Create Bootstrap Configuration Files

Create bootstrap configuration files to streamline firewall deployment. VM-Series firewall deployments support both init-cfg.txt and bootstrap.xml file types for bootstrapping.

Where Can I Use This?
  • VM-Series Firewall deployment
What Do I Need?
  • VM-Series 10.2.x or above
  • Panorama running PAN-OS 10.2.x or above

Create an init-cfg.txt Bootstrap File

Use the init-cfg.txt file to bootstrap the VM-Series firewall. It provides the basic information the firewall needs to connect to your network. The following table describes the bootstrap parameters in the init-cfg.txt file.
type=
  This required field represents the type of management IP address: static or dhcp-client.
IP address=
  IPv4 address. This field is ignored if the type is dhcp-client. If the type is static, an IPv4 address is required; the IPv6-address field is optional.
  You can't specify the management IP address and netmask configuration for the VM-Series firewall in AWS and Azure. If defined, the firewall ignores the values you specify.
default-gateway=
  IPv4 default gateway for the management interface. This field is ignored if the type is dhcp-client. This field is required if the type is static, and is combined with the IP address.
Netmask=
  IPv4 netmask. This field is ignored if the type is dhcp-client. If the type is static and the IP address is used, this field is required.
IPv6-address=
  IPv6 address and/or prefix length of the management interface. This field is ignored if the type is dhcp-client. If the type is static, use this field along with the IP address field.
IPv6-default-gateway=
  IPv6 default gateway for the management interface. This field is ignored if the type is dhcp-client. This field is required if the type is static and IPv6-address is used.
hostname=
  Host name for the firewall.
panorama-server=
  IPv4 or IPv6 address of the primary Panorama server. This field isn't required but is recommended for centrally managing your firewalls.
  When creating a bootstrap package, set panorama-server=cloud. Use the cloud parameter when connecting the firewall to Strata Cloud Manager.
panorama-server-2=
  IPv4 or IPv6 address of the secondary Panorama server. This field isn't required but is recommended.
  A value defined for panorama-server-2 is ignored when panorama-server=cloud is used.
tplname=
  Panorama template stack name. If you add a Panorama server IP address, assign the firewall to a template stack on Panorama and enter the template stack name in this field so that you can centrally manage and push configuration settings to the firewall.
dgname=
  Panorama device group name. If you add a Panorama server IP address, as a best practice create a device group on Panorama and enter the device group name in this field so that you can group the firewalls logically and push policy rules to the firewall.
cgname=
  Panorama collector group name. If you want to bootstrap the firewall to send logs to a Panorama Collector Group, you must first configure a Collector Group on Panorama and then configure the firewall to forward logs to Panorama.
  On the M-Series appliances, a default predefined Collector Group already contains the local log collector as a member. On the Panorama virtual appliance, you must add the Collector Group and add the local log collector as a member.
dns-primary=
  IPv4 or IPv6 address of the primary DNS server.
dns-secondary=
  IPv4 or IPv6 address of the secondary DNS server.
vm-auth-key=
  Virtual machine authentication key for Panorama (see Generate the VM Auth Key on Panorama). This field is ignored when bootstrapping hardware firewalls.
op-command-modes=
  The following values are allowed: multi-vsys, jumbo-frame, mgmt-interface-swap. If you enter multiple values, use a space or a comma to separate the entries.
op-cmd-dpdk-pkt-io=
  The value on or off allows you to enable or disable Data Plane Development Kit (DPDK) in environments where the firewall supports DPDK. DPDK allows the host to process packets faster by bypassing the Linux kernel; interactions with the NIC are performed using the DPDK drivers and libraries.
plugin-op-commands=
  Specify VM-Series plugin operation commands.
  Enter multiple commands as a single comma-separated list with no spaces.
    • sriov-access-mode-on—This command is only valid for the VM-Series firewall on ESXi and KVM hypervisors.
      For KVM only, if you enable sriov-access-mode-on, don't enable op-command-modes=jumbo-frame.
    • aws-gwlb-associate-vpce:<vpce-id>@ethernet<subinterface>—Allows you to Associate a VPC Endpoint with a VM-Series Interface or subinterface on the firewall. The specified interface is assigned to a security zone.
    • aws-gwlb-overlay-routing:enable—Use this command to Enable Overlay Routing for the VM-Series on AWS when integrated with an AWS GWLB.
    • set-dp-cores:<#-cores>—Customize the number of dataplane vCPUs for a VM-Series firewall running PAN-OS 11.0 or later deployed with a Software NGFW license. This option isn't supported on NSX-T. For more information, see Customize Dataplane Cores.
    • numa-perf-optimize:enable—Enables NUMA performance optimization on the VM-Series firewall with VM-Series plugin 2.1.2 or later installed. For more information, see Enable NUMA Performance Optimization on the VM-Series.
    • advance-routing:enable—Enables Advanced Routing. To ensure successful bootstrapping for Advanced Routing when using both the init-cfg.txt and bootstrap.xml files, enable Advanced Routing in both init-cfg.txt and bootstrap.xml. Failing to enable Advanced Routing in both files could result in an unstable environment; for example, the command show advanced routing route indicates that Advanced Routing is enabled, while the command show deviceconfig setting indicates that Advanced Routing isn't enabled. Further, Advanced Routing won't be fully functional and could cause a commit failure. If the setup is in this state, reboot the VM-Series firewall after configuring set deviceconfig setting advanced-routing yes to enable Advanced Routing.
    • setsess-ress:True—Enables session resiliency on the VM-Series firewall for AWS and GCP.
dhcp-send-hostname=
  The value of yes or no comes from the DHCP server. If yes, the firewall will send its hostname to the DHCP server. This field is relevant only if the type is dhcp-client.
dhcp-send-client-id=
  The value of yes or no comes from the DHCP server. If yes, the firewall will send its client ID to the DHCP server. This field is relevant only if the type is dhcp-client.
dhcp-accept-server-hostname=
  The value of yes or no comes from the DHCP server. If yes, the firewall will accept its hostname from the DHCP server. This field is relevant only if the type is dhcp-client.
dhcp-accept-server-domain=
  The value of yes or no comes from the DHCP server. If yes, the firewall will accept its DNS server from the DHCP server. This field is relevant only if the type is dhcp-client.
vm-series-auto-registration-pin-id= and vm-series-auto-registration-pin-value=
  The VM-Series registration PIN ID and value for installing the device certificate on the VM-Series firewall. The PIN ID and value also enable you to automatically activate the site licenses for AutoFocus and Cortex Data Lake on Pay as You Go (PAYG) instances of the firewall.
  Generate the registration PIN ID and value on the Palo Alto Networks CSP. See Install a Device Certificate on the VM-Series Firewall for information on generating the PIN ID and value.
redis-endpoint=
  Provide the IP address or FQDN and the port of your Redis endpoint, for use with session resiliency in the VM-Series for AWS and GCP.
redis-auth=
  (Optional) The auth code your VM-Series firewall uses to connect with the Redis endpoint, for use with session resiliency in the VM-Series for AWS and GCP.
redis-certificate=
  (Optional) The root CA certificate string used to connect to the Redis endpoint. The certificate must be a base64-encoded string using utf-8 encoding. For use with session resiliency in the VM-Series for GCP; not required for session resiliency on AWS.
Complete the following procedure to create the init-cfg.txt file.
  1. Create a new text file.
    Use a text editor such as Notepad, EditPad, or other plain-text editors to create a text file.
  2. Add the basic network configuration for the management interface on the firewall.
    If any of the required parameters are missing in the file, the firewall exits the bootstrap process and boots up using the default IP address, 192.168.1.1. You can view the system log on the firewall to detect the reason for the bootstrap failure. For errors, see Licensing API.
    There are no spaces between the key and value in each field. Don't add spaces as they could cause failures during parsing on the mgmtsrvr side.
    • To configure the management interface with a static IP address, you must specify the IP address, type of address, default gateway, and netmask. An IPv4 address is required. An IPv6 address is optional. For syntax, see Sample init-cfg.txt file section below.
    • To configure the management interface as a DHCP client, you must specify only the type of address. If you enable the DHCP client on the management interface, the firewall ignores the IP address, default gateway, netmask, IPv6 address, and IPv6 default gateway values defined in the file. For syntax, see Sample init-cfg.txt file section below.
    When you enable DHCP on the management interface, the firewall takes the DHCP assigned IP address and is accessible over the network. You can view the DHCP assigned IP address on the General Information widget on the Dashboard or with the CLI command show system info. However, the default static management IP address 192.168.1.1 is retained in the running configuration (show config running) on the firewall. This static IP address ensures that you can always restore connectivity to your firewall, in the event you lose DHCP access to the firewall.
  3. Add the VM auth key to register a VM-Series firewall with Panorama.
    To add a VM-Series firewall on Panorama, you must add the VM auth key that you generated on Panorama to the basic configuration (init-cfg.txt) file. For details on generating a key, see Generate the VM Auth Key on Panorama section below.
  4. Add details for accessing Panorama.
    • Add IP addresses for the primary and secondary Panorama servers.
    • Specify the template and the device group to which you want to assign the firewall.
    • To specify Strata Cloud Manager as your Panorama host, set panorama-server=cloud to initiate a TLS connection to the cloud management service edge.
  5. (Recommended) Add the VM-Series registration pin and value for installing the device certificate.
    If you want to install the device certificate on the VM-Series firewall at launch, you must generate the VM-Series registration pin ID and value on the CSP and include it in the init-cfg.txt file. This pin and value also apply to any site licenses that use the PAYG license.
  6. (Optional) Include additional parameters for the firewall.
    Sample init-cfg.txt file
    The following sample basic configuration files show all the parameters that are supported in the file. The type parameter is always required; with type=static, the IP address, default-gateway, and Netmask parameters are required as well.
    Sample init-cfg.txt File (Static IP Address)
      type=static
      IP address=10.*.*.19
      default-gateway=10.*.*.1
      Netmask=255.255.255.0
      IPv6-address=2001:400:f00::1/64
      IPv6-default-gateway=2001:400:f00::2*
      hostname=Ca-FW-DC1
      vm-auth-key=7550362253****
      panorama-server=10.*.*.20
      panorama-server-2=10.*.*.21
      tplname=FINANCE_TG4
      dgname=finance_dg
      dns-primary=10.5.6.6
      dns-secondary=10.5.6.7
      op-command-modes=jumbo-frame,mgmt-interface-swap**
      op-cmd-dpdk-pkt-io=***
      plugin-op-commands=
      dhcp-send-hostname=no
      dhcp-send-client-id=no
      dhcp-accept-server-hostname=no
      dhcp-accept-server-domain=no
      vm-series-auto-registration-pin-id=abcdefgh1234****
      vm-series-auto-registration-pin-value=zyxwvut-0987****
    Sample init-cfg.txt File (DHCP Client)
      type=dhcp-client
      IP address=
      default-gateway=
      Netmask=
      IPv6-address=
      IPv6-default-gateway=
      hostname=Ca-FW-DC1
      vm-auth-key=7550362253****
      panorama-server=10.*.*.20
      panorama-server-2=10.*.*.21
      tplname=FINANCE_TG4
      dgname=finance_dg
      dns-primary=10.5.6.6
      dns-secondary=10.5.6.7
      op-command-modes=jumbo-frame,mgmt-interface-swap**
      op-cmd-dpdk-pkt-io=***
      plugin-op-commands=
      dhcp-send-hostname=yes
      dhcp-send-client-id=yes
      dhcp-accept-server-hostname=yes
      dhcp-accept-server-domain=yes
      vm-series-auto-registration-pin-id=abcdefgh1234****
      vm-series-auto-registration-pin-value=zyxwvut-0987****
    You can't specify the management IP address and netmask configuration for the VM-Series firewall on AWS. If defined, the firewall ignores the values you specify because AWS uses a backend metadata file to assign the management IP address and netmask.
    *The IPv6 default gateway is required if you include an IPv6 address.
    **The mgmt-interface-swap operational command pertains only to a VM-Series firewall on AWS or GCP.
    ***The op-cmd-dpdk-pkt-io=off setting disables DPDK on the VM-Series firewall on ESXi, KVM, and GCP (DPDK is enabled by default).
    ****The vm-series-auto-registration-pin-id and vm-series-auto-registration-pin-value are required for two use cases:
    • Activation of site licenses—AutoFocus or Cortex Data Lake—with Pay-As-You-Go (PAYG) license options of the VM-Series firewall.
    • Retrieval and installation of the device certificate on the VM-Series firewall.
    Example init-cfg.txt file used for a bootstrap package when using Strata Cloud Manager
    When creating an init-cfg.txt file for the bootstrap package, ensure that it minimally includes parameters for:
    • type
    • panorama-server
    • vm-series-auto-registration-pin-id
    • vm-series-auto-registration-pin-value
    For example:
      type=static
      ip-address=1.1.1.1
      netmask=111.111.11.1
      default-gateway=1.1.1.1
      hostname=host_1
      panorama-server=cloud
      plugin-op-commands=advance-routing:enable
      dgname=host_1_directory
      dns-primary=1.1.1.1
      vm-series-auto-registration-pin-id=VALUE
      vm-series-auto-registration-pin-value=VALUE
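
The following checker, an added example and not Palo Alto Networks code, applies the rules stated above to an init-cfg.txt before it goes into a bootstrap package: no whitespace around =, the fields required for each management type, an IPv6 default gateway whenever an IPv6 address is set, the fields ignored with dhcp-client or with panorama-server=cloud, the registration PIN fields a Strata Cloud Manager package needs, the allowed op-command-modes and plugin-op-commands values, the missing vm-auth-key case, and the KVM sriov/jumbo-frame conflict. It assumes field names can be compared case-insensitively with a space treated as a hyphen (so IP address= and ip-address= match); that leniency is the checker's own, not documented firewall behaviour.

```python
import re

REQUIRED_STATIC = ("ip-address", "default-gateway", "netmask")
DHCP_IGNORED = REQUIRED_STATIC + ("ipv6-address", "ipv6-default-gateway")
OP_COMMAND_MODES = {"multi-vsys", "jumbo-frame", "mgmt-interface-swap"}
# Allowed plugin-op-commands; the parameterised ones are matched on their prefix.
PLUGIN_CMD_PREFIXES = ("sriov-access-mode-on", "aws-gwlb-associate-vpce:",
                       "aws-gwlb-overlay-routing:enable", "set-dp-cores:",
                       "numa-perf-optimize:enable", "advance-routing:enable",
                       "setsess-ress:True")
SCM_PINS = ("vm-series-auto-registration-pin-id", "vm-series-auto-registration-pin-value")
# Constructed sample: static type, IPv6 address without its gateway, a stray space.
SAMPLE = ("type=static\nIP address=10.0.0.19\nNetmask=255.255.255.0\n"
          "IPv6-address=2001:db8::1/64\npanorama-server = cloud\n"
          "plugin-op-commands=advance-routing:enable\n")

def parse_init_cfg(text):
    """Return ({key: value}, errors); whitespace next to '=' breaks the mgmtsrvr parser."""
    params, errors = {}, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip(): continue
        key, sep, value = line.partition("=")
        if not sep or key != key.rstrip() or value != value.lstrip():
            errors.append(f"line {lineno}: missing '=' or whitespace next to it")
        # Assumption of this checker: keys compared case-insensitively, space == hyphen.
        params[key.strip().lower().replace(" ", "-")] = value.strip()
    return params, errors

def check_init_cfg(text):
    """Return (errors, warnings): errors abort the bootstrap, warnings are ignored fields."""
    (params, errors), warnings = parse_init_cfg(text), []
    if params.get("type") == "static":
        errors += [f"{f}= is required with type=static" for f in REQUIRED_STATIC if not params.get(f)]
        if params.get("ipv6-address") and not params.get("ipv6-default-gateway"):
            errors.append("ipv6-default-gateway= is required when ipv6-address= is set")
    elif params.get("type") == "dhcp-client":
        warnings += [f"{f}= is ignored with type=dhcp-client" for f in DHCP_IGNORED if params.get(f)]
    else:
        errors.append("type= must be static or dhcp-client")
    if params.get("panorama-server") == "cloud":  # Strata Cloud Manager bootstrap package
        if params.get("panorama-server-2"):
            warnings.append("panorama-server-2= is ignored when panorama-server=cloud")
        errors += [f"{f}= is required with panorama-server=cloud" for f in SCM_PINS if not params.get(f)]
    elif params.get("panorama-server") and not params.get("vm-auth-key"):
        warnings.append("vm-auth-key= missing: Panorama will not register the firewall without it")
    modes = set(re.split(r"[ ,]+", params.get("op-command-modes", ""))) - {""}
    errors += [f"unknown op-command-modes value {m!r}" for m in sorted(modes - OP_COMMAND_MODES)]
    cmds = params.get("plugin-op-commands", "")
    if " " in cmds:
        errors.append("plugin-op-commands= must be a comma-separated list with no spaces")
    errors += [f"unknown plugin-op-command {c!r}" for c in cmds.split(",")
               if c and not c.startswith(PLUGIN_CMD_PREFIXES)]
    if "sriov-access-mode-on" in cmds and "jumbo-frame" in modes:
        warnings.append("sriov-access-mode-on with jumbo-frame is not supported on KVM")
    return errors, warnings
```

Running check_init_cfg(SAMPLE) reports the stray space, the missing default-gateway and IPv6 gateway, and both missing registration PIN fields; a file that passes with no errors still boots with 192.168.1.1 if the bootstrap package itself is malformed, so check the system log as step 2 describes.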

Create a bootstrap.xml File

Use the following procedure to create the bootstrap.xml file by exporting the configuration from a firewall running on the same platform or hypervisor as your target deployment.
  1. Export a configuration from a firewall.
    1. Select Device > Setup > Operations.
    2. Select the configuration file you want to export.
      • To export the running configuration, in the Configuration Management section, select Export named configuration snapshot and select running-config.xml from the drop-down.
      • To export a previous version of a firewall configuration, in the Configuration Management section, Export configuration version and select the appropriate configuration version in the drop-down.
  2. Rename the configuration file and save.
    1. Rename the file to bootstrap.xml.
      For the bootstrap process to be successful, the filename must be an exact (case-sensitive) match.
    2. Save the bootstrap.xml file in the same location as the init-cfg.txt file.

Generate the VM Auth Key on Panorama for Bootstrapping

If you want to use Panorama to manage the VM-Series firewalls that you're bootstrapping, you must generate a VM auth key on Panorama and include the key in the basic configuration (init-cfg.txt) file. The VM auth key allows Panorama to authenticate the newly bootstrapped VM-Series firewall. So, to manage the firewall using Panorama, you must include the IP address for Panorama and the VM auth key in the basic configuration file as well as the license auth codes in the /license folder of the bootstrap package. The firewall can then provide the IP address, serial number, and the VM auth key in its initial connection request to Panorama so that Panorama can verify the validity of the VM auth key and add the firewall as a managed device. If you provide a device group and template in the basic configuration file, Panorama will assign the firewall to the appropriate device group and template so that you can centrally configure and administer the firewall using Panorama.
The lifetime of the key can vary between 1 hour and 8,760 hours (1 year). After the specified time, the key expires and Panorama won't register VM-Series firewalls without a valid auth-key in this connection request.
  1. Log in to the Panorama CLI or access the API:
    • In the CLI, use the following operational command:
      request bootstrap vm-auth-key generate lifetime <1-8760>
      For example, to generate a key that is valid for 24 hours, enter the following:
      request bootstrap vm-auth-key generate lifetime 24 
      VM auth key 755036225328715 generated. Expires at: 2015/12/29 12:03:52 
    • In the API, use the following URL:
      https://<Panorama_IP_address>/api/?type=op&cmd=<request><bootstrap><vm-auth-key><generate><lifetime><number-of-hours></lifetime></generate></vm-auth-key></bootstrap></request>
      where the lifetime is the number of hours for which the VM auth key is valid.
  2. Verify the validity term of the VM auth keys you generated on Panorama. Make sure that the validity term allows enough time for one or more firewalls to register with Panorama.
    https://<Panorama_IP_address>/api/?type=op&cmd=<request><bootstrap><vm-auth-key><show></show></vm-auth-key></bootstrap></request>
  3. Add the generated VM auth key to the basic configuration (init-cfg.txt) file. See Create the init-cfg.txt File section.
  4. Verify the device registration authentication key you generated is successfully created.
    request bootstrap vm-auth-key show