Register Panorama with the ZTP Service for New Deployments

Register the Panorama™ management server with the ZTP service for new ZTP deployments.
After you install the ZTP plugin on the Panorama™ management server, you must register the Panorama with the ZTP service so that the ZTP service can associate firewalls with the Panorama. As part of the registration process for a new ZTP deployment, you automatically generate the device group and template configurations required to connect your ZTP firewalls to the ZTP service. After the device group and template are generated, you must add your ZTP firewalls to the device group and template so they can connect to the ZTP service after they first connect to Panorama.
  1. Log in to the Palo Alto Networks Customer Support Portal (CSP).
  2. Associate your Panorama with the ZTP Service on the Palo Alto Networks Customer Support Portal (CSP).
    The ZTP Service supports associating up to two Panoramas only if they are in a high availability (HA) configuration. If Panorama is not in an HA configuration, only a single Panorama can be associated.
    1. Select Assets > ZTP Service and Modify Association.
    2. Select the serial number of the Panorama managing your ZTP firewalls.
    3. (HA only) Select the serial number of the Panorama HA peer.
    4. Click OK.
  3. Select Panorama > Zero Touch Provisioning > Setup and edit the General ZTP settings.
  4. Register Panorama with the ZTP service.
    1. Enable ZTP Service.
    2. Enter the Panorama FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama the ZTP plugin is installed on and that ZTP firewalls will connect to.
    3. (HA only) Enter the Peer FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama peer on which the ZTP plugin is installed and that ZTP firewalls will connect to in case of failover.
    4. Click OK to save your configuration changes.
  5. Create the default device group and template to automatically generate the required configuration to connect your ZTP firewalls to Panorama.
    Adding the device group and template automatically generates a new device group and template that contain the default configuration to connect the Panorama and the ZTP firewalls.
    1. Add Device Group and Template.
    2. Enter the Device Group name.
    3. Enter the Template name.
    4. Click OK to save your configuration changes.
  6. Add your ZTP firewalls to the device group and template specified in the previous step.
    1. Select Panorama > Device Groups and select the device group that was automatically created.
    2. Select the ZTP Devices.
    3. Click OK to save your configuration changes.
    4. Select Panorama > Templates and Add Stack.
    5. In the Templates section, Add the template that was automatically generated.
    6. Select the ZTP Devices.
    7. Click OK to save your configuration changes.
  7. Verify that the required device group and template configurations generated successfully.
    1. Select Network > Interfaces > Ethernet and select the Template you created in the previous step.
    2. Verify that ethernet1/1 is configured with an IP Address, Virtual Router, and Security Zone.
    3. Select Network > Interfaces > Loopback and select the Template you created in the previous step.
    4. Verify that the loopback.900 interface is successfully created.
    5. Select Policies > Security > Pre Rules and select the Device Group you created in the previous step.
    6. Verify that rule1 is successfully created.
    7. Select Policies > NAT > Pre Rules and select the Device Group you created in the previous step.
    8. Verify that ztp-nat is successfully created.
  8. Modify your device groups and templates as needed.
    Create and configure new or existing device groups and templates to complete your deployment.
    When planning your device group hierarchy and the template priority in your template stack, ensure that the device group and template containing the required ZTP configuration, which allows the ZTP firewall and Panorama to communicate, have priority so that a conflicting configuration does not override it.
    Do not modify the IP address, virtual router, and Security zone of the ethernet1/1 interface, the loopback.900 loopback interface, the rule1 Security policy rule, or the ztp-nat NAT policy rule. These configurations are required to connect your ZTP firewall to Panorama.
  9. Select Commit and Commit to Panorama.
  10. Sync to ZTP Service and verify that the Panorama Sync Status displays as In Sync.
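
The verification in step 7 and the "do not modify" rule in step 8 can also be run as an offline check against an exported Panorama configuration. The following is an added example, not Palo Alto Networks code: it lists which of the required ZTP objects are missing from the XML. The element layout, the SAMPLE document, and the names ztp-tpl and ztp-dg are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements the check reads (layout assumed).
SAMPLE = """<config><devices><entry name="localhost.localdomain">
<template><entry name="ztp-tpl"><config><devices><entry name="localhost.localdomain">
 <network><interface>
   <ethernet><entry name="ethernet1/1"><layer3><dhcp-client/></layer3></entry></ethernet>
   <loopback><units><entry name="loopback.900"/></units></loopback>
  </interface>
  <virtual-router><entry name="default"><interface>
   <member>ethernet1/1</member></interface></entry></virtual-router></network>
 <vsys><entry name="vsys1"><zone><entry name="untrust"><network><layer3>
   <member>ethernet1/1</member></layer3></network></entry></zone></entry></vsys>
</entry></devices></config></entry></template>
<device-group><entry name="ztp-dg"><pre-rulebase>
 <security><rules><entry name="rule1"/></rules></security>
 <nat><rules><entry name="ztp-nat"/></rules></nat>
</pre-rulebase></entry></device-group>
</entry></devices></config>"""

def _entry(parent, path, name):
    """Return the <entry name=...> found under path, or None."""
    if parent is None:
        return None
    return next((e for e in parent.iterfind(path) if e.get("name") == name), None)

def _member(parent, path, value):
    """True if any <member> under path has exactly this text."""
    return parent is not None and any(
        (m.text or "").strip() == value for m in parent.iterfind(path))

def missing_ztp_objects(xml_text, template, device_group):
    """List the required ZTP objects (per steps 7 and 8) absent from the export."""
    root = ET.fromstring(xml_text)
    tpl = _entry(root, ".//template/entry", template)
    dg = _entry(root, ".//device-group/entry", device_group)
    eth = _entry(tpl, ".//interface/ethernet/entry", "ethernet1/1")
    # Static address or DHCP client both count as "configured with an IP address".
    addressed = eth is not None and (eth.find("layer3/ip/entry") is not None
                                     or eth.find("layer3/dhcp-client") is not None)
    checks = {
        "ethernet1/1 IP address": addressed,
        "ethernet1/1 virtual router": _member(
            tpl, ".//virtual-router/entry/interface/member", "ethernet1/1"),
        "ethernet1/1 security zone": _member(
            tpl, ".//zone/entry/network/layer3/member", "ethernet1/1"),
        "loopback.900": _entry(tpl, ".//interface/loopback/units/entry", "loopback.900") is not None,
        "rule1": _entry(dg, "pre-rulebase/security/rules/entry", "rule1") is not None,
        "ztp-nat": _entry(dg, "pre-rulebase/nat/rules/entry", "ztp-nat") is not None,
    }
    return [name for name, ok in checks.items() if not ok]
```

An empty list means every object the page marks as required is still present; run the check again after any later device group or template change and before committing.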