Convert traditional 820 firewall to ZTP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Convert traditional 820 firewall to ZTP

L1 Bithead

Hi,

 

Is it possible to redeploy a pair of 820 firewalls and convert those firewalls to the ZTP model?

 

 

6 REPLIES 6

Cyber Elite
Cyber Elite

Hi @smelias ,

 

I can't find anything.  It looks like it is not supported -> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/panorama-features/next-generation-f....  However, the PA-400 Series support ZTP natively.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

Hello,

Please take a look and see if these articles will help answer your questions:

 

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/manage-firewalls/set-up-zero-touch-pr...

 

Regards,

Thanks however it doesn't mention converting a traditional 820 into a 820-ZTP model.

 

Can't we reimage a 820 into an 820-ZTP?

 

Cyber Elite
Cyber Elite

Hi @smelias ,

 

Not through any public documentation that I can find.  That is why I said that I don't think it is supported.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

L5 Sessionator

Hi Team.

 

ZTP firewalls have a slightly different physical architecture than other devices. For example, you can't deploy an 820 ZTP and 820 in an HA pair, even if they have the same licenses. Without digging into proprietary info, you won't be able to reimage a non ZTP 820 into one. That will be a separate appliance. 

Help the community! Add tags and mark solutions please.

L4 Transporter

Sorry, I deleted my last comment, as I thought you were trying to turn a ZTP firewall into a non-ZTP firewall. As I understand it, there is a separate physical chip (or chips) on the ZTP firewalls that is not present on non-ZTP models. ZTP models also have a claim code listed on them, which is needed to activate them w/ the ZTP service. The ZTP service at Palo Alto is expecting to match the serial/cliam key w/ a hash in a database when it connects. There isn't a way to make a non-ZTP device use ZTP.

  • 2871 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!