Prisma AIRS
Manually Deploy and Bootstrap Prisma AIRS AI Runtime: Network Intercept
Manually deploy and bootstrap Prisma AIRS AI Runtime: Network intercept for public and private clouds.
Download the firewall image from your cloud marketplace, configure
bootstrap parameters, and deploy the firewall with the Terraform module. After
deployment, you can manage the firewall using either Strata Cloud Manager or
Panorama to push security policy rules and configurations to the
firewall.
- Log in to your cloud Marketplace, such as AWS, Azure, or GCP.
- Search for AI Runtime Security.
- Select Launch or Get it Now, as per your marketplace terminology, and follow the configuration steps.
- Choose a bootstrap method:
  - init-cfg.txt (applicable for public and private clouds).
  - User data (applicable only for public cloud).
  - AWS Secrets Manager (applicable only for AWS cloud).
- Download the Terraform module for your cloud architecture.

Bootstrapping Parameters for init-cfg.txt File
The sample init-cfg.txt file contains the parameters to bootstrap the Prisma AIRS AI Runtime: Network intercept. On private clouds you can supply it on an ISO image or a block storage device; on public clouds you create a bootstrap package within your cloud storage. The `//` annotations below explain each parameter; they are documentation notes, not part of the file itself.

init-cfg.txt for Strata Cloud Manager-managed Firewall

```
type=dhcp-client // Use static or dhcp-client
dhcp-accept-server-domain=yes // Required when type=dhcp-client
dhcp-accept-server-hostname=yes // Required when type=dhcp-client
dhcp-send-client-id=yes // Required when type=dhcp-client
dhcp-send-hostname=yes // Required when type=dhcp-client
dgname=host_1_directory
plugin-op-commands=advance-routing:enable
panorama-server=cloud
mgmt-interface-swap=enable (optional, if the firewall is behind a LB) // applicable only for public cloud
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
vm-series-auto-registration-pin-id="9ae5bb4a-d67f-41d9-8295-15b77e90c2c1" // Device Certificate PIN ID
vm-series-auto-registration-pin-value="f9ef920f8f5845dab3a2b285bedd23ea" // Device Certificate PIN value
```

init-cfg.txt for Panorama-managed Firewall

```
type=static // Use static or dhcp-client
ip-address=10.x.x.19 // Required when type=static
default-gateway=10.x.x.1 // Required when type=static
netmask=255.255.255.0 // Required when type=static
dgname=finance_dg*
vm-auth-key=7550362253*****
plugin-op-commands=advance-routing:enable
panorama-server=10.x.x.20*
panorama-server-2=10.x.x.21*
mgmt-interface-swap=enable (optional, if the firewall is behind a LB) // applicable only for public cloud
tplname=FINANCE_TG4*
// Enter your DNS primary and secondary IP addresses
dns-primary=<a1.b1.c1.d1> // for example, 10.5.6.6
dns-secondary=<a2.b2.c2.d2>
vm-series-auto-registration-pin-id="9ae5bb4a-d67f-41d9-8295-15b77e90c2c1" // Device Certificate PIN ID
vm-series-auto-registration-pin-value="f9ef920f8f5845dab3a2b285bedd23ea" // Device Certificate PIN value
```

Routing Configuration
Prisma AIRS AI Runtime: Network intercept supports different routing configurations based on the management platform. Strata Cloud Manager supports advanced routing with only the Logical Router (LR) in cloud-native environments, while Panorama supports both the Logical Router (LR) and the Virtual Router (VR) for various deployment scenarios, including on-premises and hybrid environments. In existing Panorama deployments, the routing option (LR or VR) depends on the chosen folder configuration:
- For LR configuration in Strata Cloud Manager and Panorama: set `plugin-op-commands=advance-routing:enable`.
- For VR configuration in Panorama: no specific parameter is needed (default option).
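The two sample files above and the LR/VR rule in the routing list can be checked mechanically before a bootstrap package is built, which catches the usual causes of a firewall that boots but never registers (a `type=static` file without a netmask, a template value such as `10.x.x.20` or `<a1.b1.c1.d1>` left in place, a Panorama address without a `vm-auth-key`). The validator below is an added example, not Palo Alto Networks code; its rules are taken from the conditional notes in the samples, the `//` stripping exists only so the documentation samples can be pasted in unchanged, and the two input files are constructed for this example with placeholder PIN values.

```python
import re

# Keys that become mandatory once `type` takes the given value
# (from the "Required when type=..." notes in the sample files).
REQUIRED_BY_TYPE = {
    "dhcp-client": (
        "dhcp-accept-server-domain",
        "dhcp-accept-server-hostname",
        "dhcp-send-client-id",
        "dhcp-send-hostname",
    ),
    "static": ("ip-address", "default-gateway", "netmask"),
}

# Present in both samples: the management server and the device certificate PIN pair.
ALWAYS_REQUIRED = (
    "panorama-server",
    "vm-series-auto-registration-pin-id",
    "vm-series-auto-registration-pin-value",
)

# Template values that were never filled in: <a1.b1.c1.d1>, 10.x.x.19, finance_dg*.
_PLACEHOLDER = re.compile(r"[<>*]|(^|\.)x(\.|$)")


def parse_init_cfg(text):
    """Parse key=value lines into a dict.

    The documentation samples carry `// ...` annotations and a trailing
    "(optional, ...)" remark; both are stripped here so the samples can be
    fed in unchanged. Surrounding quotes on values are removed.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = re.sub(r"\s*\(.*\)\s*$", "", value.strip())
        cfg[key.strip()] = value.strip('"')
    return cfg


def routing_mode(cfg):
    """LR when plugin-op-commands carries advance-routing:enable, otherwise VR (the default)."""
    ops = [op.strip() for op in cfg.get("plugin-op-commands", "").split(",")]
    return "LR" if "advance-routing:enable" in ops else "VR"


def validate_init_cfg(cfg):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    kind = cfg.get("type")
    if kind not in REQUIRED_BY_TYPE:
        problems.append("type must be 'static' or 'dhcp-client'")
    else:
        problems += [f"{k} is required when type={kind}"
                     for k in REQUIRED_BY_TYPE[kind] if k not in cfg]
    problems += [f"{k} is missing" for k in ALWAYS_REQUIRED if k not in cfg]
    # Strata Cloud Manager uses panorama-server=cloud; a Panorama address
    # pairs with a vm-auth-key, as in the Panorama-managed sample.
    if cfg.get("panorama-server") not in (None, "cloud") and "vm-auth-key" not in cfg:
        problems.append("vm-auth-key is required for a Panorama-managed firewall")
    for key, value in cfg.items():
        if _PLACEHOLDER.search(value):
            problems.append(f"{key} still holds a placeholder value: {value}")
    return problems


# Constructed sample: a filled-in Strata Cloud Manager-managed file. The PIN
# values are placeholders for this example, not real device certificate data.
SAMPLE_SCM = """\
type=dhcp-client
dhcp-accept-server-domain=yes
dhcp-accept-server-hostname=yes
dhcp-send-client-id=yes
dhcp-send-hostname=yes
dgname=host_1_directory
plugin-op-commands=advance-routing:enable
panorama-server=cloud
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
vm-series-auto-registration-pin-id="00000000-0000-0000-0000-000000000000"
vm-series-auto-registration-pin-value="SAMPLE_PIN_VALUE"
"""

# Constructed sample: a Panorama-managed file copied from the template but never finished.
SAMPLE_BROKEN = """\
type=static // Use static or dhcp-client
ip-address=10.0.1.19
default-gateway=10.0.1.1
dgname=finance_dg
panorama-server=10.x.x.20
vm-series-auto-registration-pin-id="00000000-0000-0000-0000-000000000000"
vm-series-auto-registration-pin-value="SAMPLE_PIN_VALUE"
"""

if __name__ == "__main__":
    for name, text in (("scm", SAMPLE_SCM), ("broken", SAMPLE_BROKEN)):
        cfg = parse_init_cfg(text)
        print(name, routing_mode(cfg), validate_init_cfg(cfg) or "OK")
```

Run it against a file before it is packed into the ISO, block device or cloud-storage bootstrap bucket; the second sample reports the missing netmask, the missing `vm-auth-key` and the `10.x.x.20` placeholder, and resolves to VR because `plugin-op-commands` is absent. The PIN value is a registration credential, so keep the real file out of version control and generate it at package-build time.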
This section outlines manual deployment steps. For automated deployments using the Terraform template from Strata Cloud Manager, advanced routing is enabled by default, and Logical Router (LR) is the default option when using Panorama for routing configuration.

Configure Labels in Your Cloud Environment for Manual Deployments
When deploying the firewall manually, ensure you have the following labels (key-value pairs) in your Terraform template. The deployment Terraform you generate from Strata Cloud Manager automatically adds the required labels to organize your Prisma AIRS AI Runtime: Network intercept.
- Add the following labels (key-value pairs) under Tags in the Terraform template file under your downloaded path `<azure|aws-deployment-terraform-path>/architecture/security_project/terraform.tfvars`. The value of these keys must be unique.
  - For GCP: `paloaltonetworks_com-trust` and `paloaltonetworks_com-occupied`.
  - For Azure and AWS: `paloaltonetworks.com-trust` and `paloaltonetworks.com-occupied`.
- Ensure the network interface name in the security_project Terraform is suffixed by `-trust-vpc`.
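Because the tag names differ between GCP (underscore) and AWS/Azure (dot), a file prepared for one cloud silently fails on another. The check below is an added example, not Palo Alto Networks' Terraform: it reads the `tags` map from a tfvars file and verifies the keys listed above for the chosen cloud, that their values are set and distinct, and that the trust interface name carries the `-trust-vpc` suffix. The `tags = { ... }` layout of the tfvars file and the `trust_interface_names` argument are assumptions for this example; the sample tfvars text is constructed.

```python
import re

# Tag keys the page requires per cloud (GCP uses an underscore instead of the dot).
REQUIRED_TAG_KEYS = {
    "gcp": ("paloaltonetworks_com-trust", "paloaltonetworks_com-occupied"),
    "aws": ("paloaltonetworks.com-trust", "paloaltonetworks.com-occupied"),
    "azure": ("paloaltonetworks.com-trust", "paloaltonetworks.com-occupied"),
}
TRUST_SUFFIX = "-trust-vpc"

# Assumed tfvars layout: a top-level `tags = { "key" = "value" ... }` map.
_TAGS_BLOCK = re.compile(r"^\s*tags\s*=\s*\{(.*?)^\s*\}", re.S | re.M)
_TAG_PAIR = re.compile(r'"?([\w.\-]+)"?\s*=\s*"([^"]*)"')


def parse_tags(tfvars_text):
    """Return the tags map from terraform.tfvars as a dict (empty if absent)."""
    match = _TAGS_BLOCK.search(tfvars_text)
    return dict(_TAG_PAIR.findall(match.group(1))) if match else {}


def check_labels(tags, cloud, trust_interface_names):
    """Return a list of problems for the given cloud; empty means the labels pass."""
    problems = []
    required = REQUIRED_TAG_KEYS[cloud]
    for key in required:
        if not tags.get(key):
            problems.append(f"missing or empty tag {key}")
    # "The value of these keys must be unique": at minimum the two values
    # must not collide with each other.
    present = [tags[k] for k in required if tags.get(k)]
    if len(present) != len(set(present)):
        problems.append("trust and occupied tag values must differ")
    for name in trust_interface_names:
        if not name.endswith(TRUST_SUFFIX):
            problems.append(f"interface {name!r} is not suffixed by {TRUST_SUFFIX}")
    return problems


# Constructed sample tfvars fragment for an AWS deployment.
SAMPLE_TFVARS = """
name_prefix = "airs-demo"
tags = {
  "paloaltonetworks.com-trust"    = "airs-demo-trust-01"
  "paloaltonetworks.com-occupied" = "airs-demo-occupied-01"
  "owner"                         = "secops"
}
"""

if __name__ == "__main__":
    tags = parse_tags(SAMPLE_TFVARS)
    print("aws:", check_labels(tags, "aws", ["airs-demo-trust-vpc"]) or "OK")
    # The same file fails for GCP because the key names differ.
    print("gcp:", check_labels(tags, "gcp", ["airs-demo-trust-vpc"]))
```

The same tags pass for AWS and Azure and fail for GCP, which is the point of keeping the per-cloud key table in one place; extend `REQUIRED_TAG_KEYS` rather than the check when a new cloud is added.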