ZTP Models can be deployed as a traditional models?

Showing results for 
Show  only  | Search instead for 
Did you mean: 

ZTP Models can be deployed as a traditional models?

L1 Bithead

Hello guys, I want to know if someone has seen this behavior with Port Management Configuration on ZTP NGFW Models ... The IP address, Netmask and gateway shows an incorrect value or Unknown, but the CLI shows the correct configuration parameters. We previously performed a "request disable-ztp" besides "Disable Device and Network Template" and "Disable Panorama Policy and Objects" on Panorama Settings. We thought that this behavior is causing problems when we trying to add a PA-3260-ZTP as a managed device on Panorama.





Cyber Elite
Cyber Elite

So from th CLI you see that the firewall is configured correctly right and it has full configuration? I also see that  you have GUI picture so you can access the managment ip even if the gui shows no IP? I am asking because when I see  unknown fo interfaces I do a factory default reset on the firewall but first I save the config snapshot or/and device state (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clkn) and load it again after the reset 🙂

Hi Nikolay


Thanks for your reply. Please let me know if you have seen this behavior of "Unknown Mgmt IP info on GUI" when you're deploying ZTP models in a traditional way. If I reset to factory default a ZTP Model, it comes back to the original ZTP state according to the notes in the procedure "Disable the ZTP state machine on the firewall" and I think the issue is related to this ZTP pre-configured template.



We had an issue like that without ZTP deployment but we seen it in the CLI as well so we did factory default reset.


Did you test restarting just the web service or managment server as it seems a GUI issue:









Also you can run Validate Changes to see if  the ZTP intoduced a bad config(you may need to make a small change before that to be able to validate)






 There is a bug  PAN-160870 when deploying the ZTP firewalls in the normal way so you can check it and test the workaround:






Otherwise of that check with the TAC.

Hello Nikolay, thanks for your all advices , we're going to test those suggestions, until we can check with TAC in a Live Meeting. I'll let you know when we have more clues about the issue with these ZTP models.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!