Zero Touch Provisioning Simplifies Firewall Setup
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Team Member

Zero Touch Provisioning (ZTP) simplifies the setup of next-generation firewalls. Learn more about ZTP and how you can leverage this tool for optimal firewall and Panorama management. Find more answers on LIVEcommunity!

 

 

Zero Touch Provisioning Can Help Simplify Firewall Setup

For your initial deployment of firewalls, specialized IT staff are often required. As you may already know, this typically takes time and resources. With ZTP, you can provision and configure devices automatically, minimizing most of the manual intervention required for adding devices to a network.

 

ZTP refers to the following three steps:

  • Onboarding the firewall
  • Associate the firewall to an account
  • Provisioning the firewall

 

It's supported on the following ZTP firewalls running PAN-OS 9.1.3 and later releases:

  • PA-220-ZTP and PA-220R-ZTP
  • PA-820-ZTP and PA-850-ZTP
  • >PA-3220-ZTP, PA-3250-ZTP, and PA-3260-ZTP

 

The elements of a ZTP configuration work together to allow you to quickly onboard newly deployed ZTP-managed firewalls by automatically adding them to the Panorama management server using the ZTP service. Check out all the ZTP Configuration Elements

 

In order to claim ZTP firewalls for simplified onboarding, you should install the ZTP plugin on your Panorama management server to register Panorama with the ZTP service.

 

Configure the ZTP installer Administrator Account

The ZTP installer admin user is an administrator account created for non-IT staff or installation contractor to onboard new ZTP firewalls. The installer admin uses an automatically created 'installeradmin' admin role to limit visibility into the Panorama web interface and only allow the installer the ability to enter the ZTP firewall claim key and serial number on Panorama.

 

Log in to the web interface of the Panorama management server as a Superuser, Panorama admin, or as the ZTP installer admin to add a ZTP firewall to Panorama. To add the ZTP firewall, you must enter the firewall serial number and claim key provided by Palo Alto Networks, and then register the firewall with the ZTP service. Registering the firewall claims the firewall as an asset in your account in the Customer Support Portal and allows the ZTP service to associate the firewall with the Panorama.

 

NOTE: You can add a single ZTP firewall or import multiple ZTP firewalls to the Panorama management server.

After you successfully add a ZTP firewall to the Panorama management server, configure the target PAN-OS version of the ZTP firewall. Panorama checks whether the PAN-OS version installed on the ZTP firewall is greater than or equal to the configured target PAN-OS version after it successfully connects to Panorama for the first time. If the PAN-OS version installed on the ZTP firewall is less than the target PAN-OS version, the ZTP firewall enters an upgrade cycle until target PAN-OS version is installed.

 

 

For more information, make sure to check out the following articles in TechDocs:

Set Up Zero Touch Provisioning

Upgrade a ZTP firewall 

 

Thanks for taking time to read this blog.

Don't forget to hit that Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity Blog.

 

Stay Secure,
Kiwi out!

1 Comment
L1 Bithead

Hi @kiwi , is there any related material about what are the factory settings for a ZTP firewall? And I was recently questioned by one of our customers if they could use a ZTP as a standalone firewall (I know it kinda misses the whole point but...)? Can you load PAN-OS without the ZTP defaults?

 

Thanks, appreciate the help.

 

Register or Sign-in
Labels
Top Liked Authors