05-08-2024 06:48 AM
Hi All,
So we are in the process of deploying a few brand new PA 1410s out the box.
During initial bootup the field engineer connects with the console cable, and is then asked to install either ZTP mode or standard mode.
Engineer selects standard mode and proceeds.. all good.
Once mgmt IP is configured I can then connect remotely and do the config.
However, I noticed that there is ZTP-based config auto-configured.. the Palo (PAN-OS 11.0.0 out the box) installs a loopback.900 interface with a 100.64.x.x IP and a ZTP VR route.
The service route is also set to custom and I cannot set it to default. I have to change the custom routes individually to default, else it tries to talk from the loopback interface.
I also checked in the CLI using 'show system ztp status' and it is showing as being disabled.
Is it normal that it adds some ZTP config into the base config or is it maybe a bit buggy?
So now I have to try and work around the ZTP config and override the settings to make changes. Bit of a headache.
Any ideas?
Have included some screenshots FYI.
Thanks in adv
05-08-2024 10:39 AM
Hi @PA_nts ,
I ran into the same issue a little while ago. Issuing the commands in step 3 should remove the configuration for you.
It used to be that disabling ZTP was all you needed. Weird. This may be a PAN-OS 11 thing.
Thanks,
Tom
05-08-2024 11:17 PM
Hi Tom,
Awesome, thanks, that worked.. using the following commands in step 3:
admin@FW1> set system setting template enable
Template already enabled
admin@FW-1> set system setting template disable
Template disabled
admin@FW-1> set system setting shared-policy enable
Shared policy already enabled
admin@FW-1> set system setting shared-policy disable
Shared policy disabled
admin@FW-1>
I was not able to force a commit on CLI.. as the service route still had references to the loopback.
So I just logged in via GUI again, changed the service route to use mgmt interface for all and was able to commit the policy. But this was on 1/2 FWs only.. the other one was fine. So definitely something weird on 11.0.0 going on.
We are doing 2 more over the next couple of days.. will try and see how it works on these and post anything of interest.
Thanks
05-09-2024 05:59 AM
Update on this..
So today we deployed another FW out the box.. same process, however this time at first logon I did the step 3 commands.. all worked but still unable to commit as it removed the interface configs etc. and was complaining about invalid config when committing...
Workaround was to manually add an interface on the device and create a new zone.. once done I was able to commit the policy..
After that I did the device registration, license and content downloads followed by PAN-OS upgrade.
Seems to be OK now and ready for action.