ZTP Configuration Elements

ZTP configuration elements interrelate to simply on-boarding of ZTP managed firewalls.
The elements of a ZTP configuration work together to allow you to quickly on-board newly deployed ZTP managed firewalls by adding automatically adding them to the Panorama management server using the ZTP service.
  • ZTP Service
    —Downloaded as a plugin on Panorama, the ZTP service allows Panorama to claim a ZTP firewall for simplified on-boarding.
  • Customer Support Portal (CSP)
    —The Palo Alto Networks Customer Support Portal is used to register your Panorama to connect to the CSP to automatically register newly added ZTP firewalls.
  • One-time Password (OTP)
    —A one-time password provided by Palo Alto Networks used to retrieve and install the ZTP firewall device certificate from the CSP.
  • Installer
    —An administrator user created using the
    admin role for ZTP firewall on-boarding. This admin user has limited access to the Panorama web interface, only allowing access to enter the ZTP firewall serial number and claim key to register firewalls on the CSP and Panorama. The installer admin can be created on Panorama or created using remote authentication such as RADIUS, SAML, or TACACS+.
  • Claim Key
    —Eight digit numeric key physically attached to the ZTP firewall used to register the ZTP firewall with the CSP.
  • To-SW-Version
    —Designate the PAN-OS software version of the ZTP firewall (
    Managed Devices
    ). Select the target PAN-OS release, and if the firewall is running an earlier release than the indicated version, the firewall begins an upgrade loop until the target release is successfully installed.
    Panorama can only manage firewalls running a PAN-OS release equal to or less than that installed on the Panorama.
To leverage ZTP, the administrator must first install the ZTP plugin on Panorama and register Panorama with the ZTP service. After registering Panorama, you can ship your ZTP firewalls directly to the branch location where they can be installed and connected to the internet using the ZTP installer administrative user. To complete the on-boarding, the ZTP firewall must be registered with the claim key and serial number provided by Palo Alto Networks to add the firewall as a managed device on Panorama and complete new ZTP firewall deployment.

Recommended For You