Whether you are deploying a VM-Series firewall (on-demand deployment) or a hardware-based Palo Alto Networks next-generation firewall (mass rollout to remote sites), the bootstrapping process provides an agile, consistent, and scalable process for setting up a firewall with or without Internet access. PAN-OS support bootstrapping capability on all hardware-based firewalls and on VM-Series firewalls in the private cloud (ESXi, KVM, and Hyper-V) and public cloud (AWS and Azure). Additionally, starting with PAN-OS 7.1.4, PAN-OS supports bootstrapping in KVM in OpenStack.
Bootstrapping speeds up the process of configuring and licensing the firewall and making it operational on the network. This process allows you to choose whether to configure the firewall with only a basic configuration (init-cfg.txt file) so that it can connect to Panorama and obtain the complete configuration or to fully configure the firewall with the basic configuration and the optional bootstrap.xml file. When you include both files in the bootstrap package, the firewall merges the configurations from both of those files and, if any configuration settings overlap between the two, the firewall uses the settings defined in the init-cfg.txt file.
The following table shows the supported external devices and formats required for bootstrapping the firewall.
External Device for Bootstrapping (Bootstrap Package Format) Hardware Firewalls VM-Series Firewalls (Hypervisor Type)
ESXi KVM Hyper-V AWS Azure KVM in OpenStack NSX
CD-ROM (.iso) Yes Yes Yes N/A
Disk (.vhd) Yes
S3 Bucket Yes
USB Flash Drive (tar.gz) Yes
Config-Drive Yes
Use the following high-level workflows to guide you when bootstrapping:
Bootstrap a Hardware-Based Firewall
Bootstrap a Hardware-Based Firewall
Upgrade the Firewall to PAN-OS 7.1 and Reset the Firewall to Factory Default Settings. For security reasons, you can only bootstrap a firewall when it is a factory default state. To bootstrap a hardware-based firewall, you must first upgrade the firewall to PAN-OS 7.1 and perform a factory reset or private data reset on it. When firewalls ship with PAN-OS 7.1 preloaded on it, the bootstrap capability will be available out-of-the-box.
Prepare a USB Flash Drive for Bootstrapping a Firewall.
Bootstrap a Firewall Using a USB Flash Drive.
Verify Bootstrap Completion. For details on bootstrapping the hardware-based firewall, refer to Bootstrap the Firewall.
Bootstrap a VM-Series Firewall
Bootstrap a VM-Series Firewall
For security reasons, you can only bootstrap a firewall when it is in factory default state. If you want to bootstrap a VM-Series firewall that has been previously configured, Reset the Firewall to Factory Default Settings.
Prepare the Bootstrap Package.
Place the bootstrap package in the format required by your hypervisor and bootstrap the VM-Series firewall. ESXi Hyper-V KVM AWS Azure KVM in OpenStack
Verify Bootstrap Completion. For details on bootstrapping the VM-Series firewall, refer to Bootstrap the Firewall.

Related Documentation