topic Re: PA1410 new install with ZTP disabled but still has ztp references. in General Topics

PA1410 new install with ZTP disabled but still has ztp references.

PA_nts — Wed, 08 May 2024 13:48:24 GMT

Hi All,

so we are in the process of deploying a few brand new PA 1410's out the box.

during initial bootup the field engineer connects with the console cable, and is then asked to install either ZTP mode or standard mode.

engineer selects standard mode and proceed.. all good.

once mgmt IP is configured i can then connect remotely and do the config.

however, i noticed that there are ztp based config auto configured.. the palo (pan-os 11.0.0 out the box) installs a loopback.900 interface with a 100.64.x.x ip and a ztp vr route

the service route is also set to custom and i cannot set it to default. i have to change the custom routes individually to default else it tries to talk from the loopback interface.

i checked also in the cli using 'show system ztp status' and it is showing as being disabled.

is it normal that it adds some ztp config into the base config or is it maybe a bit buggy?

so now i have to try and work around the ztp config and override the settings to make changes. bit of a headache.

any ideas?

have included some screenshots fyi

thanks in adv

Re: PA1410 new install with ZTP disabled but still has ztp references.

TomYoung — Wed, 08 May 2024 17:39:34 GMT

Hi @PA_nts ,

I ran into the same issue a little while ago. Issuing the commands in step 3 should remove the configuration for you.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UiOCAU&lang=en_US%E2%80%A9

It used to be that disabling ZTP was all you needed. Weird. This may be a PAN-OS 11 thing.

Thanks,

Tom

Re: PA1410 new install with ZTP disabled but still has ztp references.

PA_nts — Thu, 09 May 2024 06:17:29 GMT

Hi Tom,

Awesome thanks that worked.. using the following commands in step 3:

admin@FW1> set system setting template enable
Template already enabled
admin@FW-1> set system setting template disable
Template disabled
admin@FW-1> set system setting shared-policy enable
Shared policy already enabled
admin@FW-1> set system setting shared-policy disable
Shared policy disabled
admin@FW-1>

I was not able to force a commit on CLI.. as the service route still had references to the loopback.

so I just logged in via GUI again, changed the service route to use mgmt interface for all and was able to commit the policy. but this was on 1/2 FWs only.. the other one was fine. so definitely something weird on 11.0.0 going on.

we are doing 2 more over the next couple of days.. will try and see how it works on these and post anything of interest.

thanks

Re: PA1410 new install with ZTP disabled but still has ztp references.

PA_nts — Thu, 09 May 2024 12:59:15 GMT

update on this..

so today we deployed another FW out the box.. same process, however this time at first logon I did the step3 commands.. all worked but still unable to commit as it removed the interface configs etc and was complaining about invalid config when commiting...

workaround was to manually add an interface on the device and created a new zone.. once done I was able to commit the policy..

after that I did the device registration, license and content downloads followed by pan-os upgrade.

seems to be ok now and ready for action.