Deployment Workflow for VM-Series and Prisma AIRS

Table of Contents

Create and Associate a Deployment Profile for Prisma AIRS AI Runtime Firewall

Onboard and Activate a Cloud Account in Strata Cloud Manager

Deployment Workflow for VM-Series and Prisma AIRS

Streamline firewall deployments with the same image for VM-Series and Prisma AIRS™. This image offers flexible, license-driven operational modes and simplified profile management.

Where Can I Use This?	What Do I Need?
Prisma AIRS VM-Series	PAN-OS version 11.2.11, 12.1.5 or later VM-Series or Prisma AIRS authcode

The single image for Palo Alto Networks® software firewalls simplifies deployments and upgrades with a single image allowing a single image to operate dynamically as either a VM-Series firewall or a Prisma AI Runtime Security (AIRS) firewall. The associated license determines the operational mode at runtime, streamlining deployment and management by eliminating the need for separate images.

Prisma AIRS deployment profiles are no longer bundled and are now available as Ala Carte options.

The Prisma AIRS firewall image file available on the CSP is now changed from PanOSAINgfw_vm-X.X.X.aingfw to PanOS_vm-X.X.X.

Prerequisites for Prisma AIRS Devices

Minimum vCPU Requirements - Ensure your firewall has a minimum of 4 vCPUs. The deployment profile will default to 4 vCPU for Prisma AIRS if your planned vCPU is below this minimum.
Supported Processor Architectures - Prisma AIRS is now supported on both x86 and ARM starting with version 12.1.5 and 11.2.11

Configure Universal Image Deployment Profiles

This section provides a step-by-step walkthrough for configuring new deployment profiles and migrating the existing ones.

You can continue to use your existing deployment profile with this image as well.

Create Deployment Profile.
1. Log in to the Palo Alto Networks Customer Support Portal.
2. Navigate to Products > Software/Cloud NGFW Credits.
3. Click Create New Deployment Profile
Select a Deployment Profile Type.
1. On the Select Deployment Profile Type screen, choose one of the following primary deployment types and click Next:
  Prisma AIRS: There are two methods to create a Prisma AIRS deployment profile
  Recommended workflow:
  Select Virtual Firewall and click Next:
  Select the licensing type: Fixed vCPU models or Flexible vCPUs (recommended) and click Next.
  Click the firewall type: Prisma AIRS
  Alternative workflow: Select AI Runtime Security (Firewalls) under Prisma AIRS and click Next.
  
  Legacy AI-related deployment profile - AI Runtime Security (Instance) is now deprecated.
  
  VM-Series: To create a VM-Series deployment profile, the recommended workflow is:
  Select Virtual Firewall and click Next.
  Select the licensing type: Fixed vCPU models or Flexible vCPUs (recommended) and click Next.
  Click firewall type: VM-Series.
(Recommended) Configure a Virtual Firewall Deployment Profile (Prisma AIRS or VM-Series).
1. Virtual Firewall deployment profiles allow you to choose the desired firewall type:
  Prisma AIRS (Recommended - Next-Gen VM-Series with many more new capabilities). This option includes all functionalities of VM-Series, plus Container Network Security, Micro-Perimeter, AI Security, and Hyperscale Security Fabric.
  VM-Series - This option allows you to configure a standard VM-Series firewall.
2. If you selected Prisma AIRS: AI Runtime Security (Firewalls) in the previous step, the system navigates directly to the Virtual Firewall DP configuration screen with Prisma AIRS pre-selected and is not editable.
3. Configure the deployment profile details by referring to Create and Associate a Deployment Profile for Prisma AIRS AI Runtime Firewall (continue from step 6 onwards).
4. For VM-Series, configure the deployment profile details, by referring to the VM-Series deployment profile (continue from the steps 1.b onwards).
  
  You cannot create new deployment profiles for deprecated types such as AI Runtime Security (Instance). Instead use AI Runtime Security (Firewalls).

Panorama Deployment

Panorama Upgrade or Downgrade:

For Panorama-managed upgrades to the 11.2.11+ or 12.1.5+ Image, navigate to Panorama Device Deployment > Software.
Download the image with platform type vm,AI Runtime Security.
Upgrade or Downgrade Prisma AIRS to version 11.2.11+:
To upgrade or downgrade Prisma AIRS to version 11.2.11, you must first download the 11.2.0 base image.
While downloading the 11.2.0 base image for Prisma AIRS device, you will encounter the following error, which is a known issue.
Image not for AI-Runtime-Security model.
Failed to load into software manager. Please retry.
Post processing failed. Please retry.
The 11.2.0 image will download successfully to the device despite the error message.
Close the error and proceed to deploy the required 11.2.11 image.