>
    Strata Copilot
    Generate Terraform Configuration from Strata Cloud Manager (SCM)
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Prisma AIRS as a Firewall - Hyperscale Security Fabric
    5. Deploy and Manage Prisma AIRS HSF Clusters on KVM
    6. Generate Terraform Configuration from Strata Cloud Manager (SCM)
    Download PDF
    Prisma AIRS

    Generate Terraform Configuration from Strata Cloud Manager (SCM)

    Table of Contents

    Generate Terraform Configuration from Strata Cloud Manager (SCM)

    Steps to generate a terraform template from the Strata Cloud Manager
    Where Can I Use This?What Do I Need?
    • Prisma® AI Runtime Security™
    • PAN-OS® 12.1.5 & later
    • A controller or a VM to apply terraforms with SSH key authentication for KVM host root access
    The following are the steps to generate a terraform template from the Strata Cloud Manager.
    1. Log in to SCM and navigate to Insights > Deployment.
    2. Select KVM under the Private Cloud section and choose Deploy a New Firewall and select Start from scratch.
    3. Fill out the HSF Cluster Configuration details including:
      • Cluster Name
      • Template Stack Name
      • Device Group Name
      • Panorama IP
      • Secondary Panorama IP
      • VM Auth Key
      • Auth Code
      • Image Path
        The Absolute image path should be the same as the path provisioned on the host for local deployment and path provisioned on the remote controller for remote deployment.
        • DNS Primary (Optional)
        • DNS Secondary (Optional)
      • (Optional) Select Jumbo Frame if you wish to enable Jumboframe on your cluster.
      • Click Add More Bootstrap Parameters and add the Key Value pair, if you wish to add optional bootstrap parameters.
    4. Configure Common Networking settings for Management Link, Control Interconnect Link and Traffic Interconnect Link.
    5. Select DHCP or Static as the Management Interface IP.
    6. Select Local Server or Remote Server under Server Deployment information including remote KVM host IP, User Name and Private SSH Key Path.
    7. Define Node Specifications for P-Nodes and S-Nodes.
      Add the individual Node Specifications details such as:
      • Choose a Server
      • Management Interface IP - DHCP or Static
      • Management IP Address
      • Gateway IP
      • Subnet Mask
      • Network Devices
        • Management
        • Cluster Interconnect
        • Traffic Interconnect Interface
      You may add up to 4 P-Nodes and 6 S-Nodes. However, a minimum of 2 P-Nodes are necessary to maintain resiliency.
    8. Review the deployment summary and give a name to the template.
    9. Click Create Terraform Template and then Download Terraform template.

    Execute Terraform Deployment

    For Terraform prerequisites, see KVM Host Permissions for Local or Remote Deployments.
    1. Extract the downloaded Terraform ZIP file to your central controller or KVM host.
    2. Navigate to the extracted directory containing the node-specific Terraform folders.
    3. Perform one of the following deployment methods:
      • Local Deployment: - Inside each node's folder, execute the following commands:
        terraform init
        terraform plan
        terraform apply
        Ensure that you are logged in as the sudo user before issuing terraform command.
      • Remote Deployment (Recommended):
        1. Ensure SSH keys are correctly set up and added to the SSH agent.
        2. Use the provided deploy-cluster.sh script (for example, ./deploy-cluster.sh setup) to automate terraform init, plan, and apply across all node directories.
        3. Monitor the terminal output for Terraform provisioning status.

    Verify Cluster Deployment and Initial Configuration

    1. Access the Panorama UI and navigate to Managed Devices and Firewall Clusters to confirm nodes are registered and the cluster is forming.
    2. Monitor content and configuration pushes from Panorama through the node's CLI (show jobs all) and Panorama's task manager.
    3. Confirm the cluster is online and functional after auto-commit and content installation jobs complete.

    © 2026 Palo Alto Networks, Inc. All rights reserved.