Manually Deploy and Bootstrap Prisma AIRS AI Runtime: Network Intercept

Manually Deploy and bootstrap Prisma AIRS AI Runtime: Network intercept for public and private clouds.
This page covers the configurations to manually deploy and bootstrap Prisma AIRS AI Runtime: Network intercept in public and private clouds.
Download the firewall image from your cloud marketplace, configure bootstrap parameters, and deploy the firewall with the Terraform module. After deployment, you can manage the firewall using either Strata Cloud Manager or Panorama to push security policy rules and configurations to the firewall.
  1. Log in to your cloud marketplace, such as AWS, Azure, or GCP.
  2. Search for AI Runtime Security.
  3. Select Launch or Get it Now (depending on your marketplace's terminology) and complete the configuration steps.
  4. Choose a Bootstrap Method:
    • init-cfg.txt (applicable for public and private clouds).
    • User data (applicable only for public clouds).
    • AWS Secrets Manager (applicable only for AWS).
  5. Download the Terraform module for your cloud architecture.

Bootstrapping Parameters for init-cfg.txt File

The sample init-cfg.txt file contains the parameters to bootstrap Prisma AIRS AI Runtime: Network intercept. On private clouds, deliver it on an ISO image or a block storage device; on public clouds, create a bootstrap package in your cloud storage.

init-cfg.txt for Strata Cloud Manager-managed Firewall

```
type=dhcp-client // Use static or dhcp-client
dhcp-accept-server-domain=yes // Required when type=dhcp-client
dhcp-accept-server-hostname=yes // Required when type=dhcp-client
dhcp-send-client-id=yes // Required when type=dhcp-client
dhcp-send-hostname=yes // Required when type=dhcp-client
dgname=host_1_directory
plugin-op-commands=advance-routing:enable
panorama-server=cloud
mgmt-interface-swap=enable // Optional, if the firewall is behind a load balancer; applicable only for public cloud
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
vm-series-auto-registration-pin-id="9ae5bb4a-d67f-41d9-8295-15b77e90c2c1" // Device Certificate PIN ID
vm-series-auto-registration-pin-value="f9ef920f8f5845dab3a2b285bedd23ea" // Device Certificate PIN value
```

init-cfg.txt for Panorama-managed Firewall

```
type=static // Use static or dhcp-client
ip-address=10.x.x.19 // Required when type=static
default-gateway=10.x.x.1 // Required when type=static
netmask=255.255.255.0 // Required when type=static
dgname=finance_dg*
vm-auth-key=7550362253*****
plugin-op-commands=advance-routing:enable
panorama-server=10.x.x.20*
panorama-server-2=10.x.x.21*
mgmt-interface-swap=enable // Optional, if the firewall is behind a load balancer; applicable only for public cloud
tplname=FINANCE_TG4*
// Enter your DNS primary and secondary IP addresses
dns-primary=<a1.b1.c1.d1> // for example, 10.5.6.6
dns-secondary=<a2.b2.c2.d2>
vm-series-auto-registration-pin-id="9ae5bb4a-d67f-41d9-8295-15b77e90c2c1" // Device Certificate PIN ID
vm-series-auto-registration-pin-value="f9ef920f8f5845dab3a2b285bedd23ea" // Device Certificate PIN value
```
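A small pre-flight check for a bootstrap package, added here as an example and not Palo Alto Networks code: it parses an init-cfg.txt in the layout of the samples above, enforces the conditional requirements this page states (the dhcp-* keys with type=dhcp-client, the address keys with type=static, panorama-server, the device certificate PIN, mgmt-interface-swap only on public clouds) and flags values such as `10.x.x.19` or `<a1.b1.c1.d1>` that were never filled in. The `//` annotation handling and the placeholder patterns are assumptions taken from the samples on this page.

```python
import re

# Added example, not Palo Alto Networks code: lints an init-cfg.txt against the rules on this page.
PLACEHOLDER = re.compile(r"<[^>]*>|\.x\.|\*")  # e.g. <a1.b1.c1.d1>, 10.x.x.19, trailing * markers
DHCP_REQUIRED = ("dhcp-accept-server-domain", "dhcp-accept-server-hostname",
                 "dhcp-send-client-id", "dhcp-send-hostname")
STATIC_REQUIRED = ("ip-address", "default-gateway", "netmask")
PIN_KEYS = ("vm-series-auto-registration-pin-id", "vm-series-auto-registration-pin-value")

def parse_init_cfg(text):
    """Return {key: value}, dropping the '//' annotations used in the samples and any quotes."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            cfg[key] = value.strip('"')
    return cfg

def lint_init_cfg(text, public_cloud=True):
    """Return the list of problems found; an empty list means the file passes these checks."""
    cfg = parse_init_cfg(text)
    problems = []
    if cfg.get("type") == "dhcp-client":
        problems += [f"{k}=yes is required when type=dhcp-client" for k in DHCP_REQUIRED if cfg.get(k) != "yes"]
    elif cfg.get("type") == "static":
        problems += [f"{k} is required when type=static" for k in STATIC_REQUIRED if k not in cfg]
    else:
        problems.append("type must be static or dhcp-client")
    if "panorama-server" not in cfg:
        problems.append("panorama-server is required (cloud for Strata Cloud Manager, else a Panorama IP)")
    if cfg.get("mgmt-interface-swap") == "enable" and not public_cloud:
        problems.append("mgmt-interface-swap applies only to public clouds")
    problems += [f"{k} is missing (device certificate PIN)" for k in PIN_KEYS if not cfg.get(k)]
    problems += [f"{k} still holds a placeholder or marker: {v}" for k, v in cfg.items() if PLACEHOLDER.search(v)]
    return problems

# Constructed input modelled on the Strata Cloud Manager sample above (PIN values are the page's samples).
SAMPLE_SCM = """\
type=dhcp-client
dhcp-accept-server-domain=yes
dhcp-accept-server-hostname=yes
dhcp-send-client-id=yes
dhcp-send-hostname=yes
plugin-op-commands=advance-routing:enable
panorama-server=cloud
vm-series-auto-registration-pin-id="9ae5bb4a-d67f-41d9-8295-15b77e90c2c1" // Device Certificate PIN ID
vm-series-auto-registration-pin-value="f9ef920f8f5845dab3a2b285bedd23ea" // Device Certificate PIN value
"""
```

Run `lint_init_cfg` over the file before you build the ISO, block device or cloud-storage package; the Panorama sample above, copied verbatim, is reported for its unfilled `10.x.x.*` addresses and DNS placeholders.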

Routing Configuration

Prisma AIRS AI Runtime: Network intercept supports different routing configurations depending on the management platform. Strata Cloud Manager supports advanced routing only with the Logical Router (LR), which suits cloud-native environments.
Panorama supports both the Logical Router (LR) and the Virtual Router (VR) for a wider range of deployment scenarios, including on-premises and hybrid environments. In existing Panorama deployments, the routing option (LR or VR) depends on the chosen folder configuration:
  • For LR configuration in Strata Cloud Manager and Panorama: set `plugin-op-commands=advance-routing:enable`.
  • For VR configuration in Panorama: no specific parameter needed (default option).
This section outlines the manual deployment steps. For automated deployments that use the Terraform template generated from Strata Cloud Manager, advanced routing is enabled by default, and the Logical Router (LR) is the default routing option when Panorama manages the firewall.

Configure Labels in Your Cloud Environment for Manual Deployments

When deploying the firewall manually, ensure you have the following labels (key-value pairs) in your Terraform template.
The deployment Terraform you generate from Strata Cloud Manager automatically adds the required labels that organize your Prisma AIRS AI Runtime: Network intercept.
  • Add the following labels (key-value pairs) under Tags in the Terraform template file at `<azure|aws-deployment-terraform-path>/architecture/security_project/terraform.tfvars`. The value of each key must be unique.
  • For GCP: `paloaltonetworks_com-trust` and `paloaltonetworks_com-occupied`.
  • For Azure and AWS: `paloaltonetworks.com-trust` and `paloaltonetworks.com-occupied`.
  • Ensure the network interface name in the security_project Terraform is suffixed with `-trust-vpc`.