>
    Onboard a ZTNA Connector Using KVM
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access ZTNA Connector
    5. Onboard the ZTNA Connector VM in Your Data Center
    6. KVM Deployments Supported by Prisma Access ZTNA Connector
    7. Onboard a ZTNA Connector Using KVM
    Download PDF
    Prisma Access

    Onboard a ZTNA Connector Using KVM

    Table of Contents

    Onboard a ZTNA Connector Using KVM

    Onboard a ZTNA Connector using Kernel-based Virtual Machine (KVM).
    To onboard a ZTNA Connector using a Kernel-based Virtual Machine (KVM), complete the following steps.
    Before you start, make sure that you have the following prerequisites:
    1. Create a Connector Group and a Connector for the KVM host.
    2. Select WorkflowsZTNA ConnectorConnectors, and find the connector you created for the KVM host, Copy Token in the Status area, and copy the Key and Secret values.
    3. Upload the qcow image you downloaded from the CSP to the KVM host.
    4. If you have not already, build and associate the virtual bridge interfaces on the KVM host and prepare the host by entering the following commands:
      • brctl addbr virbr0
      • brctl addbr virbr0
      • brctl addbr virbr1
      • brctl addif virbr1 ens192
    5. Deploy the VM on the KVM host by running the virt-install command with the following options set:
      • -name is the name of the virtual machine.
      • -vcpu is 4.
      • -memory is 16384 (16 GB).
      • -disk is the location and name of the qcow image on the KVM host.
      • -network references the virtual interfaces to attach to this VM (you need to deploy interfaces for a ZTNA Connector).
      The following is a sample command used to deploy the KVM host, where <kvm-file-name> is the name of the qcow file you downloaded from the CSP:
      virt-install --name ztna-conn-1 --vcpus 4 --memory 16384 --disk ./<kvm-file-name> --import --network bridge=virbr0,model=virtio --network bridge=virbr1,model=virtio
    6. Connect to the VM console by entering the following command:
      virsh console ztna-conn-1
      An interactive CLI install program initiates.
    7. Configure the ION model, key, and secret.
      1. Select 1 (an ION Model of ion 200v) from the choices that display.
        root@ubuntu-kvm-vm:/home/ubuntu-kvm/Desktop# virsh console ztna-conn-1
Connected to domain ztna-conn-1
Escape character is ^]

Select an ION model:
 1) ion 200v
 2) ion 3102v
 3) ion 3104v
 4) ion 3108v
 5) ion 7108v
 6) ion 7116v
 7) ion 7132v
 8) ion 9100v

Choose a Number or (Q)uit: 1
      CPU: Passed (needed 4)
   Memory: Passed (needed 8.0G)
     Disk: Could not verify (needs 40.0G)
  Network: Passed (needed 1)

Select an item to modify, or submit config:
 1) 	Model		: ion 200v
 2) 	ION Key		:
 3) 	Secret Key	:
 4) 	Controller 1	: Controller - DHCP
 5) 	Port 1		: Disabled/Unused
 6) 	Port 2		: Disabled/Unused
 7) 	Port 3		: Disabled/Unused
 8) 	Port 4		: Disabled/Unused
 9) 	Port 5		: Disabled/Unused
 10) 	Port 6		: Disabled/Unused
 11) 	Port 7		: Disabled/Unused
 12) 	Port 8		: Disabled/Unused
 13) 	Port 9		: Disabled/Unused
 14) 	Submit and restart
      2. Input the Key from the connector by selecting option 2 and entering the key you saved from the ZTNA Connector UI. 
        Choose a Number or (Q)uit: 2
Enter ION Key[None]: xxxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
Select an item to modify, or submit config:
 1) 	Model		: ion 200v
 2) 	ION Key	: xxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
 3) 	Secret Key	:
 4) 	Controller 1	: Controller - DHCP
 5) 	Port 1		: Disabled/Unused
 6) 	Port 2		: Disabled/Unused
 7) 	Port 3		: Disabled/Unused
 8) 	Port 4		: Disabled/Unused
 9) 	Port 5		: Disabled/Unused
 10) 	Port 6		: Disabled/Unused
 11) 	Port 7		: Disabled/Unused
 12) 	Port 8		: Disabled/Unused
 13) 	Port 9		: Disabled/Unused
 14) 	Submit and restart
      3. Enter the ZTNA Connector secret by selecting option 3 and entering the secret you saved from the ZTNA Connector UI.
        Choose a Number or (Q)uit: 3
Enter ION secret[None]: abcde12345
Select an item to modify, or submit config:
 1) 	Model		: ion 200v
 2) 	ION Key	: xxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
 3) 	Secret Key	: abcde12345
 4) 	Controller 1	: Controller - DHCP
 5) 	Port 1		: Disabled/Unused
 6) 	Port 2		: Disabled/Unused
 7) 	Port 3		: Disabled/Unused
 8) 	Port 4		: Disabled/Unused
 9) 	Port 5		: Disabled/Unused
 10) 	Port 6		: Disabled/Unused
 11) 	Port 7		: Disabled/Unused
 12) 	Port 8		: Disabled/Unused
 13) 	Port 9		: Disabled/Unused
 14) 	Submit and restart
    8. Configure WAN port optiona.
      1. Select option 5 (Port 1).
        Choose a Number or (Q)uit: 5
Port 1:
 1) 	Role		: Disable
 2) 	Cancel Port changes
 3) 	Apply and return
      2. Select option 1 (Public/WAN).
        Choose a Number or (Q)uit: 1
Select Port Role:
 1) Internet facing port (PublicWAN)
 2) Private WAN port (PrivateWAN)
 3) Bypass Port Pair 1 (WAN Port)
 4) Bypass Port Pair 1 (LAN Port)
 5) Bypass Port Pair 2 (WAN Port)
 6) Bypass Port Pair 2 (LAN Port)
 7) Bypass Port Pair 3 (WAN Port)
 8) Bypass Port Pair 3 (LAN Port)
 9) Bypass Port Pair 4 (WAN Port)
 10) Bypass Port Pair 4 (LAN Port)
 11) Disabled/Unused
      3. (Optional) If you need to set a static IP address, choose option 2 and set the IP address, gateway, and DNS server parameters; otherwise, select 1. 
        Choose a Number or (Q)uit: 1
Port 1:
 1) 	Role		: PublicWAN
 2) 	Config via	: DHCP
 3) 	Cancel Port changes
 4) 	Apply and return
      4. Select option 4 to return to the main menu. 
        Choose a Number or (Q)uit: 4
Select an item to modify, or submit config:
 1) 	Model		: ion 200v
 2) 	ION Key	: xxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
 3) 	Secret Key	: abcde12345
 4) 	Controller 1	: Controller - DHCP
 5) 	Port 1		: PublicWAN - DHCP
 6) 	Port 2		: Disabled/Unused
 7) 	Port 3		: Disabled/Unused
 8) 	Port 4		: Disabled/Unused
 9) 	Port 5		: Disabled/Unused
 10) 	Port 6		: Disabled/Unused
 11) 	Port 7		: Disabled/Unused
 12) 	Port 8		: Disabled/Unused
 13) 	Port 9		: Disabled/Unused
 14) 	Submit and restart

Select an item to modify, or submit config:
 1) 	Model		: ion 200v
 2) 	ION Key	: xxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
 3) 	Secret Key	: abcde12345
 4) 	Controller 1	: Controller - DHCP
 5) 	Port 1		: PublicWAN - DHCP
 6) 	Port 2		: Disabled/Unused
 7) 	Port 3		: Disabled/Unused
 8) 	Port 4		: Disabled/Unused
 9) 	Port 5		: Disabled/Unused
 10) 	Port 6		: Disabled/Unused
 11) 	Port 7		: Disabled/Unused
 12) 	Port 8		: Disabled/Unused
 13) 	Port 9		: Disabled/Unused
 14) 	Submit and restart
    9. Configure LAN port options.
      1. Select option 6 (Port 2).
        Choose a Number or (Q)uit: 6
Port 2:
 1) 	Role		: Disable
 2) 	Cancel Port changes
 3) 	Apply and return
      2. Select option 2 (PrivateWAN).
        Choose a Number or (Q)uit: 2
Select Port Role:
 1) Internet facing port (PublicWAN)
 2) Private WAN port (PrivateWAN)
 3) Bypass Port Pair 1 (WAN Port)
 4) Bypass Port Pair 1 (LAN Port)
 5) Bypass Port Pair 2 (WAN Port)
 6) Bypass Port Pair 2 (LAN Port)
 7) Bypass Port Pair 3 (WAN Port)
 8) Bypass Port Pair 3 (LAN Port)
 9) Bypass Port Pair 4 (WAN Port)
 10) Bypass Port Pair 4 (LAN Port)
 11) Disabled/Unused
      3. (Optional) If you need to set a static IP address, choose option 2 and set the IP address, gateway, and DNS server parameters; otherwise, select 1. 
        Choose a Number or (Q)uit: 2
Port 2:
 1) 	Role		: PrivateWAN
 2) 	Config via	: DHCP
 3) 	Cancel Port changes
 4) 	Apply and return
      4. Select option 4 to return to the main menu. 
        Choose a Number or (Q)uit: 4
Select an item to modify, or submit config:
 1) 	Model		: ion 200v
 2) 	ION Key	: xxxxxxxxx-yyyyyyyy-zzz-1234-1234-abcdefghijkl
 3) 	Secret Key	: abcde12345
 4) 	Controller 1	: Controller - DHCP
 5) 	Port 1		: PublicWAN - DHCP
 6) 	Port 2		: PrivateWAN - DHCP
 7) 	Port 3		: Disabled/Unused
 8) 	Port 4		: Disabled/Unused
 9) 	Port 5		: Disabled/Unused
 10) 	Port 6		: Disabled/Unused
 11) 	Port 7		: Disabled/Unused
 12) 	Port 8		: Disabled/Unused
 13) 	Port 9		: Disabled/Unused
 14) 	Submit and restart
    10. Save and reboot the connector.
      Choose a Number or (Q)uit: 14
WARNING! After this configuration is submitted, all hardware will be signed,
logged, and permanently tied to the ION Key/Secret Key in the Prisma SDWAN Cloud
Controller.

WHAT THIS MEANS is that hardware cannot be added/removed (disks, network cards)
after this 'SUBMIT' function. If any hardware changes are required beyond this
'SUBMIT', the ION will need to be re-deployed with a new ION Key and Secret
Key.

If there is a need to add or remove hardware, please answer 'N' below and shut
down the ION and make the changes now.

Submit these changes now?[N]: y
Building configuration...
[VFF:CFG] ZeroTouch Config Starting - config file parser
[VFF:CFG] Attempting to load/parse as Config/INI file.
[VFF:CFG] Successfully Loaded config style file.
[VFF:CFG] Controller 1 successfully set to CONTROLLER/DHCP.
[VFF:CFG] Port 1 successfully set to PUBLICWAN/DHCP.
[VFF:CFG] Port 2 successfully set to PRIVATEWAN/DHCP.
[VFF:CFG] WARN: Port 3 had no config section. Defaulting to Disable.
[VFF:CFG] WARN: Port 4 had no config section. Defaulting to Disable.
[VFF:CFG] WARN: Port 5 had no config section. Defaulting to Disable.
[VFF:CFG] WARN: Port 6 had no config section. Defaulting to Disable.
[VFF:CFG] WARN: Port 7 had no config section. Defaulting to Disable.
[VFF:CFG] WARN: Port 8 had no config section. Defaulting to Disable.
[VFF:CFG] WARN: Port 9 had no config section. Defaulting to Disable.
[VFF:CFG] Success with Config/INI file parser.
[VFF:KVM] Menu config end, continuing normal boot...
Reboot-reason: manufacture

    © 2025 Palo Alto Networks, Inc. All rights reserved.