Zero Touch Provisioning (ZTP) simplifies the setup of next-generation firewalls. Learn more about ZTP and how you can leverage this tool for optimal firewall and Panorama management. Find more answers on LIVEcommunity!
Zero Touch Provisioning Can Help Simplify Firewall Setup
The initial deployment of firewalls often requires specialized IT staff. As you may already know, this typically takes time and resources. With ZTP, you can provision and configure devices automatically, which removes most of the manual intervention required to add devices to a network.
ZTP refers to the following three steps:
Onboarding the firewall
Associating the firewall with an account
Provisioning the firewall
ZTP is supported on the following ZTP firewalls running PAN-OS 9.1.3 and later releases:
PA-220-ZTP and PA-220R-ZTP
PA-820-ZTP and PA-850-ZTP
PA-3220-ZTP, PA-3250-ZTP, and PA-3260-ZTP
The elements of a ZTP configuration work together to allow you to quickly onboard newly deployed ZTP-managed firewalls by automatically adding them to the Panorama management server using the ZTP service. Check out all the ZTP Configuration Elements.
The ZTP installer admin user is an administrator account created for non-IT staff or an installation contractor to onboard new ZTP firewalls. The installer admin uses an automatically created 'installeradmin' admin role, which limits visibility into the Panorama web interface and allows the installer only to enter the ZTP firewall claim key and serial number on Panorama.
Log in to the web interface of the Panorama management server as a Superuser, Panorama admin, or as the ZTP installer admin to add a ZTP firewall to Panorama. To add the ZTP firewall, you must enter the firewall serial number and claim key provided by Palo Alto Networks, and then register the firewall with the ZTP service. Registering the firewall claims the firewall as an asset in your account in the Customer Support Portal and allows the ZTP service to associate the firewall with Panorama.
NOTE: You can add a single ZTP firewall or import multiple ZTP firewalls to the Panorama management server.
After you successfully add a ZTP firewall to the Panorama management server, configure the target PAN-OS version of the ZTP firewall. After the ZTP firewall successfully connects to Panorama for the first time, Panorama checks whether the PAN-OS version installed on the firewall is greater than or equal to the configured target PAN-OS version. If the installed PAN-OS version is less than the target PAN-OS version, the ZTP firewall enters an upgrade cycle until the target PAN-OS version is installed.
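The target-version check described above can be rehearsed against an inventory before the firewalls ship. This is an added planning sketch, not Palo Alto Networks code. It assumes versions order numerically by major.minor.maintenance and then by hotfix number (`-hN`); the status labels, function names, and sample inventory are constructed for illustration.

```python
import re

# Models and minimum release as listed on this page.
ZTP_MODELS = {"PA-220-ZTP", "PA-220R-ZTP", "PA-820-ZTP", "PA-850-ZTP",
              "PA-3220-ZTP", "PA-3250-ZTP", "PA-3260-ZTP"}
MIN_ZTP_RELEASE = "9.1.3"

# Assumption: releases look like 10.1.6 or 10.1.6-h3 (hotfix 3).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); a missing hotfix counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def plan(model, installed, target):
    """Classify one firewall before it is added to Panorama."""
    if model not in ZTP_MODELS:
        return "not-a-ztp-model"
    try:
        have, want = parse_version(installed), parse_version(target)
    except ValueError:
        return "check-version-manually"  # never guess at an unparsed string
    if have < parse_version(MIN_ZTP_RELEASE):
        return "below-ztp-minimum"
    return "upgrade-cycle" if have < want else "no-upgrade"


def audit(inventory, target):
    """Map each serial number to its expected outcome for the given target."""
    return {serial: plan(model, installed, target)
            for serial, model, installed in inventory}


# Constructed sample inventory: (serial, model, installed PAN-OS version).
SAMPLE = [
    ("SERIAL-0001", "PA-220-ZTP", "9.1.3"),
    ("SERIAL-0002", "PA-850-ZTP", "10.1.6-h3"),
    ("SERIAL-0003", "PA-3220-ZTP", "9.1.2"),
    ("SERIAL-0004", "PA-820-ZTP", "10.1.6-beta"),
    ("SERIAL-0005", "PA-220", "10.1.6"),
]

if __name__ == "__main__":
    for serial, status in audit(SAMPLE, "10.1.6").items():
        print(serial, status)
```

Firewalls reported as `upgrade-cycle` will spend their first connection upgrading, so plan the installer's time on site accordingly.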
For more information, make sure to check out the following articles in TechDocs: