Panorama Administrator's Guide
    : Configure ZTP for Firewalls in HA
    Focus
    Download PDF
    Focus
    1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Manage Firewalls
    5. Set Up Zero Touch Provisioning
    6. Configure ZTP for Firewalls in HA
    Download PDF

    Panorama Administrator's Guide

    Configure ZTP for Firewalls in HA

    Table of Contents

    Configure ZTP for Firewalls in HA

    ZTP enables automatic configuration of firewalls without manual intervention while maintaining security policy consistency. You can configure ZTP for HA configurations.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama)
    • Device management license
    • Support license
    • Claim key
    • Auth code
    For high availability environments, ZTP supports configurations with both the paired Panorama appliances and firewalls, ensuring continuity of management capabilities. The system requires proper network connectivity between Panorama, the ZTP Service, and the firewalls being provisioned.
    Before you can successfully add a ZTP firewall to Panorama, you must ensure that a Dynamic Host Configuration Protocol (DHCP) server is deployed on the network. A DHCP server is required to successfully onboard a ZTP firewall to Panorama. The ZTP firewall is unable to connect to the Palo Alto Networks ZTP service to facilitate onboarding without a DHCP server.
    For ZTP firewalls in an HA configuration, you must use the ethernet0 interface for management operations. ZTP supports only active/passive HA configurations and not active/active HA configurations.
    1. Configure Panorama for the ZTP Service.
      1. Log in to the Panorama web interface as a Superuser or Panorama administrator.
      2. Install the Panorama Device Certificate.
      3. Install the ZTP Plugin.
    2. Log in to the Palo Alto Networks Customer Support Portal (CSP).
    3. Associate your Panorama with the ZTP Service on the Palo Alto Networks CSP.
    4. Log in to the Panorama web interface again.
    5. Select PanoramaZero Touch ProvisioningSetup and edit the General ZTP settings.
    6. Register Panorama with the ZTP service.
    7. Add the ZTP firewalls (active peer) to Panorama.
      1. Select Zero Touch ProvisioningFirewall Registration and click Add.
      2. Enter the Serial Number of the ZTP firewall.
      3. Enter the Claim Key for the ZTP firewall provided by Palo Alto Networks. The eight-digit numeric claim key is printed on a physical label attached to the back of the ZTP firewall you received from Palo Alto Networks.
      4. Click OK to save your configuration changes.
      5. Select the newly added ZTP firewall and Register the firewall.
      6. When prompted, click Yes to confirm registering the ZTP firewall.
    8. Add the ZTP firewalls (passive peer) to Panorama.
      Repeat step 7.
    9. Verify the firewall successfully registered with the CSP.
      Select Registration Status and verify that the ZTP firewall successfully registered with the CSP.
      Registration is required to obtain the device certificate.
    10. (Optional) Add a Device Group.
      You can either add a new Device Group or use an existing one.
      1. Select PanoramaDevice Groups and click Add.
      2. Enter a unique Name and a Description to identify the device group and click OK.
      3. Add Security Policy Rules to the Device Group.
    11. (Optional) Configure the template and template stack for the active primary firewall. You can configure new templates and template stacks or use existing ones.
      Add a template.
      1. Select PanoramaTemplates.
      2. Click Add and enter a unique Name to identify the template and click OK.
      Create a template stack and add the template generated in the previous step.
      1. Select PanoramaTemplates and click Add Stack.
      2. Enter a descriptive Name for the template stack.
      3. (PAN-OS 11.2 and later releases) Check (enable) Automatically push content when software device registers to Panorama.
      4. In the Templates, add the template generated in the previous step and click OK.
      5. Select DeviceSetupInterfaces.
      6. From the Template drop-down, select the Template you created.
      7. Select the Management interface and choose IPv4 as the DHCP Client. For more information on how to configure connection settings, see Device > Setup > Interfaces.
      8. Select NetworkInterfacesTemplate and then from Template the drop-down select target Template.
      9. Configure the eth1/1 interface and set the interface type to Layer3 or HA. For more information on configuring interfaces, see Network > Interfaces.
      10. Select DeviceHigh Availability and configure the HA settings for the active template.
    12. (Optional) Configure the template and template stack for the passive firewall.
      Repeat step 11.
    13. Add the ZTP firewalls (HA Pair) to the device group and template stack.
      1. Select PanoramaManaged DevicesSummary.
      2. Select the ZTP firewalls and click Reassociate.
      3. Select the respective device group and template stacks. Select the active template stack for the active firewall and the passive template for the passive firewall.
      4. Check (enable) Auto Push on 1st Connect to automatically push the device group and template stack configurations when the ZTP firewall successfully connects to Panorama for the first time and click OK.
      5. Select Commit Commit to Panorama and commit your changes.
    14. Connect the eth1/1 interface and the management interface of the ZTP firewall to the management network.
    15. Power on the ZTP firewall. Wait for the ZTP firewall to finish powering on.
    16. Monitor the ZTP process.

    © 2025 Palo Alto Networks, Inc. All rights reserved.