I just ran into a partially working Palo Alto firewall — a PA-1410 shipped with PAN-OS 11.0.3-h10 and ZTP (Zero-Touch Provisioning) enabled — as I exited ZTP mode to configure the firewall in standalone mode. However, this config shortcut did not work as expected. :(
On the very first boot, I connected via the console port and exited ZTP mode:
Do you want to exit ZTP mode and configure your firewall in standard mode (yes/no)[no]?:yes
Warning: You have selected to provision the firewall in standard mode.
Do you want to continue (y/n)?:y
[ OK ]
After that, I configured the management interface and performed a commit. However, some of the initial ZTP configuration snippets were still there — mostly within the service routes configuration, which I honestly didn’t expect at first glance. 🤦♂️
It took me quite some time to troubleshoot this issue, since I could reach the management interface via ping/HTTPS/SSH (hence layer 3 was working fine!), but had no outgoing connectivity at all — neither DNS nor ping. For example, a ping on the mgmt port ended up with this:
admin@PA-1410> ping host heise.de
ping: heise.de: System error
Asking the Internet brought me to this LIVEcommunity question (which talks about a PA-1410 as well 🤔) and to this KB article.
In the end, I simply ran this CLI command again:
set system ztp disable
The firewall immediately forced a reboot. After that reboot (and after changing the admin password again), the firewall was finally really in standalone mode.
Note that this KB article from PANW suggests the following settings in step 3, but I don’t know why:
set system setting template enable
set system setting template disable
set system setting shared-policy enable
set system setting shared-policy disable
In fact, the firewall already reboots after the set system ztp disable command. And both settings (template & shared-policy) are already enabled. Why should I disable them in the end, since I probably want to connect the firewall to a Panorama?
TL;DR: The initial PANW wizard doesn’t completely disable ZTP mode. You’ll need to run set system ztp disable manually — in any case!
Soli Deo Gloria!
Photo by Dustin Tramel on Unsplash.
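A quick way to spot leftover service routes in an exported configuration, as an added example that is not from the original post or from Palo Alto Networks. It assumes service routes are stored under deviceconfig/system/route/service in the exported XML; the sample config and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real device. Assumed layout: service routes
# sit under deviceconfig/system/route/service in the exported configuration XML.
SAMPLE_CONFIG = """
<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <route>
            <service>
              <entry name="dns"><source><interface>ethernet1/1</interface></source></entry>
              <entry name="panorama"><source><interface>ethernet1/1</interface></source></entry>
            </service>
          </route>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

SERVICE_PATH = "./devices/entry/deviceconfig/system/route/service/entry"


def service_routes(xml_text):
    """Return every service route as (service, source interface, source address)."""
    root = ET.fromstring(xml_text.strip())
    found = []
    for entry in root.findall(SERVICE_PATH):
        for tag in ("source", "source-v6"):  # IPv4 and IPv6 source settings
            src = entry.find(tag)
            if src is not None:
                found.append((entry.get("name"),
                              src.findtext("interface", default="").strip(),
                              src.findtext("address", default="").strip()))
    return found


def leftover_routes(xml_text, configured_on_purpose=()):
    """Service routes that the administrator did not set deliberately."""
    return [r for r in service_routes(xml_text) if r[0] not in configured_on_purpose]


if __name__ == "__main__":
    for service, interface, address in leftover_routes(SAMPLE_CONFIG):
        print(f"review service route: {service} via {interface or '?'} {address}")
```

On a firewall that was just switched to standalone mode and has no service routes set on purpose, any entry this reports is worth reviewing before troubleshooting DNS or ping from the management plane.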



Hi Johannes, the recommendation for disabling template and shared policy is due to a bug in older PAN-OS releases, iirc 10.1.x. This bug caused the firewall, even after “set system ztp disable” and the necessary reboot, to keep these ZTP config snippets. Temporarily disabling template and shared policy removes these ZTP config snippets from the firewall. Of course, don't import the settings to your local config at this point!! You can enable template and shared policy again directly and connect to Panorama or SCM afterwards as normal.
Ah, great, thanks for that, Sascha!
Though I would still think that it must be a disable/enable rather than an enable/disable, or?
Yes, correct, seems to be the wrong order in the KB. Templates and shared policy are enabled by default. They must be disabled first and then enabled to work around this specific bug.