>
    Strata Copilot
    Manually Deploy and Bootstrap Prisma AIRS AI Runtime Firewall
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Manually Deploy and Bootstrap Prisma AIRS AI Runtime Firewall
    Download PDF
    Prisma AIRS

    Manually Deploy and Bootstrap Prisma AIRS AI Runtime Firewall

    Table of Contents

    Manually Deploy and Bootstrap Prisma AIRS AI Runtime Firewall

    Manually Deploy and bootstrap Prisma AIRS AI Runtime Firewall for public and private clouds.
    Where Can I Use This?What Do I Need?
    • Manual Bootstrapping for Prisma AIRS AI Runtime Firewall
    This page covers the configurations to manually deploy and bootstrap Prisma AIRS AI Runtime Firewall in public and private clouds.
    Download the firewall image from your cloud marketplace, configure bootstrap parameters, and deploy the firewall with the Terraform module. After deployment, you can manage the firewall using either Strata Cloud Manager or Panorama to push security policy rules and configurations to the firewall.
    1. Log in to your cloud Marketplace, such as AWS, Azure, and GCP.
    2. Search for AI Runtime Security.
    3. Select Launch or Get it Now as per your marketplace terminology and follow the configurations.
    4. Choose a Bootstrap Method:
      • init-cfg.txt(applicable for public and private clouds).
      • User data (applicable only for public cloud).
      • AWS secret manager (applicable only for AWS cloud).
    5. Download the Terraform module for your cloud architecture.

    Bootstrapping Parameters for init-cfg.txt File

    The sample init-cfg.txt file contains the parameters to bootstrap the Prisma AIRS AI Runtime Firewall; you can use an ISO image or a block storage device on private clouds, or create a bootstrap package within your public cloud storage.
    init-cfg.txt for Strata Cloud Manager-managed Firewallinit-cfg.txt for Panorama-managed Firewall
     
    type=dhcp-client // Use static or dhcp-client
dhcp-accept-server-domain=yes // Required when type=dhcp-client
dhcp-accept-server-hostname=yes // Required when type=dhcp-client
dhcp-send-client-id=yes // Required when type=dhcp-client
dhcp-send-hostname=yes // Required when type=dhcp-client
dgname=host_1_directory
plugin-op-commands=advance-routing:enable
panorama-server=cloud
mgmt-interface-swap=enable (optional, if the firewall is behind a LB) // applicable only for public cloud
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
vm-series-auto-registration-pin-id="9ae5bb4a-d67f-41d9-8295-15b77e90c2c1" //Device Certificate PIN ID.
vm-series-auto-registration-pin-value="f9ef920f8f5845dab3a2b285bedd23ea" //Device Certificate PIN value

    type=static // Use static or dhcp-client
ip-address=10.x.x.19 // Required when type=static
default-gateway=10.x.x.1 // Required when type=static
netmask=255.255.255.0 // Required when type=static
dgname=finance_dg*
vm-auth-key=7550362253*****
plugin-op-commands=advance-routing:enable
panorama-server=10.x.x.20*
panorama-server-2=10.x.x.21*
mgmt-interface-swap=enable (optional, if the firewall is behind a LB) // applicable only for public cloud
tplname=FINANCE_TG4*
// Enter your dns primary and secondary IP addresses
dns-primary=<a1.b1.c1.d1>10.5.6.6
dns-secondary=<a2.b2.c2.d2>
vm-series-auto-registration-pin-id ="9ae5bb4a-d67f-41d9-8295-15b77e90c2c1" //Device Certificate PIN ID.
vm-series-auto-registration-pin-value="f9ef920f8f5845dab3a2b285bedd23ea" //Device Certificate PIN value

    Routing Configuration

    Prisma AIRS AI Runtime Firewall supports different routing configurations based on the management platform. For example, Strata Cloud Manager supports advanced routing with only the Logical Router (LR) for advanced routing in cloud-native environments.
    While, Panorama supports Logical Router (LR) and Virtual Router (VR) for various deployment scenarios; including on-premises and hybrid environments. In existing Panorama deployments, the routing option (LR or VR) depends on the chosen folder configuration:
    • For LR configuration in Strata Cloud Manager and Panorama: set plugin-op-commands= advance-routing:enable
    • For VR configuration in Panorama: no specific parameter needed (default option).
    This section outlines manual deployment steps. For automated deployments using the Terraform template from Strata Cloud Manager, advanced routing is enabled by default, and Logical Router (LR) is the default option when using Panorama for routing configuration.

    Configure Labels in Your Cloud Environment for Manual Deployments

    When deploying the firewall manually, ensure you have the following labels (key-value pairs) in your Terraform template.
    The deployment Terraform you generate from Strata Cloud Manager, automatically adds the required labels to organize your Prisma AIRS AI Runtime Firewall.
    • Add the following labels (key-value pairs) under Tags in the Terraform template file under your downloaded path `<azure|aws-deployment-terraform-path>/architecture/security_project/terraform.tfvars`. The value of these keys must be unique.
    • For GCP: `paloaltonetworks_com-trust` and `paloaltonetworks_com-occupied`.
    • For Azure and AWS: `paloaltonetworks.com-trust` and `paloaltonetworks.com-occupied`.
    • Ensure the network interface name in the security_project Terraform is suffixed by `-trust-vpc`.

    © 2026 Palo Alto Networks, Inc. All rights reserved.