What happens to the default configuration on a ZTP Firewall after ZTP has been disabled?
Created On 02/13/25 20:50 PM - Last Modified 02/20/25 20:20 PM
Question
What happens to the default configuration on a ZTP Firewall after ZTP has been disabled?
Environment
A ZTP-capable firewall on which ZTP has been disabled with either "request disable-ztp" or "set system ztp disable" (which command applies depends on the firewall model).
Answer
When ZTP is disabled on a ZTP-capable firewall, ethernet1/1 and ethernet1/2 are not left at the factory default (no configuration). Instead they come pre-configured as a virtual wire (vwire) pair, with ethernet1/1 bound to ethernet1/2 and vice versa.
The pre-configured zone for ethernet1/1 is untrust and the pre-configured zone for ethernet1/2 is trust. A virtual router named "default" also exists, but it holds no routes because the vwire ports carry no IP addresses.
Example:
admin@PA-5420> show interface all
total configured hardware interfaces: 8
name                id    speed/duplex/state       mac address
--------------------------------------------------------------------------------
ethernet1/1         64    ukn/ukn/down(autoneg)    4A:2F:B7:9E:8C:C1
ethernet1/2         65    ukn/ukn/down(autoneg)    4A:2F:B7:9E:8C:C1
ha1-a               5     ukn/ukn/down(autoneg)    4A:2F:B7:9E:8C:00
ha1-b               7     ukn/ukn/down(autoneg)    4A:2F:B7:9E:8C:00
vlan                1     [n/a]/[n/a]/up           4A:2F:B7:9E:8C:C1
loopback            3     [n/a]/[n/a]/up           4A:2F:B7:9E:8C:06
tunnel              4     [n/a]/[n/a]/up           4A:2F:B7:9E:8C:04
hsci                8     ukn/ukn/down(autoneg)    4A:2F:B7:9E:8C:08

aggregation groups: 0

total configured logical interfaces: 8
name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         64    1    untrust          vwire:ethernet1/2        0      N/A                >>>
ethernet1/2         65    1    trust            vwire:ethernet1/1        0      N/A                >>>
ha1-a               5     1                     ha                       0      N/A
ha1-b               7     1                     ha                       0      N/A
vlan                1     1                     N/A                      0      N/A
loopback            3     1                     N/A                      0      N/A
tunnel              4     1                     N/A                      0      N/A
hsci                8     1                     N/A                      0      N/A
VR default (present, but with no routes):
admin@PA-5420> show routing fib virtual-router default
total virtual-router shown : 0

No routes:
admin@PA-5420> show routing summary
GLOBAL ROUTING RESOURCE USAGE:
==========
All Routes (total):        0 (limit 200000)
All IPv4 Routes (total):   0 (limit 100000)
All IPv6 Routes (total):   0 (limit 100000)
All Routes (active):       0
==========
Static Routes (total):     0
Connect Routes (total):    0
BGP Routes (total):        0
OSPF Routes (total):       0
RIP Routes (total):        0
SYSTEM RESOURCE USAGE:
==========
File descriptors (total):  24 (limit 8192)
Sockets:                   7
The following security rules are pre-configured. Only rule1 is added by the ZTP pre-configuration; intrazone-default and interzone-default are the standard built-in rules and remain after rule1 is removed:
admin@PA-5420> show running security-policy
"rule1; index: 1" {
from trust;
source any;
source-region none;
to untrust;
destination any;
destination-region none;
user any;
source-device any;
destination-device any;
category any;
application/service 0:any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
}
"intrazone-default; index: 2" {
from any;
source any;
source-region none;
to any;
destination any;
destination-region none;
source-device any;
destination-device any;
category any;
application/service 0:any/any/any/any;
action allow;
icmp-unreachable: no
terminal yes;
type intrazone;
}
"interzone-default; index: 3" {
from any;
source any;
source-region none;
to any;
destination any;
destination-region none;
source-device any;
destination-device any;
category any;
application/service 0:any/any/any/any;
action deny;
icmp-unreachable: no
terminal yes;
type interzone;
}
dynamic url: no
To remove this pre-configuration after ZTP has been disabled, enter configuration mode, delete the objects in the order below (the rule and the vwire first, because they reference the zones and the interfaces), and commit:

admin@PA-5420> configure
admin@PA-5420# delete rulebase security rules rule1
admin@PA-5420# delete network virtual-wire default-vwire
admin@PA-5420# delete zone trust
admin@PA-5420# delete zone untrust
admin@PA-5420# delete network interface ethernet ethernet1/1
admin@PA-5420# delete network interface ethernet ethernet1/2
admin@PA-5420# delete network virtual-router default
admin@PA-5420# commit

Nothing is removed from the running configuration until the commit succeeds; re-run "show running security-policy" and "show interface all" afterwards to confirm rule1 and the vwire bindings are gone.
Note: If the firewall is already cabled in-line on ethernet1/1 and ethernet1/2 when ZTP is disabled, traffic through those ports can be black-holed by this pre-configuration. The vwire passes only what rule1 allows (sessions initiated from trust, ethernet1/2, toward untrust, ethernet1/1); anything initiated from the untrust side matches interzone-default and is denied. Remove or replace the pre-configuration before relying on these ports.
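As an added check (example code, not part of this article and not a PAN-OS feature): a small Python script that parses captured output of "show interface all" and "show running security-policy" and reports whether the vwire pair, the trust/untrust zones and rule1 are still present. The sample strings are constructed from the PA-5420 output above and trimmed to the fields the check uses; a real capture would come from an SSH session or the XML API "op" command, which this script does not perform.

```python
"""Added example (not from the Palo Alto Networks article): check captured
PAN-OS CLI output for the pre-configuration left behind after ZTP is disabled.

Assumptions: the text was captured from `show interface all` and
`show running security-policy`; the sample strings below are constructed
from the article's PA-5420 output and trimmed to the fields the check uses."""
import re

# Constructed sample: logical-interface table from `show interface all`.
SAMPLE_INTERFACES = """\
total configured logical interfaces: 8
name                id    vsys zone             forwarding               tag    address
------------------- ----- ---- ---------------- ------------------------ ------ ------------------
ethernet1/1         64    1    untrust          vwire:ethernet1/2        0      N/A
ethernet1/2         65    1    trust            vwire:ethernet1/1        0      N/A
ha1-a               5     1                     ha                       0      N/A
hsci                8     1                     N/A                      0      N/A
"""

# Constructed sample: `show running security-policy`, rule bodies trimmed.
SAMPLE_POLICY = """\
"rule1; index: 1" {
from trust;
source any;
to untrust;
destination any;
application/service 0:any/any/any/any;
action allow;
terminal yes;
}
"intrazone-default; index: 2" {
from any;
to any;
action allow;
type intrazone;
}
"interzone-default; index: 3" {
from any;
to any;
action deny;
type interzone;
}
dynamic url: no
"""

# One data-plane ethernet row: name, id, vsys, zone, forwarding. Rows such as
# ha1-a have an empty zone column, so only ethernet* rows are matched.
IFACE_ROW = re.compile(
    r"^(?P<name>ethernet\S+)\s+(?P<id>\d+)\s+(?P<vsys>\d+)\s+(?P<zone>\S+)\s+(?P<fwd>\S+)",
    re.M,
)
# One rule block: "<name>; index: <n>" { key value; ... }
RULE_BLOCK = re.compile(r'"(?P<name>[^;"]+); index: (?P<index>\d+)" \{(?P<body>[^}]*)\}')


def parse_interfaces(text):
    """Map ethernet interface name -> {zone, forwarding} from the logical table."""
    return {m["name"]: {"zone": m["zone"], "forwarding": m["fwd"]}
            for m in IFACE_ROW.finditer(text)}


def parse_security_policy(text):
    """Turn each rule block into a dict of its 'key value' lines."""
    rules = []
    for m in RULE_BLOCK.finditer(text):
        rule = {"name": m["name"], "index": int(m["index"])}
        for line in m["body"].splitlines():
            line = line.strip().rstrip(";")
            if line:
                key, _, value = line.partition(" ")
                rule[key] = value
        rules.append(rule)
    return rules


def check_ztp_default(iface_text, policy_text):
    """Report which pieces of the ZTP-disable pre-configuration are still present."""
    ifaces = parse_interfaces(iface_text)
    e1 = ifaces.get("ethernet1/1", {})
    e2 = ifaces.get("ethernet1/2", {})
    rules = parse_security_policy(policy_text)
    rule1 = next((r for r in rules if r["name"] == "rule1"), None)
    findings = {
        "default_vwire": (e1.get("forwarding") == "vwire:ethernet1/2"
                          and e2.get("forwarding") == "vwire:ethernet1/1"),
        "default_zones": (e1.get("zone") == "untrust" and e2.get("zone") == "trust"),
        "rule1_allows_trust_to_untrust": bool(
            rule1 and rule1.get("from") == "trust" and rule1.get("to") == "untrust"
            and rule1.get("action") == "allow"),
    }
    findings["preconfig_present"] = any(findings.values())
    return findings


if __name__ == "__main__":
    for key, present in check_ztp_default(SAMPLE_INTERFACES, SAMPLE_POLICY).items():
        print(f"{key}: {present}")
```

Run it against a capture taken right after disabling ZTP and every finding is True; run it again after the delete commands have been committed and all three should be False. The regexes are anchored on the column layout of the article's output, so re-check them if your PAN-OS version prints the tables differently.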
Additional Information
Handy commands for ZTP firewalls:
>show system info | match zero-touch-provisioning
>show routing fib virtual-router default
>show virtual-wire all
>show running security-policy
>show interface all
>show routing summary