- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- 5G
- IoT Security
- Prisma SD-WAN
Network Security
- Prisma Access
- Prisma SaaS
- Prisma Cloud
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- ZTP Models can be deployed as a traditional models?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
ZTP Models can be deployed as a traditional models?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-19-2021 07:37 AM
Hello guys, I want to know if someone has seen this behavior with Port Management Configuration on ZTP NGFW Models ... The IP address, Netmask and gateway shows an incorrect value 0.0.0.0 or Unknown, but the CLI shows the correct configuration parameters. We previously performed a "request disable-ztp" besides "Disable Device and Network Template" and "Disable Panorama Policy and Objects" on Panorama Settings. We thought that this behavior is causing problems when we trying to add a PA-3260-ZTP as a managed device on Panorama.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
03-21-2021 03:08 PM
So from th CLI you see that the firewall is configured correctly right and it has full configuration? I also see that you have GUI picture so you can access the managment ip even if the gui shows no IP? I am asking because when I see unknown fo interfaces I do a factory default reset on the firewall but first I save the config snapshot or/and device state (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clkn) and load it again after the reset
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
a month ago
Hi Nikolay
Thanks for your reply. Please let me know if you have seen this behavior of "Unknown Mgmt IP info on GUI" when you're deploying ZTP models in a traditional way. If I reset to factory default a ZTP Model, it comes back to the original ZTP state according to the notes in the procedure "Disable the ZTP state machine on the firewall" and I think the issue is related to this ZTP pre-configured template.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
a month ago - last edited a month ago
We had an issue like that without ZTP deployment but we seen it in the CLI as well so we did factory default reset.
Did you test restarting just the web service or managment server as it seems a GUI issue:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClaGCAS
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POIHCA4
Also you can run Validate Changes to see if the ZTP intoduced a bad config(you may need to make a small change before that to be able to validate)
There is a bug PAN-160870 when deploying the ZTP firewalls in the normal way so you can check it and test the workaround:
Otherwise of that check with the TAC.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
a month ago
Hello Nikolay, thanks for your all advices , we're going to test those suggestions, until we can check with TAC in a Live Meeting. I'll let you know when we have more clues about the issue with these ZTP models.
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
4 weeks ago
Any news about what is the issue as I am also interested in what it could be
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
2 weeks ago
Hello Nikolay
We're still waiting for a fix in the next PAN-OS 9.1 release (9.1.9). Apparently, the WebUI Mgmt "Unknown" Issue is related to bug PAN-156264. This behavior doesn't permit add PAs as a managed devices on Panorama in a traditional way.
We tried the PAN-160870 Workaround to disable ZTP Pre-configuration but it didn't work after reboot the PAs. Using the ZTP plugin to deploy PAs works, but still keeping requiring the ZTP DG and Template configuration to avoid the PAN-160870 issue after finishing the deployment and it does not make much sense to me.
As soon as I have news I'll let you know.
- Json Error when sending POST request to https://api.prismacloud.io/search/config in Prisma Cloud Discussions
- Understanding Panorama Log Ingenstion & Sizing in General Topics
- Migration of Palo Alto VM series from one host to another in General Topics
- A/A vWire Deployment Forwarding MAC Address on HA Links? in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
