Zero Touch Provisioning (ZTP) for Palo Alto Networks Firewalls

Overview

Zero Touch Provisioning (ZTP) is a provisioning mechanism that allows unconfigured devices to automatically load deployment files upon power-on, including system software, patches, and configuration files. This eliminates the need for onsite, manual configuration and deployment, reducing labor costs and improving deployment efficiency.

Benefits of ZTP

How ZTP Works

  1. Upon power-on, the device obtains an IP address via DHCP.
  2. The device contacts the Palo Alto Networks ZTP service using preconfigured settings.
  3. The ZTP service authenticates the device using its serial number and claim key.
  4. Once authenticated, the device downloads the necessary configuration files and software updates.
  5. The device applies the configurations and connects to the Panorama management server for centralized management.

Implementing ZTP with Panorama

To set up ZTP with Panorama:

  1. Ensure a DHCP server is available on the network to provide IP addresses to new devices.
  2. Register the device's serial number and claim key in the Palo Alto Networks Customer Support Portal.
  3. In Panorama, add the device using its serial number and claim key.
  4. Assign the device to the appropriate device group and template stack.
  5. Power on the device and connect it to the network; it will automatically retrieve its configuration and connect to Panorama.

Note: Devices onboarded using ZTP cannot be configured in a High Availability (HA) setup until ZTP is disabled on the device.
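
As an added example (not Palo Alto Networks or Panorama code), a pre-staging check for the onboarding steps above: it lints a device manifest before serial numbers and claim keys are registered, and flags any device planned for HA per the note above. The CSV column names, the 12-digit serial and 8-digit claim key patterns, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Assumed formats, not stated on the page; adjust to your hardware.
SERIAL_RE = re.compile(r"\d{12}")
CLAIM_KEY_RE = re.compile(r"\d{8}")
REQUIRED = ("serial", "claim_key", "device_group", "template_stack")

# Constructed sample manifest; column names are hypothetical.
SAMPLE = """\
serial,claim_key,device_group,template_stack,ha_peer
012345678901,12345678,branch-dg,branch-stack,
012345678902,1234567,branch-dg,branch-stack,
012345678901,87654321,branch-dg,branch-stack,
012345678903,11112222,,branch-stack,
012345678904,33334444,dc-dg,dc-stack,012345678905
"""


def lint_manifest(text):
    """Return (line, serial, problem) tuples; claim keys are never echoed."""
    findings, first_seen = [], {}
    for line, raw in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        serial = row.get("serial", "")
        for field in REQUIRED:
            if not row.get(field):
                findings.append((line, serial, f"missing {field}"))
        if serial and not SERIAL_RE.fullmatch(serial):
            findings.append((line, serial, "serial format"))
        key = row.get("claim_key", "")
        if key and not CLAIM_KEY_RE.fullmatch(key):
            findings.append((line, serial, "claim_key format"))
        if serial in first_seen:
            findings.append((line, serial, f"duplicate of line {first_seen[serial]}"))
        elif serial:
            first_seen[serial] = line
        if row.get("ha_peer"):
            # Per the note above: HA is unavailable until ZTP is disabled.
            findings.append((line, serial, "HA planned: disable ZTP first"))
    return findings


if __name__ == "__main__":
    for line, serial, problem in lint_manifest(SAMPLE):
        print(f"line {line}: {serial or '<no serial>'}: {problem}")
```

Because the claim key is what authenticates the device to the ZTP service, the findings report only line numbers and serials, so the output can be shared in a ticket without exposing keys.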

Best Practices

References