ZTP Configuration Elements

ZTP configuration elements interrelate to simply on-boarding of ZTP managed firewalls.
The following elements work together to allow you to quickly on-board newly deployed ZTP firewalls by automatically adding them to the Panorama management server using the ZTP service.
  • ZTP Plugin
    —The ZTP plugin allows Panorama to connect to the ZTP service and claim a ZTP firewall for simplified on-boarding.
  • Customer Support Portal (CSP)
    —The Palo Alto Networks Customer Support Portal is used to register your Panorama to connect to the CSP to automatically register newly added ZTP firewalls.
  • One-time Password (OTP)
    —A one-time password provided by Palo Alto Networks used to retrieve and install a certificate on Panorama for it to communicate with the CSP and ZTP service.
  • Installer
    —An administrator user created using the
    admin role for ZTP firewall on-boarding. This admin user has limited access to the Panorama web interface, only allowing access to enter the ZTP firewall serial number and claim key to register firewalls on the CSP and Panorama. The installer admin can be created on Panorama or created using remote authentication such as RADIUS, SAML, or TACACS+.
  • Claim Key
    —Eight digit numeric key physically attached to the ZTP firewall used to register the ZTP firewall with the CSP.
  • To-SW-Version
    —Designate the PAN-OS software version of the ZTP firewall (
    Managed Devices
    ). Select the target PAN-OS release, and if the firewall is running an earlier release than the indicated version, the firewall begins an upgrade loop until the target release is successfully installed.
    Panorama can only manage firewalls running a PAN-OS release equal to or less than that installed on the Panorama.
After you successfully install the ZTP plugin on Panorama and register Panorama with the ZTP service, the ZTP on boarding process continues as follows:
  1. Installer or IT administrator registers ZTP firewalls by adding them to Panorama using the firewall serial number and claim key.
  2. Panorama registers the firewalls with the CSP. After the firewalls are successfully registered, the firewall is associated with the same ZTP tenant as the Panorama in the ZTP service.
    ZTP firewalls successfully registered with the ZTP service are automatically added as managed firewalls (
    Managed Devices
    ) on Panorama.
  3. When the firewall connects to the Internet, the ZTP firewall requests a device certificate from the CSP in order to connect to the ZTP service.
  4. The ZTP service pushes the Panorama IP or FQDN to the ZTP firewalls.
  5. The ZTP firewalls connect to Panorama and the device group and template configurations are pushed from Panorama to the ZTP firewalls.

Recommended For You