Focus

VM-Series Deployment Guide

Choose a Bootstrap Method

Table of Contents

Choose a Bootstrap Method

Choose a basic configuration or a complete configuration bootstrap method.

You can bootstrap the VM-Series firewall with a basic configuration or a complete configuration.

A complete configuration uses the bootstrap package and includes everything you need to fully configure the firewall at boot up. This includes configuration parameters (in init-cfg.txt), content updates, and software versions. A complete configuration can include both init-cfg.txt and bootstrap.xml files.

Configuration Method	Configuration Location	Comment
Specify complete configuration information in /config/bootstrap.xml in the bootstrap package.	Public cloud storage AWS S3 bucket, Azure storage account, or Google storage bucket.	Full bootstrap package in the storage bucket. Requires cloud storage and an IAM role to access it.

A basic configuration is a minimal configuration that enables you to launch, license, and register the VM-Series firewall. The basic configuration does not support plugins, content, software images, or bootstrap.xml.

After you boot the firewall you can connect with Panorama to complete the configuration, or log in to the firewall to update content and software manually. The following table briefly contrasts three ways you can store and access a basic configuration:

Configuration Method	Configuration Location	Comment
init-cfg.txt Store basic configuration parameters as key-value pairs in config/init-cfg.txt in the bootstrap package.	Public cloud storage AWS S3 bucket Azure storage account GCP storage bucket	Requires cloud storage and an IAM role to access it. The Panorama admin must also be granted access to the bucket.
User data Enter configuration parameters into the public cloud user interface as key-value pairs.	VM Instance AWS: User data Azure: Custom data GCP: GCP metadata	The initial configuration parameters are stored with the VM. No need for separate storage and the associated IAM role.
AWS Secret Manager Enter configuration parameters into the AWS secret manager as key-value pairs.	Encrypted in AWS Secret Manager.	You need an IAM role to create a secret. Others can be granted permission to get the secret. To get the secret, pass the secret name using user data.

See the VM-Series firewall bootstrap workflow to compare the workflow for the basic and complete configurations.

Basic Configuration
Complete Configuration

Basic Configuration

A basic configuration includes the initial configuration and licenses. You can use the bootstrap package to pass the key-value pairs for the initial configuration, or you can enter the bootstrap parameters key-value pairs as user data.

If you do not use Panorama, you can use the initial configuration to bootstrap the firewall, then log in and complete the configuration manually. If you use Panorama, your initial configuration must include bootstrap parameters for the IP addresses for your Panorama servers and the VM Auth Key so the bootstrapped firewall can register with Panorama and complete the full configuration.

Add a Basic Configuration to the Bootstrap Package
Enter a Basic Configuration as User Data (AWS, Azure, or GCP)
Save a Basic Configuration in the AWS Secrets Manager

Add a Basic Configuration to the Bootstrap Package

The initial configuration is a minimal configuration that enables you to launch, license, and register the VM-Series firewall, and connect with Panorama, if applicable. You deliver the configuration (init-cfg.txt) in the bootstrap package.

Enter a Basic Configuration as User Data (AWS, Azure, or GCP)

When you include Panorama connectivity parameters in your init-cfg.txt, Panorama attempts to push configuration to the VM-Series firewall upon first connection. The connection to Panorama fails if hostname, template stack, or device group values are missing from the init-cfg.txt file.

When you deploy the VM-Series firewall from the AWS, Azure, or GCP user interface, you can enter the configuration parameters as user data during the launch/deployment process. If you have sufficient permissions to deploy a firewall from your cloud account, and access Panorama (if you are using it), you can skip creating a bootstrap package, creating configuration files, and other bootstrap tasks related to cloud storage (a storage bucket, IAM roles, or service accounts that grant external access to storage).

Configuration parameters include the values in init-cfg.txt File Components, and the following additional values only available as user data:

authcodes—The authcode use to register the VM-Series firewall. For example, authcodes=I7115398.
mgmt-interface-swap—Used to swap the management interface when the VM-Series firewall is behind a load balancer in an AWS or GCP deployment. For example, mgmt-interface-swap=enable.

You can enter configuration parameters as key-value pairs directly into the AWS or GCP user interface. You can also define the configuration from a text file or a cloud-native template, such as an AWS Cloud Formation template, Azure ARM template, a GCP YAML file, or a Terraform template.

Each cloud has a different term for user data, and uses different separators between bootstrap parameters.

AWS User Data—Use a semicolon or newline (\n). If a parameter has more than one option, separate options with a comma. For example:

If you choose to save your basic configuration in the AWS Secrets Manager, enter the secret name as a key-value pair in the user data field. For example:

  type=dhcp-client
  hostname=palo1
  panorama-server=<PANORAMA-1 IP>
  panorama-server-2=<PANORAMA-2 IP>
  tplname=STK-NGFW-01
  dgname=DG-NGFW-01
  dns-primary=169.254.169.253
  dns-secondary=8.8.8.8
  op-command-modes=mgmt-interface-swap
  dhcp-send-hostname=yes
  dhcp-send-client-id=yes
  dhcp-accept-server-hostname=yes
  dhcp-accept-server-domain=yes
  vm-auth-key= <YOUR AUTH KEY HERE>
  authcodes= <<YOUR AUTH CODE HERE>

Azure Custom Data—Use a semicolon. If a parameter has more than one option, separate options with a comma. For example:

type=dhcp-client; op-command-modes=jumbo-frame;
vm-series-auto-registration-pin-id=abcdefgh1234****;
vm-series-auto-registration-pin-value=zyxwvut-0987****

GCP Custom Metadata—In a file, such as a YAML file or Terraform template, use a newline (\n) for each parameter, and if a parameter has multiple options, use commas to separate them. For example:
```
type=dhcp-client
op-command-modes=mgmt-interface-swap,jumbo-frame
vm-series-auto-registration-pin-id=abcdefgh1234****
vm-series-auto-registration-pin-value=zyxwvut-0987****
```

Save a Basic Configuration in the AWS Secrets Manager

You can use the AWS Secrets Manager to store the basic configuration as a secret, and then use User Data to bootstrap a VM with the parameters stored in the secret. To perform this task you need permission to use the Secrets Manager.

The secret creator must have full Secrets Manager administrator permissions. A Secrets Manager administrator can permit others to use the secret, as described in Authentication and access control for AWS Secrets Manager.
For example, the following policy statement allows you to get the secret value:
```
{
  "Version": "2012-10-17",
    {
      "Effect": "Allow",
      "Action": "secretsmanager:GetSecretValue",
      "Resource": 
      "arn:aws:secretsmanager:us-east-1:688382******:secret:My_bts-******"
    }
}
```
Refer to Actions, Resources, and Context Keys You Can Use in an IAM Policy or Secret Policy for AWS Secrets Manager to see actions that require permission, such as list, get, and rotate secret.
(Optional) To encrypt the secret you can use the DefaultEncryptionKey from AWS Secrets Manager.

Log in to the AWS console and under Security, Identity and Compliance, select Secrets Manager and select Store a new secret.
Select other type of secrets.
1. Enter the key-value pairs to define the basic configuration.
  
  mgmt-interface-swap does not work as a key-value pair in an AWS secret. It must be entered as: op-command-modes=mgmt-interface-swap
2. Select the DefaultEncryptionKey, and click Next.

Supply the secret name and description.

Edit the resource permissions to securely access secrets across AWS accounts. For example:

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::sn-bootstrap"
    },
    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::sn-bootstrap/*"
    },
    {
        "Effect": "Allow",
        "Action": "secretsmanager:GetSecretValue",
        "Resource": "arn:aws:secretsmanager:us-east-1:688382******:
                           secret:My_bootstrap"
    }
  ]
}

(Optional) You can examine the secret from the command line (if you have permission). For example:

# aws secretsmanager get-secret-value --secret-id My_bootstrap
{
    "ARN": "arn:aws:secretsmanager:us-east-1:688382******:
                secret:My_bootstrap",
    "Name": "My_bootstrap",
    "VersionId": "01b6853d-e187-479f-***********",
    "SecretString": "{\"mgmt-interface-swap\":\"enable\",
        \"vm-auth-key\":\"AAA\",\"panorama-server\":\"10.*.*.1\",
        \"panorama-server-2\":\"10.*.*.2\",\"dgname\":\"dg-s0000h\",
        \"tplname\":\"tpl-santosh\",\"license-authcode\":\"AAAA\"}",
    "VersionStages": [ "AWSCURRENT" ],
    "CreatedDate": 1581018411.847
}

Complete Configuration

A complete configuration ensures the firewall is fully configured on boot up. The bootstrap.xml file includes the initial configuration, licenses, software, content, and a version of the VM-Series plugin. You can create bootstrap.xml manually or you can export an existing configuration, as described in Create the bootstrap.xml File.

Bootstrap the VM-Series Firewall

VM-Series Firewall Bootstrap Workflow