Manually Deploy and Bootstrap AI Runtime Security: Network Intercept
Manually deploy and bootstrap AI Runtime Security: Network Intercept for public and private clouds.
This page covers the configuration needed to manually deploy and bootstrap AI Runtime Security: Network Intercept in public and private clouds.
Download the firewall image from your cloud marketplace, configure the bootstrap parameters, and deploy the firewall. After deployment, you can manage the firewall with either Strata Cloud Manager or Panorama to push security policy rules and configuration to it.
Manual Bootstrapping for AI Runtime Security: Network Intercept

  1. Launch the AI Runtime Security: Network Intercept image from your cloud marketplace.
  2. Choose a bootstrap method:
    • init-cfg.txt (applicable for public and private clouds).
    • User data (applicable only for public cloud).
    • AWS Secrets Manager (applicable only for public cloud).

Bootstrapping Parameters for init-cfg.txt File

The sample init-cfg.txt file contains the parameters that bootstrap the AI Runtime Security: Network Intercept (AI firewall). On private clouds you can deliver it as an ISO image or on a block storage device; on public clouds you create a bootstrap package within your cloud storage.

init-cfg.txt for a Strata Cloud Manager-managed firewall:

```text
type=dhcp-client                                   // Use static or dhcp-client
dhcp-accept-server-domain=yes                      // Required when type=dhcp-client
dhcp-accept-server-hostname=yes                    // Required when type=dhcp-client
dhcp-send-client-id=yes                            // Required when type=dhcp-client
dhcp-send-hostname=yes                             // Required when type=dhcp-client
dgname=host_1_directory
plugin-op-commands=advance-routing:enable
panorama-server=cloud
mgmt-interface-swap=enable                         // Optional, if the firewall is behind a load balancer; applicable only for public cloud
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
vm-series-auto-registration-pin-id="9ae5bb4a-d67f-41d9-8295-15b77e90c2c1"    // Device Certificate PIN ID
vm-series-auto-registration-pin-value="f9ef920f8f5845dab3a2b285bedd23ea"     // Device Certificate PIN value
```

init-cfg.txt for a Panorama-managed firewall:

```text
type=static                                        // Use static or dhcp-client
ip-address=10.x.x.19                               // Required when type=static
default-gateway=10.x.x.1                           // Required when type=static
netmask=255.255.255.0                              // Required when type=static
dgname=finance_dg*
vm-auth-key=7550362253*****
plugin-op-commands=advance-routing:enable
panorama-server=10.x.x.20*
panorama-server-2=10.x.x.21*
mgmt-interface-swap=enable                         // Optional, if the firewall is behind a load balancer; applicable only for public cloud
tplname=FINANCE_TG4*
// Enter your DNS primary and secondary IP addresses
dns-primary=<a1.b1.c1.d1>                          // e.g. 10.5.6.6
dns-secondary=<a2.b2.c2.d2>
vm-series-auto-registration-pin-id="9ae5bb4a-d67f-41d9-8295-15b77e90c2c1"    // Device Certificate PIN ID
vm-series-auto-registration-pin-value="f9ef920f8f5845dab3a2b285bedd23ea"     // Device Certificate PIN value
```

Routing Configuration

AI Runtime Security supports different routing configurations depending on the management platform. Strata Cloud Manager supports only advanced routing with a Logical Router (LR), for cloud-native environments.
Panorama supports both Logical Router (LR) and Virtual Router (VR) for various deployment scenarios, including on-premises and hybrid environments. In existing Panorama deployments, the routing option (LR or VR) depends on the chosen folder configuration:
  • For LR configuration in Strata Cloud Manager and Panorama: set plugin-op-commands=advance-routing:enable
  • For VR configuration in Panorama: no specific parameter is needed (default option).
This section outlines the manual deployment steps. For automated deployments using the Terraform template from Strata Cloud Manager, advanced routing is enabled by default, and Logical Router (LR) is also the default option when Panorama manages the routing configuration.
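The init-cfg.txt samples above and the routing parameter just described impose a handful of dependencies between bootstrap keys (the four dhcp-* keys when type=dhcp-client, the three address keys when type=static, advance-routing:enable for a Strata Cloud Manager-managed firewall, mgmt-interface-swap only on public cloud, and the device certificate PIN pair). The following pre-flight checker is an added example, not Palo Alto Networks code; it encodes only those page-stated rules, treats the absence of vm-auth-key in a Panorama-managed file as an error (an assumption based on the Panorama sample), and tolerates the `//` annotations used in the samples.

```python
"""Pre-flight check for an AI Runtime Security init-cfg.txt bootstrap file.

Added example, not Palo Alto Networks code: it encodes only the parameter
dependencies stated on this page so a bad file fails before packaging."""

REQUIRED_DHCP = ("dhcp-accept-server-domain", "dhcp-accept-server-hostname",
                 "dhcp-send-client-id", "dhcp-send-hostname")   # must be "yes"
REQUIRED_STATIC = ("ip-address", "default-gateway", "netmask")
PUBLIC_CLOUD_ONLY = ("mgmt-interface-swap",)
PIN_KEYS = ("vm-series-auto-registration-pin-id",
            "vm-series-auto-registration-pin-value")


def parse_init_cfg(text):
    """Parse key=value lines, dropping blanks, '#' comments and '//' annotations."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed init-cfg line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        params[key] = value.strip('"')
    return params


def validate_init_cfg(params, public_cloud=True):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    mgmt_type = params.get("type")
    if mgmt_type == "dhcp-client":
        missing = [k for k in REQUIRED_DHCP if params.get(k) != "yes"]
    elif mgmt_type == "static":
        missing = [k for k in REQUIRED_STATIC if k not in params]
    else:
        missing, problems = [], ["type must be static or dhcp-client"]
    problems += [f"{k} required when type={mgmt_type}" for k in missing]
    if params.get("panorama-server") == "cloud":          # Strata Cloud Manager
        if params.get("plugin-op-commands") != "advance-routing:enable":
            problems.append("Strata Cloud Manager supports only LR: set "
                            "plugin-op-commands=advance-routing:enable")
    elif "vm-auth-key" not in params:                      # Panorama-managed (assumed required)
        problems.append("Panorama-managed firewall is missing vm-auth-key")
    if not public_cloud:
        problems += [f"{k} is applicable only for public cloud"
                     for k in PUBLIC_CLOUD_ONLY if k in params]
    problems += [f"{k} (device certificate PIN) is missing"
                 for k in PIN_KEYS if not params.get(k)]
    return problems
```

Pass public_cloud=False when the file is destined for an ISO or block-storage bootstrap so that public-cloud-only keys are flagged.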

Configure Labels in Your Cloud Environment for Manual Deployments

When deploying the firewall manually, ensure that the following labels (key-value pairs) are present in your Terraform template.
The deployment Terraform you generate from Strata Cloud Manager automatically adds the required labels that organize your AI Runtime Security: Network Intercept.
  • Add the following labels (key-value pairs) under Tags in the Terraform template file at `<azure|aws-deployment-terraform-path>/architecture/security_project/terraform.tfvars`. The value of each key must be unique.
    • For GCP: `paloaltonetworks_com-trust` and `paloaltonetworks_com-occupied`.
    • For Azure and AWS: `paloaltonetworks.com-trust` and `paloaltonetworks.com-occupied`.
  • Ensure the network interface name in the security_project Terraform is suffixed with `-trust-vpc`.