>
    Strata Copilot
    Prisma AIRS AI Runtime Firewall for Private Clouds
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma AIRS
    3. Administration
    4. Prisma AIRS AI Runtime Firewall for Private Clouds
    Download PDF
    Prisma AIRS

    Prisma AIRS AI Runtime Firewall for Private Clouds

    Table of Contents

    Prisma AIRS AI Runtime Firewall for Private Clouds

    This page covers the Prisma AIRS AI Runtime Firewall deployment in private clouds.
    Where Can I Use This?What Do I Need?
    • Prisma AIRSAI Runtime Firewall Security in Private Clouds
    This page covers the Prisma AIRS AI Runtime Firewall deployment in private clouds. It's deployed between the applications in private clouds, interacting with large language model (LLM) models on public clouds. Refer to the public models support table to view a list of public clouds we support. Prisma AIRS AI Runtime Firewall is supported on private clouds, such as ESXi, KVM, OpenShift, and Rancher.
    You can manually deploy and bootstrap the Prisma AIRS AI Runtime Firewall in private cloud environments. The firewall can be managed by Strata Cloud Manager or Panorama.
    Strata Cloud Manager supports only Logical Router (LR) configuration, while Panorama supports both LR and Virtual Router (VR) configurations.
    Refer to the Manually Deploy and Bootstrap Prisma AIRS AI Runtime Firewall for details.
    You can manually deploy Prisma AIRS AI Runtime Firewall in one of the following methods:
    Follow the steps below to deploy Prisma AIRS AI Runtime Firewall in private clouds:
    In this section, you will:
    1. Download a private cloud (ESXi or KVM) image for Prisma AIRS Firewall and create a VM.
    2. Deploy and manually bootstrap the firewall in a private cloud (ESXi or KVM) VM server.
    3. Manage and configure the firewall deployed in the private cloud.
    4. Secure with a security policy rule and push configurations from Strata Cloud Manager or Panorama to the firewall deployed in the private cloud.
    5. Generate traffic and verify that the firewall monitors the traffic against the security policy rules.

    Deploy and Bootstrap

    1. Download the Prisma AIRS AI Runtime Firewall base image for the private cloud (ESXi or KVM).
      1. Log in to the Palo Alto Networks Customer Support Portal.
      2. Select Updates → Software Updates.
      3. In the Content type,
      • Search for PAN-OS for AI Runtime Security ESXi Base Images to download the `PA-VM-ESX-11.2.5-h1.aingfw.ova` image.
      • Search for PAN-OS for AI Runtime Security KVM Base Images to download the `PA-VM-KVM-11.2.5-h1.aingfw.qcow2` image.
      The following setup shows how to bring up a Prisma AIRS AI Runtime Firewall image in ESXi. Follow a similar workflow for KVM.
    2. Create a VM in ESXi server with an OVF or OVA file type using the image you downloaded:
      • Enter a name for the VM.
      • Upload the ESXi image (*.ova file) in the OVA image field.
      • Configure the three interfaces - management, client-side, and server-side.
      • Configure the VM with a minimum of 2 CPUs and 4.5 GB of memory.
      • Finish.
    3. Manually Deploy and bootstrap Prisma AIRS AI Runtime Firewall.
      1. On your local client or laptop, or in a public cloud storage bucket, create the following folders:
        content
software
plugins
license
config
      2. Create a file named `auth codes` in the license folder, and paste the VM authcode in it without any leading or trailing spaces or new lines.
        vim license/authcodes // Paste your auth code in this file.
      3. Create the init-cfg.txt file in the config folder to save the bootstrapping parameters. (Refer to Manually Deploy and Bootstrap Prisma AIRS AI Runtime Firewall for details).
        vim config/init-cfg.txt

type=static
ip-address=10.3.254.85 //
default-gateway=10.3.254.1
netmask=255.255.255.0
hostname=demo-esxi
panorama-server=cloud // For Strata Cloud managed firewall
panorama-server=10.x.x.20* // Panorama server 1 IP address, for Panorama managed firewall only
panorama-server-2=10.x.x.21* // Panorama server 1 IP address, for Panorama managed firewall only
plugin-op-commands=advance-routing:enable // For both Strata Cloud Manager and Panorama
dgname=esxi-demo
dns-primary=8.8.8.8
dns-secondary=10.55.66.11
vm-series-auto-registration-pin-id=9f72117c-e9b3-4f43-b4c2-9ab0f259e249
vm-series-auto-registration-pin-value=cb4cc73d1b6c4568b1ca1f2a3bb88ee2
      4. Create an ISO image and boot up the private cloud VM from this `ISO` image. This automatically bootstraps the parameters you provided.
    4. Manage Prisma AIRS AI Runtime Firewall deployed in private clouds. See here to configure interfaces, zones, security policy rules, and routers in private cloud. Refer to the configurations for the firewalls managed by Strata Cloud Manager or managed by Panorama.

    Verify Bootstrap Completion

    1. Private Cloud: Connect to your private cloud VM (ESXi or KVM) and run the following command to view the bootstrapped parameters:
      $show system info

# Review the output for the following key values:

ip-address: <ip-address> // IP address of the AI firewall deployed in private cloud
model: AI-Runtime-Security
serial: xxxxxxxx <note this serial number>
vm-license: AI-RUNTIME-SECURITY-2
software-version: 11.2.5-h1
vm-mode: VMWare ESXi  // vm-mode: KVM for KVM cloud
vm-cpuid: AIESX:F1060400FFFB8B1F (only for ESXi)
vm-cpuid: AIKVM:<number>
cloud-mode: non-cloud // For private cloud
advanced-routing: on
device-certificate-status: Valid

// Confirm the success status of the bootstrap phases
show system bootstrap status

// Look for `commitAll` jobs indicating the configurations are being forwarded to the firewall in the ESXi server
show jobs All
    2. Strata Cloud Manager: Verify that the firewall device with the above serial number shows as Connected and is In Sync under System Settings Device Management.

    Monitor and Secure Traffic in Private Clouds

    1. Create an AI security policy rule and attach an AI security profile for the Prisma AIRS Firewall managed by Strata Cloud Manager or Panorama.
    2. Push the security configuration to the Prisma AIRS AI Runtime Firewall to monitor the traffic against these rules.
      Refer to the security push configuration steps for Panorama and Strata Cloud Manager
    3. Generate traffic between your server and the ESXi server secured by Prisma AIRS AI Runtime Firewall.
      See the system session details to see the security policy you created earlier being enforced on the traffic and the interfaces.
    4. Investigate the log viewer for threat logs and AI Security logs in Strata Cloud Manager or Panorama.

    © 2026 Palo Alto Networks, Inc. All rights reserved.