Use the CLI for ZTP Tasks

Use the CLI to manage your Zero Touch Provisioning (ZTP) managed firewalls and view the ZTP service status.
Use the following CLI commands to perform Zero Touch Provisioning (ZTP) tasks and view the ZTP service status.
If you want to ...
Use ...
Administer the firewall from the firewall CLI
Display the connection status to the ZTP service.
> show system ZTP status
Display the connection status to the Panorama management server.
> show panorama status
Display the ZTP model number and firewall system information.
> show system info
Enable the ZTP state machine on the firewall.
PA-5400, PA-400, PA-410, PA-1400, and PA-3400 only.
> set system ztp enable
Re-enabling the ZTP state machine initiates a soft factory reset that results in the deletion of the existing firewall configuration.
Disable the ZTP state machine on the firewall.
Disabling the ZTP state machine initiates a soft factory reset that results in the deletion of the existing firewall configuration.
> request disable-ztp
PA-220-ZTP, PA-220R-ZTP, PA-800-ZTP, PA-850-ZTP, PA-3220-ZTP, PA-3250-ZTP, and PA-3260-ZTP only.
You cannot re-enable the ZTP state machine on the firewall after it is disabled from the CLI.
> set system ztp disable
PA-5400, PA-400, PA-410, PA-1400, and PA-3400 only.
Register, configure, and manage your ZTP firewalls from Panorama
Create a device group or template containing the necessary configurations to connect managed firewalls with Panorama using the ZTP service on the Eth1/1 interface.
> request plugins ztp create dgroup-template device-group <device group name>
> request plugins ztp create dgroup-template template <template name>
Add a ZTP firewall to the list of firewalls for future registration with the ZTP service.
> request plugins ztp firewall-add <serial number> claim-key <claim key> 
Modify the serial number of a ZTP firewall that has already been added to the list of firewalls for future registration with the ZTP service.
> request plugins ztp firewall-add-modify firewall <old serial number> claim-key <claim key> new-serial <new serial number>
Delete a ZTP firewall from the list of firewalls for future registration with the ZTP service.
> request plugins ztp firewall-delete firewall <serial number> 
Add a ZTP firewall to the list of firewalls for future re-registration with the ZTP service.
Use this command when a ZTP firewall initially fails registration with the ZTP service and needs.
> request plugins ztp firewall-re-enter-info firewall <serial number> claim-key <claim key>
Register your Panorama™ management server with the ZTP service.
> request plugins ztp panorama-registration
Register a ZTP firewall with the ZTP service.
> request plugins ztp firewall-registration firewall <serial number> claim-key <claim key>
Re-register ZTP firewalls with the ZTP service.
Use this command to start the re-registration process for a ZTP firewall that failed initial registration with the ZTP service.
> request plugins ztp firewall-register-retry firewall <serial number> claim-key <claim key>
Import ZTP firewall serial number and claim key information.
The specified file must be in CSV format.
> request plugins ztp ztp-add-import import-path <file path>
View ZTP firewall information and ZTP service status from Panorama
Retrieve the list of ZTP firewalls registered to the Panorama from the ZTP service.
> request plugins ztp ztp-service-info
The following details are displayed:
  • first-firewall-connect-time—Timestamp of when the ZTP firewall first connected to the ZTP service.
  • last-firewall-connect-time—Timestamp of when the ZTP firewall last connected to the ZTP service.
  • registration-time—Timestamp of when the ZTP firewall registered with the ZTP service.
  • isZTPFirewall—Whether the firewall is a ZTP firewall.
  • created_by—Administrative user that added the ZTP firewall.
  • IP address—IP address of the ZTP firewall.
View the list of ZTP firewalls in the list of firewalls to be registered with the ZTP service.
> show plugins ztp device-add-list
View the registration status of your ZTP firewalls.
> show plugins ztp device-reg-status
View the ZTP service synchronization status for ZTP firewalls.
> request plugins ztp ztp-sync-status
Show the full management plane ZTP connectivity history.
This is helpful for troubleshooting connectivity to the ZTP service.
> tail follow yes mp-log ms.log
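
For the CSV import command above (`request plugins ztp ztp-add-import`), a check to run on the file before importing it. This is an added example, not from the original page or from Palo Alto Networks. It assumes two columns per row (serial number, claim key) with no header row, a 12-digit serial number, and an 8-digit numeric claim key; none of these formats is stated on this page, and the sample rows are constructed.

```python
import csv
import io
import re

# Assumed formats (not stated on the page): 12-digit serial number, 8-digit
# numeric claim key, rows of "serial,claim-key" with no header row.
SERIAL_RE = re.compile(r"\d{12}")
CLAIM_KEY_RE = re.compile(r"\d{8}")

def check_ztp_csv(text):
    """Return (valid_rows, problems) for CSV text of serial,claim-key pairs."""
    valid, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # blank line
        if len(cells) != 2:
            problems.append((lineno, "expected 2 columns, got %d" % len(cells)))
            continue
        serial, key = cells
        if not SERIAL_RE.fullmatch(serial):
            problems.append((lineno, "malformed serial number"))
        elif not CLAIM_KEY_RE.fullmatch(key):
            # The claim key is a credential: report the serial, never the key.
            problems.append((lineno, "malformed claim key for serial " + serial))
        elif serial in seen:
            problems.append((lineno, "duplicate serial " + serial))
        else:
            seen.add(serial)
            valid.append((serial, key))
    return valid, problems

def firewall_add_commands(valid_rows):
    """Render the per-device equivalent of the import, in the page's syntax."""
    return ["request plugins ztp firewall-add %s claim-key %s" % r for r in valid_rows]

# Constructed sample input; the serial numbers and claim keys are made up.
SAMPLE = """\
012345678901,12345678
012345678902,9999999
01234567890A,87654321
012345678901,11112222

012345678903,22223333,extra
012345678904,33334444
"""

if __name__ == "__main__":
    print(*check_ztp_csv(SAMPLE)[1], sep="\n")
```

Treat the CSV file itself as sensitive and remove it from the Panorama host and any staging location after the import, since it holds every claim key in one place.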