Create a Custom VM-Series Firewall Image for Google Cloud Platform
Learn how to create a custom VM-Series image starting
from a VM-Series image deployed from the Google Cloud Platform Marketplace.
Palo Alto Networks posts VM-Series firewall
base image versions or minor versions with critical fixes (such
as PAN-OS 11.0) on the Google Cloud Platform (GCP) Marketplace. These versions are available when
you deploy a VM-Series firewall from the GCP Marketplace. However,
you might need to deploy a PAN-OS version that is earlier or later
than the Marketplace version.
To deploy a VM-Series firewall version that is not available on the Marketplace, you can create a
custom VM-Series firewall image with a BYOL license.
The basic
steps to create a custom firewall from a firewall instance are as
follows:
- Deploy a new firewall from the GCP Marketplace.
- Activate your firewall license, download your desired PAN-OS software version to your firewall, use Dynamic Update to update your Applications and Threats content, and deactivate the firewall license.
- Perform a private data reset from the GCP console.
- Create a custom image from the upgraded firewall.
- Before you create your custom image, review your accounts, plan and create the networks for the VM-Series firewall deployment, and plan your network interfaces.
- Deploy the VM-Series firewall from the GCP Marketplace. You cannot create an image from an existing firewall. Starting from the GCP Marketplace ensures that your custom image can be licensed.
- (BYOL Only) Activate the license.
  - Log in to the firewall.
  - Select Device > Licenses and activate the license. The firewall reboots when licensing is complete.
- Upgrade to your preferred PAN-OS version and install software updates.
  - Select Device > Software > Check Now and download your required PAN-OS version. If you do not see the version you want, download it from the Palo Alto Networks customer support website as follows.
    - Log in and select Updates > Software Updates. From the Filter By list, choose PAN-OS for VM-Series.
    - Select a PAN-OS version and download it to your local machine.
    - On your VM-Series firewall, select Device > Software and Upload your PAN-OS version from your local machine to your device.
    - Install your chosen version.
  - Upgrade the PAN-OS software version.
  - Select Device > Dynamic Updates and upgrade your Applications and Threats and any other content you want to include in your base image.
- (BYOL Only) Deactivate the VM from the firewall. If you do not deactivate the license, you lose the license that you applied on your firewall instance.
  - Select Device > Licenses and under License Management, select Deactivate VM.
  - Select Complete Manually, and Export the license token.
  - Return to the Palo Alto Networks customer support website, select Assets > VM-Series Auth-Codes > Deactivate License(s) and upload the license token.
- Perform a private data reset. A private data reset removes all logs and restores the default configuration. The system disks are not erased, so the content updates from Step 4 are intact.
  - Access the firewall CLI and keep it active.
  - From the GCP console, delete SSH keys from your VM-Series firewall.
    - Select Compute Engine > VM Instances and select your instance name.
    - In the Details view, select EDIT.
    - Under SSH Keys, click the Show and edit link and click X to remove any SSH keys.
    - Save your changes.
  - (Optional) Export a copy of the configuration.
  - In the CLI, request a private data reset.
    request system private-data-reset
    Enter y to confirm. The firewall reboots to initialize the default configuration.
  - From the GCP console, select Compute Engine > VM instances and STOP the firewall.
- Create a custom image in the GCP console. These steps are based on Creating, deleting, and deprecating custom images.
  - Select Compute Engine > Images > Create Image.
  - Name your image and select the Google-managed key (see Google-managed encryption keys).
  - Select Disk for the Source, and for the Source disk, select your stopped VM-Series firewall VM and click Create.
  - (Optional) When the image is complete, click the Equivalent REST link, and from the REST response, copy the selfLink. This is the URI link for any type of CI/CD pipeline that you require. For example: projects/my-vpc-vpcID/global/images/pa-vm-8-1-9
    Using this link points directly to your image so you can use it in a template or a script. For example:
    sourceImage: https://www.googleapis.com/compute/v1/projects/{{project}}/global/images/pa-vm-8-1-9
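The following pre-flight check is an added example, not Palo Alto Networks or Google code. It covers the two conditions in the procedure above that are visible from GCP before you create the image (the firewall is stopped and its SSH keys are removed) and validates a copied selfLink before it goes into a template. The function names and sample data are assumptions made for illustration; license deactivation and the private data reset happen on the firewall and cannot be confirmed this way.

```python
import json
import re

# Constructed sample of `gcloud compute instances describe NAME --format=json`,
# trimmed to the fields read below. Every name and key value is a placeholder.
SAMPLE_INSTANCE = json.loads("""
{"name": "pa-vm-image-source",
 "status": "RUNNING",
 "metadata": {"items": [
   {"key": "ssh-keys", "value": "admin:ssh-rsa AAAAconstructed admin@example"}]},
 "disks": [{"boot": true, "deviceName": "persistent-disk-0"}]}
""")

API_PREFIX = "https://www.googleapis.com/compute/v1/"
SSH_KEY_ITEMS = {"ssh-keys", "sshkeys"}  # current and legacy metadata key names
# Image names follow the Compute Engine resource-name rule (lowercase, 1-63 chars).
IMAGE_PATH = re.compile(r"projects/[^/]+/global/images/[a-z](?:[-a-z0-9]{0,61}[a-z0-9])?")


def image_readiness_findings(instance):
    """Return the reasons this instance should not be imaged yet (empty = ready)."""
    findings = []
    status = instance.get("status")
    if status != "TERMINATED":  # a stopped instance reports TERMINATED
        findings.append(f"status is {status}; stop the firewall first")
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key", "").lower() in SSH_KEY_ITEMS and item.get("value", "").strip():
            findings.append(f"SSH keys still present in metadata item '{item['key']}'")
    boot = [d for d in instance.get("disks", []) if d.get("boot")]
    if len(boot) != 1:
        findings.append(f"expected one boot disk to image, found {len(boot)}")
    return findings


def source_image_url(self_link):
    """Turn a partial or full image selfLink into the full sourceImage URL."""
    path = self_link[len(API_PREFIX):] if self_link.startswith(API_PREFIX) else self_link
    if not IMAGE_PATH.fullmatch(path):
        raise ValueError(f"not a global image selfLink: {self_link!r}")
    return API_PREFIX + path


if __name__ == "__main__":
    for finding in image_readiness_findings(SAMPLE_INSTANCE):
        print("BLOCK:", finding)
    print(source_image_url("projects/my-vpc-vpcID/global/images/pa-vm-8-1-9"))
```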