: Create a Custom VM-Series Firewall Image for Google Cloud Platform
Focus
Focus

Create a Custom VM-Series Firewall Image for Google Cloud Platform

Table of Contents

Create a Custom VM-Series Firewall Image for Google Cloud Platform

Learn how to create a custom VM-Series image starting from a VM-Series image deployed from the Google Cloud Platform Marketplace.
Palo Alto Networks posts VM-Series firewall base image versions or minor versions with critical fixes (such as PAN-OS 11.0) on the Google Cloud Platform (GCP) Marketplace. These versions are available when you deploy a VM-Series firewall from the GCP Marketplace. However, you might need to deploy a PAN-OS version that is earlier or later than the Marketplace version.
To deploy a VM-Series firewall version that is not available on the Marketplace, you can create a custom VM-Series firewall image with a BYOL license.
The basic steps to create a custom firewall from a firewall instance are as follows:
  • Deploy a new firewall from the GCP Marketplace.
  • Activate your firewall license, download your desired PAN-OS software version to your firewall, use Dynamic Update to update your Applications and Threats content, and deactivate the firewall license.
  • Perform a private data reset from the GCP console.
  • Create a custom image from the upgraded firewall.
  1. Before you create your custom image, review your accounts, plan and create the networks for VM-Series firewall deployment, for the VM-Series firewall deployment, and plan your network interfaces.
  2. Deploy the VM-Series firewall from the GCP Marketplace.
    You cannot create an image from an existing firewall. Starting from the GCP Marketplace ensures that your custom image can be licensed.
  3. (BYOL Only) Activate the license.
    1. Select DeviceLicenses and activate the licensel.
      The firewall reboots when licensing is complete.
    2. Log in to the firewall.
  4. Upgrade to your preferred PAN-OS version and install software updates.
    1. Select DeviceSoftwareCheck Now and download your required PAN-OS version.
      If you do not see the version you want, download it from the Palo Alto Networks customer support website as follows.
      1. Log in and select UpdatesSoftware Updates.
        From the Filter By list, choose PAN-OS for VM-Series.
      2. Select a PAN-OS version and download it to your local machine.
      3. On your VM-Series firewall, Select DeviceSoftware and Upload your PAN-OS version from your local machine to your device.
    2. Install your chosen version.
    3. Upgrade the PAN-OS software version.
    4. Select DeviceDynamic Updates and upgrade your Applications and Threats and any other content you want to include in your base image.
  5. (BYOL Only) Deactivate the VM from the firewall.
    If you do not deactivate the license, you lose the license that you applied on your firewall instance.
    1. Select DeviceLicenses and under License Management, select Deactivate VM.
    2. Select Complete Manually, and Export the license token.
    3. Return to the Palo Alto Networks customer support website, select AssetsVM-Series Auth-CodesDeactivate License(s) and upload the license token.
  6. Perform a private data reset.
    A private data reset removes all logs and restores the default configuration.
    The system disks are not erased, so the content updates from Step 4 are intact.
    1. Access the firewall CLI and keep it active.
    2. From the GCP console, delete SSH keys from your VM-Series firewall.
      1. Select Compute EngineVM Instances and select your instance name.
      2. In the Details view, select EDIT.
      3. Under SSH Keys, click the Show and edit link and click X to remove any SSH keys.
      4. Save your changes.
    3. (Optional) Export a copy of the configuration.
    4. In the CLI, request a private data reset.
      request system private-data-reset
      Enter y to confirm.
      The firewall reboots to initialize the default configuration.
    5. From the GCP console, select Compute EngineVM instances and STOP the firewall.
  7. Create a custom image in the GCP console.
    1. Select Compute EngineImagesCreate Image.
    2. Name your image and select the Google-managed key (see Google-managed encryption keys).
    3. Select Disk for the Source, and for the Source disk, select your stopped VM-Series firewall VM and click Create.
    4. (Optional) When the image is complete, click the Equivalent REST link, and from the REST response, copy the selfLink. This is the URI link for any type of CI/CD pipeline that you require.
      For example: projects/my-vpc-vpcID/global/images/pa-vm-8-1-9
      Using this link points directly to your image so you can use it in a template or a script. For example:
      sourceImage: https://www.googleapis.com/compute/v1/projects/{{project}}/global/images/pa-vm-8-1-9}