ZTP firewalls.

(All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.

If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.

(HA only) Enter the

Peer FQDN or IP Address

This is the FQDN or public IP address of the Panorama peer on which the ZTP plugin is installed and that the CSP pushes to the ZTP firewalls in case of failover.

(All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.

If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.

Click

to save your configuration changes.

Add your ZTP firewalls to the device group and template that will contain the required ZTP configuration.

Select

Panorama

Device Groups

and select the device group that will contain the required ZTP configuration.

Select the ZTP

Devices

Click

to save your configuration changes.

Select

Panorama

Templates

and select the template stack that contains the template that will have the required ZTP configuration.

Select the ZTP

Devices

Click

to save your configuration changes.

Modify your device groups and templates as needed.

When considering your device group hierarchy and template priority in your template stack, ensure that the device group and template containing the required ZTP configuration that allows the ZTP firewall and Panorama to communicate have priority such that the configuration is not overridden in the event of conflicting configurations.

Configure the Ethernet1/1 interface.

Select

Network

Interfaces

Ethernet

, select a

Template

to contain your ZTP configuration and select

ethernet1/1

For

Interface Type

, select

Layer3

Select

Config

and configure a

Virtual Router

and set the

Security Zone

Untrust

Select

IPv4

and for the

Type

, select

DHCP Client

A DHCP client is required for the ZTP firewalls to communicate with the ZTP service.

Press

to save your configuration changes.

Create the loopback interface

Select

Network

Interfaces

Loopback

, select a

Template

to contain your ZTP configuration and

Add

a loopback interface.

For the

Interface Name

, enter

loopback

and enter the

900

suffix.

Select

Config

, select a

Virtual Router

, and set the

Security Zone

Trust

Press

to save your configuration changes.

Create the Security policy rule to allow the ZTP firewall and Panorama to communicate.

Select

Policies

Security

Pre Rules

, select the

Device Group

to contain your ZTP policy rules, and

Add

a new rule.

Enter a descriptive

Name

for the policy rule.

Select

Source

Source Zone

and

Add

the

Trust

zone.

Select

Destination

Destination Zone

and

Add

the

Untrust

zone.

Select

Action

Action Settings

Action

and select

Allow

Create the NAT policy rule to allow the ZTP firewall and Panorama to communicate.

Select

Policies

NAT

Pre Rules

, select the

Device Group

to contain your ZTP policy rules, and

Add

a new rule.

Enter a descriptive

Name

for the policy rule.

Select

Original Packet

and configure the following:

For the

Source Zone

Add

the

Trust

zone.

For the

Destination Zone

, select the

Untrust

zone.

For the

Destination Interface

, select the

ethernet1/1

interface.

Click

to save your configuration changes.

Select

Commit

and

Commit to Panorama

Sync to ZTP Service

and verify that the Panorama Sync Status displays as

In Sync

Document:Panorama Administrator's Guide

Register Panorama with the ZTP Service for Existing Deployments

Register Panorama with the ZTP Service for Existing Deployments

Recommended For You

Document:Panorama Administrator's Guide

Register Panorama with the ZTP Service for Existing Deployments

Register Panorama with the ZTP Service for Existing Deployments

Recommended For You

Recommended Videos