ZTP configuration elements interrelate to simply on-boarding
of ZTP managed firewalls.
The following elements work together
to allow you to quickly on-board newly deployed ZTP firewalls by
automatically adding them to the Panorama management server using
the ZTP service.
—The ZTP plugin allows Panorama to connect
to the ZTP service and claim a ZTP firewall for simplified on-boarding.
Customer Support Portal (CSP)
—The Palo Alto Networks Customer Support Portal is used to register
your Panorama to connect to the CSP to automatically register newly
added ZTP firewalls.
One-time Password (OTP)
—A one-time password provided
by Palo Alto Networks used to retrieve and install a certificate
on Panorama for it to communicate with the CSP and ZTP service.
—An administrator user created using the
role for ZTP firewall on-boarding. This admin user has limited access
to the Panorama web interface, only allowing access to enter the
ZTP firewall serial number and claim key to register firewalls on
the CSP and Panorama. The installer admin can be created on Panorama
or created using remote authentication such as RADIUS, SAML, or
—Eight digit numeric key physically attached
to the ZTP firewall used to register the ZTP firewall with the CSP.
—Designate the PAN-OS software version
of the ZTP firewall (
Select the target PAN-OS release, and if the firewall is running
an earlier release than the indicated version, the firewall begins
an upgrade loop until the target release is successfully installed.
can only manage firewalls running a PAN-OS release equal to or less
than that installed on the Panorama.