03-19-2021
07:37 AM
- last edited on
06-03-2021
07:59 PM
by
icharkashy
Hello guys, I want to know if someone has seen this behavior with Port Management Configuration on ZTP NGFW Models ... The IP address, Netmask and gateway shows an incorrect value 0.0.0.0 or Unknown, but the CLI shows the correct configuration parameters. We previously performed a "request disable-ztp" besides "Disable Device and Network Template" and "Disable Panorama Policy and Objects" on Panorama Settings. We thought that this behavior is causing problems when we trying to add a PA-3260-ZTP as a managed device on Panorama.
03-21-2021 03:08 PM
So from th CLI you see that the firewall is configured correctly right and it has full configuration? I also see that you have GUI picture so you can access the managment ip even if the gui shows no IP? I am asking because when I see unknown fo interfaces I do a factory default reset on the firewall but first I save the config snapshot or/and device state (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clkn) and load it again after the reset 🙂
03-22-2021 09:15 AM
Hi Nikolay
Thanks for your reply. Please let me know if you have seen this behavior of "Unknown Mgmt IP info on GUI" when you're deploying ZTP models in a traditional way. If I reset to factory default a ZTP Model, it comes back to the original ZTP state according to the notes in the procedure "Disable the ZTP state machine on the firewall" and I think the issue is related to this ZTP pre-configured template.
03-22-2021 09:54 AM - edited 03-22-2021 10:20 AM
We had an issue like that without ZTP deployment but we seen it in the CLI as well so we did factory default reset.
Did you test restarting just the web service or managment server as it seems a GUI issue:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaGCAS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POIHCA4
Also you can run Validate Changes to see if the ZTP intoduced a bad config(you may need to make a small change before that to be able to validate)
There is a bug PAN-160870 when deploying the ZTP firewalls in the normal way so you can check it and test the workaround:
Otherwise of that check with the TAC.
03-22-2021 12:57 PM
Hello Nikolay, thanks for your all advices , we're going to test those suggestions, until we can check with TAC in a Live Meeting. I'll let you know when we have more clues about the issue with these ZTP models.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!