How to disable ZTP on a ZTP firewall

Article ID: 185523

Created On 03/05/21 19:19 PM - Last Modified 06/14/23 22:13 PM

Tags: ZTP | 9.1 | PAN-OS

Objective

To properly disable ZTP on a ZTP enabled firewall.

Environment

Procedure

  1. Access the ZTP firewall via the console and run the disable command for your device model (request disable-ztp or set system ztp disable, depending on the model):

  2. Configure the management interface and default gateway:

    > configure
    # set deviceconfig system ip-address <mgmt-ip> netmask <netmask> default-gateway <gateway> dns-setting servers primary <dns-server>
    # commit
  3. Issue the following commands:

    > set system setting template enable
    > set system setting template disable
    > set system setting shared-policy enable
    > set system setting shared-policy disable
  4. Access the firewall web interface and configure a network interface, a dataplane default gateway, and a zone bound to that interface.

  5. From CLI perform a commit force:

    # commit force

What happens to the default configuration on a ZTP Firewall after ZTP has been disabled?

Article ID: 2148

Created On 02/13/25 20:50 PM - Last Modified 02/20/25 20:20 PM

Tags: Interfaces | Zones | ZTP | PAN-OS

Question

What happens to the default configuration on a ZTP Firewall after ZTP has been disabled?

Environment

A ZTP firewall on which ZTP has been disabled using either request disable-ztp or set system ztp disable, depending on the firewall model.

Answer

When ZTP is disabled on a ZTP firewall, ethernet1/1 and ethernet1/2 are not left at the default interface type of "None"; instead they are pre-configured as a virtual wire (vwire) between the two ports.

The default zone for eth1/1 is untrust and the default zone for eth1/2 is trust.

Example:

admin@PA-5420> show interface all
total configured hardware interfaces: 8
name         id   speed/duplex/state    mac address
--------------------------------------------------------------------------------
ethernet1/1  64   ukn/ukn/down(autoneg) 4A:2F:B7:9E:8C:C1
ethernet1/2  65   ukn/ukn/down(autoneg) 4A:2F:B7:9E:8C:C1
ha1-a        5    ukn/ukn/down(autoneg) 4A:2F:B7:9E:8C:00
ha1-b        7    ukn/ukn/down(autoneg) 4A:2F:B7:9E:8C:00
vlan         1    [n/a]/[n/a]/up        4A:2F:B7:9E:8C:C1
loopback     3    [n/a]/[n/a]/up        4A:2F:B7:9E:8C:06
tunnel       4    [n/a]/[n/a]/up        4A:2F:B7:9E:8C:04
hsci         8    ukn/ukn/down(autoneg) 4A:2F:B7:9E:8C:08
aggregation groups: 0

total configured logical interfaces: 8
name           id   vsys zone             forwarding       tag address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1    64   1    untrust          vwire:ethernet1/2 0      N/A           >>>
ethernet1/2    65   1    trust            vwire:ethernet1/1 0      N/A           >>>
ha1-a          5    1    ha                                0      N/A
ha1-b          7    1    ha                                0      N/A
vlan           1    1    N/A                               0      N/A
loopback       3    1    N/A                               0      N/A
tunnel         4    1    N/A                               0      N/A
hsci           8    1    N/A                               0      N/A

VR default:

admin@PA-5420> show routing fib virtual-router default
total virtual-router shown : 0

No routes:

admin@PA-5420> show routing summary
GLOBAL ROUTING RESOURCE USAGE:
==========
All Routes (total):          0 (limit 200000)
All IPv4 Routes (total):     0 (limit 100000)
All IPv6 Routes (total):     0 (limit 100000)
All Routes (active):         0
==========
Static Routes (total):       0
Connect Routes (total):      0
BGP Routes (total):          0
OSPF Routes (total):         0
RIP Routes (total):          0

SYSTEM RESOURCE USAGE:
==========
File descriptors (total):   24 (limit 8192)
Sockets:                     7

Following are the pre-configured security rules:

admin@PA-5420> show running security-policy

"rule1; index: 1" {
  from trust;
  source any;
  source-region none;
  to untrust;
  destination any;
  destination-region none;
  user any;
  source-device any;
  destination-device any;
  category any;
  application/service 0:any/any/any/any;
  action allow;
  icmp-unreachable: no
  terminal yes;
}

"intrazone-default; index: 2" {
  from any;
  source any;
  source-region none;
  to any;
  destination any;
  destination-region none;
  source-device any;
  destination-device any;
  category any;
  application/service 0:any/any/any/any;
  action allow;
  icmp-unreachable: no
  terminal yes;
  type intrazone;
}

"interzone-default; index: 3" {
  from any;
  source any;
  source-region none;
  to any;
  destination any;
  destination-region none;
  source-device any;
  destination-device any;
  category any;
  application/service 0:any/any/any/any;
  action deny;
  icmp-unreachable: no
  terminal yes;
  type interzone;
}

dynamic url: no

To remove this pre-configuration from the firewall after disabling ZTP, the following configuration-mode commands can be used:

delete rulebase security rule1
delete network virtual-wire default-vwire
delete zone trust
delete zone untrust
delete network interface ethernet ethernet1/1
delete network interface ethernet ethernet1/2
delete network virtual-router default

Note: If a ZTP firewall is already online when ZTP is disabled, this pre-configuration can cause traffic to be black-holed.
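As an added example (not part of this article or of PAN-OS), a small Python audit that parses the two CLI outputs shown above and flags the ZTP leftovers a reviewer would want gone after the disable procedure in the first article: the allow-any rule1 and the ethernet1/1 to ethernet1/2 vwire. The function names and the abridged sample outputs are constructed for this example.

```python
import re
# Constructed sample (abridged) of the post-ZTP "show running security-policy" output on this page.
SAMPLE_POLICY = '''\
"rule1; index: 1" {
  from trust;
  to untrust;
  application/service 0:any/any/any/any;
  action allow;
  icmp-unreachable: no
  terminal yes;
}
"interzone-default; index: 3" {
  from any;
  to any;
  application/service 0:any/any/any/any;
  action deny;
  type interzone;
}
'''
# Constructed sample: logical-interface rows of "show interface all" after ZTP is disabled.
SAMPLE_IFACES = '''\
ethernet1/1    64   1    untrust          vwire:ethernet1/2 0      N/A
ethernet1/2    65   1    trust            vwire:ethernet1/1 0      N/A
ha1-a          5    1    ha                                0      N/A
'''
RULE_RE = re.compile(r'"(?P<name>[^;]+); index: (?P<idx>\d+)" \{(?P<body>.*?)\n\}', re.S)

def parse_rules(text):
    """Turn each rule block into a dict of field -> value (index kept as int)."""
    rules = []
    for m in RULE_RE.finditer(text):
        fields = {"name": m.group("name"), "index": int(m.group("idx"))}
        for line in m.group("body").splitlines():
            line = line.strip().rstrip(";")
            if line:
                key, _, value = line.partition(" ")
                fields[key.rstrip(":")] = value  # "icmp-unreachable: no" has no ';'
        rules.append(fields)
    return rules

def find_ztp_leftovers(text):
    """Explicit allow-any rules (the ZTP rule1 pattern); the typed defaults are skipped."""
    return [r["name"] for r in parse_rules(text)
            if "type" not in r and r.get("action") == "allow"
            and r.get("application/service", "").endswith("any/any/any/any")]

def find_vwire_pairs(text):
    """(interface, zone, peer) for logical interfaces still forwarding over a vwire."""
    return [(p[0], p[3], p[4].split(":", 1)[1]) for p in map(str.split, text.splitlines())
            if len(p) > 4 and p[4].startswith("vwire:")]
```

Paste the real output of the two show commands in place of the samples; an empty result from both functions means the delete commands above took effect.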

Additional Information

Handy commands for ZTP firewalls:

> show system info | match zero-touch-provisioning
> show routing fib virtual-router default
> show virtual-wire all
> show running security-policy
> show interface all
> show routing summary