
Bootstrap the VM-Series Firewall on AWS


  1. Prepare an S3 bucket, and an IAM role to enable read access.
    To bootstrap using a file, you must be familiar with AWS S3 and with the IAM permissions required to complete this process. For detailed instructions on creating a policy, refer to the AWS documentation on Creating Customer Managed Policies.
    The management interface of the VM-Series firewall must be able to reach the S3 bucket for bootstrapping to complete. You can either assign a public IP address or an elastic IP address to the management interface so that the S3 bucket can be reached over the Internet, or create an AWS VPC endpoint in the same region as the S3 bucket if you prefer a private connection between your VPC and the S3 bucket and do not want to enable Internet access on the firewall management interface. For more information, refer to the AWS documentation on setting up VPC endpoints.
    If the PA-VM is deployed in a non-default region such as Asia Pacific (Hong Kong) or Africa (Cape Town), bootstrapping works only if you use an S3 bucket local to that region. This is in line with the default AWS behavior for those regions, which restricts interaction with AWS resources in other regions.
    1. Create an IAM role with an inline policy that grants read access to the S3 bucket [ListBucket, GetObject]. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, and defining which API actions and resources the application can use after assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2. When launching the VM-Series firewall, you must attach this role so that the firewall can access the S3 bucket and the objects in it; otherwise bootstrapping fails.
    2. On the AWS console, create an Amazon Simple Storage Service (S3) bucket, or create a subdirectory in an existing S3 bucket.
      The S3 bucket in the following example, vmseries-aws-bucket, is at the All Buckets root folder level. The policy grants only the two actions the firewall needs: listing the bucket and reading its objects.
      {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": ["s3:ListBucket"],
                  "Resource": ["arn:aws:s3:::<bucketname>"]
              },
              {
                  "Effect": "Allow",
                  "Action": ["s3:GetObject"],
                  "Resource": ["arn:aws:s3:::<bucketname>/*"]
              }
          ]
      }
    3. Create the folders within the S3 bucket as described in Prepare the Bootstrap Package.
      • Create the structure directly in your S3 bucket.
      • (Optional) Add content within each folder. You can leave a folder empty, but you must have all of the \config, \content, \license, and \software folders. The \plugins folder is optional.
      If you have enabled logging in Amazon S3, a Logs folder is created automatically in the S3 bucket. The Logs folder helps troubleshoot issues with access to the S3 bucket.
  2. Launch the VM-Series firewall on AWS. Choose one of the following.
    • init-cfg.txt — If you are using a file to configure the firewall, attach the IAM role you created in Step 2.1, expand the Advanced Details section, and in the User Data field specify the path to an S3 bucket, directory, or subdirectory. For example:
      vmseries-bootstrap-aws-s3bucket=<bucketname>
      or
      vmseries-bootstrap-aws-s3bucket=<bucketname/directoryname>
    • User Data — If you are using user data to configure the firewall, expand the Advanced Details section and in the User Data field enter the initial bootstrap parameters as described in Enter a Basic Configuration as User Data (Public Clouds).
    • AWS Secrets Manager — If you stored your basic configuration as described in Save a Basic Configuration in the AWS Secrets Manager, expand the Advanced Details section, in the User Data field choose As text, and enter the secret name as a key-value pair. For example:
    Select Review and Launch. For more details, see Launch the VM-Series firewall on AWS.
  3. Verify Bootstrap Completion. Select the firewall instance on the AWS Management console and choose Actions > Instance Settings > Get Instance Screenshot.
    • The screenshot shows bootstrapping in progress. A successful bootstrap is shown below:
    • If you are using an S3 bucket and the S3 bucket does not have the correct permissions, or you do not have all four folders in the S3 bucket, you see the following error message:
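The following Python helper is an added example, not part of the Palo Alto Networks documentation or product. It generates the read-only IAM policy and User Data string from Steps 1 and 2 for a given bucket, and checks an S3 key listing (here a constructed sample, not a live bucket) for the four required folders so the missing-folder failure from Step 3 can be caught before launch. The function names and the sample keys are assumptions of this example.

```python
from typing import Iterable, List, Optional

# Folders a bootstrap package must contain; plugins is optional.
REQUIRED_FOLDERS = ("config", "content", "license", "software")
OPTIONAL_FOLDERS = ("plugins",)


def bootstrap_read_policy(bucket: str) -> dict:
    """Policy from the page: ListBucket on the bucket, GetObject on its objects."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"]},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        ],
    }


def user_data_line(bucket: str, directory: Optional[str] = None) -> str:
    """User Data value pointing the firewall at the bucket or a subdirectory."""
    target = f"{bucket}/{directory.strip('/')}" if directory else bucket
    return f"vmseries-bootstrap-aws-s3bucket={target}"


def missing_folders(keys: Iterable[str], directory: Optional[str] = None) -> List[str]:
    """Return required folders absent from an S3 object-key listing.

    A folder counts as present when some key under the optional directory
    prefix starts with '<folder>/' (an empty folder marker is enough).
    """
    prefix = f"{directory.strip('/')}/" if directory else ""
    present = set()
    for key in keys:
        if not key.startswith(prefix):
            continue
        rest = key[len(prefix):]
        if "/" in rest:                      # top-level folder, not a loose object
            present.add(rest.split("/", 1)[0])
    return [f for f in REQUIRED_FOLDERS if f not in present]


# Constructed listing of a bucket that lacks the license folder (hypothetical).
SAMPLE_KEYS = [
    "config/init-cfg.txt", "config/bootstrap.xml", "content/", "software/",
    "Logs/2024-01-01-access.log",   # written by S3 access logging, not part of the package
]

if __name__ == "__main__":
    print(user_data_line("vmseries-aws-bucket"))
    print("missing:", missing_folders(SAMPLE_KEYS))
```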
