Bootstrapping VM-Series Firewalls

Overview

Bootstrapping allows you to create a repeatable and streamlined process of deploying new VM-Series firewalls on your network. It enables you to create a package with the model configuration for your network and then use that package to deploy VM-Series firewalls anywhere.

Benefits

Automated Deployment: Reduces manual configuration efforts by automating the initial setup.
Consistency: Ensures uniform configurations across multiple deployments.
Scalability: Facilitates large-scale deployments with minimal manual intervention.
Integration: Seamlessly integrates with Panorama for centralized management.

Bootstrapping Workflow

Choose a bootstrap method: basic or complete configuration.
Generate a VM auth key on Panorama if integrating with Panorama.
Prepare the necessary configuration files: init-cfg.txt and optionally bootstrap.xml .
Organize the bootstrap package with the required directory structure.
Deploy the VM-Series firewall using the prepared bootstrap package.
Verify the bootstrap process completion.

Bootstrap Package Structure

The bootstrap package must include the following top-level directories:

/config : Contains configuration files like init-cfg.txt and bootstrap.xml .
/license : Holds license files or authorization codes.
/software : Includes PAN-OS software images.
/content : Contains content updates such as threat and application signatures.
/plugins (optional): Stores VM-Series plugin files.

Each folder can be left empty if not used, but the directory structure must be present.

Configuration Files

init-cfg.txt

This file provides the basic information the firewall needs to connect to your network. Key parameters include:

hostname : Sets the firewall's hostname.
ip-address : Assigns a static IP address to the management interface.
netmask : Specifies the subnet mask.
default-gateway : Defines the default gateway.
panorama-server : Lists Panorama server IP addresses.
vm-auth-key : Includes the VM auth key for Panorama integration.
dhcp-enable : Enables DHCP on the management interface if set to yes .

For a complete list of parameters and their descriptions, refer to the official documentation.

bootstrap.xml

This optional file contains the complete configuration for the firewall, including network settings, security policies, and objects. When used, it allows the firewall to be fully configured upon boot-up without requiring Panorama.

Deployment Methods

Bootstrapping can be performed on various platforms, including:

AWS: Utilize S3 buckets to store the bootstrap package and specify the path during instance launch.
Azure: Use Azure Files to host the bootstrap package and provide access details during deployment.
Google Cloud Platform (GCP): Store the bootstrap package in Cloud Storage and reference it during VM creation.
ESXi: Attach an ISO or virtual disk containing the bootstrap package during VM deployment.
Hyper-V: Similar to ESXi, use an ISO or virtual disk with the bootstrap package.
KVM: Mount a virtual disk with the bootstrap package during VM creation.

The specific steps may vary based on the platform; consult the respective deployment guides for detailed instructions.

Best Practices

Maintain Directory Structure: Ensure the bootstrap package includes the required top-level directories: /config , /license , /software , and /content . Even if some directories are empty, their presence is necessary for successful bootstrapping. The /plugins directory is optional.
Use Specific init-cfg.txt Filenames: For deployments involving multiple firewalls, consider naming the init-cfg.txt file with the firewall's serial number or UUID (e.g., 0008C100105-init-cfg.txt ). This allows each firewall to retrieve its specific configuration during bootstrapping.
Validate Configuration Files: Before deployment, verify the syntax and parameters within init-cfg.txt and bootstrap.xml to prevent bootstrapping errors.
Secure Access to Bootstrap Package: When hosting the bootstrap package in cloud storage (e.g., AWS S3, Azure Files), ensure proper access permissions are set. For instance, in AWS, configure IAM roles with policies granting s3:ListBucket and s3:GetObject permissions to allow the firewall to access the necessary files.
Monitor Bootstrapping Process: After deployment, monitor the firewall's system logs to confirm successful bootstrapping. Use commands like show system bootstrap status to check the status and troubleshoot if necessary.