Register Panorama with the ZTP Service for Existing Deployments
Register the Panorama™ management server with the ZTP service for existing ZTP deployments.
After you install the ZTP plugin on the Panorama™ management server, you must register Panorama with the ZTP service so that the ZTP service can associate firewalls with Panorama. As part of the registration process, add your ZTP firewalls to a device group and template that contain the required ZTP configuration; this configuration is what allows your ZTP firewalls to keep communicating with the ZTP service after they first connect to Panorama.
  1. Install the Panorama Device Certificate.
  2. Log in to the Palo Alto Networks Customer Support Portal (CSP).
  3. Associate your Panorama with the ZTP Service on the Palo Alto Networks CSP.
    The ZTP Service supports associating up to two Panoramas only if they are in a high availability (HA) configuration. If Panorama is not in an HA configuration, only a single Panorama can be associated.
    1. Select Assets > ZTP Service and Modify Association.
    2. Select the serial number of the Panorama managing your ZTP firewalls.
    3. (HA only) Select the serial number of the Panorama HA peer.
    4. Click OK.
  4. Log in to the Panorama Web Interface.
  5. Select Panorama > Zero Touch Provisioning > Setup and edit the General ZTP settings.
  6. Register Panorama with the ZTP service.
    1. Enable ZTP Service.
    2. Enter the Panorama FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama the ZTP plugin is installed on and that the CSP pushes to the ZTP firewalls.
      (All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
      If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
    3. (HA only) Enter the Peer FQDN or IP Address.
      This is the FQDN or public IP address of the Panorama peer on which the ZTP plugin is installed and that the CSP pushes to the ZTP firewalls in case of failover.
      (All ZTP-enabled managed firewalls) Enter the Panorama IP address to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
      If you need to use the Panorama FQDN, configure a static destination route to avoid the managed firewall disconnecting from Panorama on reboot or after a successful PAN-OS upgrade.
    4. Click OK to save your configuration changes.
  7. Add your ZTP firewalls to the device group and template that will contain the required ZTP configuration.
    1. Select Panorama > Device Groups and select the device group that will contain the required ZTP configuration.
    2. Select the ZTP Devices.
    3. Click OK to save your configuration changes.
    4. Select Panorama > Templates and select the template stack that contains the template that will have the required ZTP configuration.
    5. Select the ZTP Devices.
    6. Click OK to save your configuration changes.
  8. Modify your device groups and templates as needed.
    When considering your device group hierarchy and the template priority in your template stack, ensure that the device group and template containing the required ZTP configuration (the configuration that allows the ZTP firewall and Panorama to communicate) take priority, so that conflicting configuration elsewhere in the hierarchy or stack cannot override it.
    1. Configure the Ethernet1/1 interface.
      1. Select Network > Interfaces > Ethernet, select a Template to contain your ZTP configuration and select ethernet1/1.
      2. For Interface Type, select Layer3.
      3. Select Config and configure a Virtual Router and set the Security Zone to Untrust.
      4. Select IPv4 and for the Type, select DHCP Client.
        A DHCP client is required for the ZTP firewalls to communicate with the ZTP service.
      5. Press OK to save your configuration changes.
    2. Create the loopback interface.
      1. Select Network > Interfaces > Loopback, select a Template to contain your ZTP configuration and Add a loopback interface.
      2. For the Interface Name, enter loopback and enter 900 as the suffix (loopback.900).
      3. Select Config, select a Virtual Router, and set the Security Zone to Trust.
      4. Press OK to save your configuration changes.
    3. Create the Security policy rule to allow the ZTP firewall and Panorama to communicate.
      1. Select Policies > Security > Pre Rules, select the Device Group to contain your ZTP policy rules, and Add a new rule.
      2. Enter a descriptive Name for the policy rule.
      3. Select Source > Source Zone and Add the Trust zone.
      4. Select Destination > Destination Zone and Add the Untrust zone.
      5. Select Action > Action Settings > Action and select Allow.
    4. Create the NAT policy rule to allow the ZTP firewall and Panorama to communicate.
      1. Select Policies > NAT > Pre Rules, select the Device Group to contain your ZTP policy rules, and Add a new rule.
      2. Enter a descriptive Name for the policy rule.
      3. Select Original Packet and configure the following:
        1. For the Source Zone, Add the Trust zone.
        2. For the Destination Zone, select the Untrust zone.
        3. For the Destination Interface, select the ethernet1/1 interface.
      4. Click OK to save your configuration changes.
  9. Select Commit > Commit to Panorama.
  10. Sync to ZTP Service and verify that the Panorama Sync Status displays as In Sync.
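The procedure above ends with a set of objects that must exist in the ZTP template and device group (Layer3 DHCP client on ethernet1/1 in Untrust, loopback.900 in Trust, a Trust-to-Untrust allow pre-rule, a NAT pre-rule that exits via ethernet1/1) plus the IP-not-FQDN caveat for the Panorama address. The script below is an added example, not Palo Alto Networks code, that checks those prerequisites against a configuration export; the XML fragment is constructed and simplified, and the element paths are assumptions that need adjusting to the layout of a real export.

```python
"""Check a Panorama config export for the ZTP prerequisites in the procedure above.
The XML layout is a constructed, simplified stand-in for the PAN-OS config tree;
element paths are assumptions, adjust them to a real export before use."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: what the template and device group contain after step 8.
SAMPLE_CONFIG = """
<config>
  <template name="ZTP-Template">
    <network><interface>
      <ethernet><entry name="ethernet1/1"><layer3><dhcp-client><enable>yes</enable></dhcp-client></layer3></entry></ethernet>
      <loopback><units><entry name="loopback.900"/></units></loopback>
    </interface></network>
    <zone>
      <entry name="Untrust"><layer3><member>ethernet1/1</member></layer3></entry>
      <entry name="Trust"><layer3><member>loopback.900</member></layer3></entry>
    </zone>
  </template>
  <device-group name="ZTP-DG"><pre-rulebase>
    <security><rules><entry name="ZTP-Allow"><from><member>Trust</member></from><to><member>Untrust</member></to><action>allow</action></entry></rules></security>
    <nat><rules><entry name="ZTP-NAT"><from><member>Trust</member></from><to><member>Untrust</member></to><to-interface>ethernet1/1</to-interface></entry></rules></nat>
  </pre-rulebase></device-group>
  <ztp><panorama-address>203.0.113.10</panorama-address></ztp>
</config>
"""

def check_ztp_prereqs(xml_text):
    """Return a list of findings; an empty list means every prerequisite holds."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("template/network/interface/ethernet/entry[@name='ethernet1/1']/layer3/dhcp-client/enable") != "yes":
        findings.append("ethernet1/1 is not a Layer3 DHCP client")
    if root.find("template/network/interface/loopback/units/entry[@name='loopback.900']") is None:
        findings.append("loopback.900 is missing")
    # Map interface -> zone so both zone assignments can be checked.
    zones = {m.text: z.get("name") for z in root.iterfind("template/zone/entry") for m in z.iterfind("layer3/member")}
    if zones.get("ethernet1/1") != "Untrust":
        findings.append("ethernet1/1 is not in zone Untrust")
    if zones.get("loopback.900") != "Trust":
        findings.append("loopback.900 is not in zone Trust")
    sec = [r for r in root.iterfind("device-group/pre-rulebase/security/rules/entry")
           if r.findtext("from/member") == "Trust" and r.findtext("to/member") == "Untrust" and r.findtext("action") == "allow"]
    if not sec:
        findings.append("no Trust->Untrust allow security pre-rule")
    nat = [r for r in root.iterfind("device-group/pre-rulebase/nat/rules/entry")
           if r.findtext("from/member") == "Trust" and r.findtext("to/member") == "Untrust" and r.findtext("to-interface") == "ethernet1/1"]
    if not nat:
        findings.append("no Trust->Untrust NAT pre-rule with destination interface ethernet1/1")
    addr = root.findtext("ztp/panorama-address") or ""
    try:  # the page recommends an IP address; an FQDN needs a static destination route
        ipaddress.ip_address(addr)
    except ValueError:
        findings.append(f"Panorama address '{addr}' is an FQDN, not an IP: configure a static destination route")
    return findings
```

Run `check_ztp_prereqs(SAMPLE_CONFIG)` after replacing the sample with your own export; each finding names the step above that still needs attention.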