: Bootstrap Package
Focus
Focus

Bootstrap Package

Table of Contents

Bootstrap Package

The bootstrap process is initiated only on first boot when the firewall is in a factory default state.

Bootstrap Package Structure

The bootstrap package must include the /config, /license, /software, and /content folders, even if they are empty. The /plugins folder is optional. For an example, see Prepare the Bootstrap Package.
  • /config folder—Contains the configuration files. The folder can hold two files: init-cfg.txt and the bootstrap.xml. For details, see Bootstrap Configuration Files.
    If you intend to pre-register VM-Series firewalls with Panorama with bootstrapping, you must generate a VM auth key on Panorama and include the generated key in the init-cfg.txt file. See Generate the VM Auth Key on Panorama.
  • /license folder—Contains the license keys or auth codes for the licenses and subscriptions that you intend to activate on the firewalls. If the firewall does not have Internet connectivity, you must either manually obtain the license keys from the Palo Alto Networks Support portal or use the Licensing API to obtain the keys and then save each key in this folder. For details, see Prepare the Licenses for Bootstrapping.
    You must include an auth code bundle instead of individual auth codes so that the firewall or orchestration service can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the firewall will retrieve only the license key for the first auth code included in the file.
  • /software folder—Contains the software images required to upgrade a newly provisioned VM-Series firewall to the desired PAN-OS version for your network. You must include all intermediate software versions between the current version and the final PAN-OS software version to which you want to upgrade the VM-Series firewall. Refer to VM-Series Firewall Hypervisor Support in the Compatibility Matrix.
  • /content folder—Contains the application and threat updates, WildFire updates, and the BrightCloud URL filtering database for the valid subscriptions on the VM-Series firewall. You must include the minimum content versions required for the desired PAN-OS version. If you do not have the minimum required content version associated with the PAN-OS version, the VM-Series firewall cannot complete the software upgrade.
  • /plugins folderOptional folder contains a single VM-Series plugin image.
  • /ace folderOptional folder contains an App-ID Cloud Engine (ACE) content package. The VM-Series installs the version of the Cloud App-ID Catalog included in the content package upon first boot. You must download the content package from the Customer Support Portal and add it to the ace folder. To download the content package, complete the following steps.
    1. Log in to the Customer Support Portal.
    2. Select UpdatesDynamic Updates.
    3. Select Bootstrap files for VM Flex with SaaS Subscription from the Content Type drop-down.
    4. Choose a content package and click Download.

Bootstrap Package Delivery

The file type used to deliver the bootstrap package to the VM-Series firewall varies based on your hypervisor. Use the table below to determine the file type your hypervisor or cloud vendor supports.
External Device for Bootstrapping (Bootstrap Package Format)
AWS
Azure
ESXi
Google
Hyper-V
KVM
CD-ROM (ISO image)
Yes
Yes
Yes
Block Storage Device
Yes
Yes
Yes
Storage Account
Yes
Storage Bucket
Yes
Yes
When you attach the storage device to the firewall, the firewall scans for a bootstrap package and, if one exists, the firewall uses the settings defined in the bootstrap package.
If you have included a Panorama server IP address in the file, the firewall connects with Panorama. If the firewall has Internet connectivity, it contacts the licensing server to update the UUID and obtain the license keys and subscriptions. The firewall is then added as an asset in the Palo Alto Networks Support portal. If the firewall does not have Internet connectivity, it either uses the license keys you included in the bootstrap package, or it connects to Panorama to retrieve the appropriate licenses and deploys them to the managed firewalls.