Prepare a USB Flash Drive for Bootstrapping a Firewall
You can use a USB flash drive to bootstrap a physical firewall. However, to do so you must be running a PAN-OS 7.1.0 or later image and Reset the Firewall to Factory Default Settings. For security reasons, you can bootstrap a firewall only when it is in factory default state or has all private data deleted.
- Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment email.
- Register S/Ns of new firewalls on the Customer Support portal.
- Go to support.paloaltonetworks.com, log in, and select.AssetsDevicesRegister New DeviceRegister device using Serial Number or Authorization Code
- Follow the steps to Register the Firewall.
- Activate authorization codes on the Customer Support portal, which creates license keys.
- Go to support.paloaltonetworks.com, log in, and select theon the left-hand navigation pane.AssetsDevices
- For each device S/N you just registered, click theActionlink (the pencil icon).
- Under Activate Licenses, selectActivate Auth-Code.
- Enter theAuthorization codeand clickAgreeandSubmit.
- Add the S/Ns in Panorama.
- Create the init-cfg.txt file.Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The fields are described in Sample init-cfg.txt Files.If the init-cfg.txt file is missing, the bootstrap process will fail and the firewall will boot up with the default configuration in the normal boot-up sequence.There are no spaces between the key and value in each field; do not add spaces because they cause failures during parsing on the management server side.You can have multiple init-cfg.txt files—one each for different remote sites—by prepending the S/N to the file name. For example:0008C200105-init-cfg.txt0008C200107-init-cfg.txtIf no prepended filename is present, the firewall uses the init-cfg.txt file and proceeds with bootstrapping.
- (Optional) Create the bootstrap.xml file.The optional bootstrap.xml file is a complete firewall configuration that you can export from an existing production firewall.
- Select.DeviceSetupOperationsExport named configuration snapshot
- Select theNameof the saved or the running configuration.
- Rename the file asbootstrap.xml.
- Create and download the bootstrap bundle from the Customer Support portal.For a physical firewall, the bootstrap bundle requires only the /license and /config directories.Use one of the following methods to create and download the bootstrap bundle:
- UseMethod 1to create a bootstrap bundle specific to a remote site (you have only one init-cfg.txt file).
- UseMethod 2to create one bootstrap bundle for multiple sites.
Method 2Create a tar.gz file on your local system with two top-level directories: /license and /config. Include all licenses and all init-cfg.txt files with S/Ns prepended to the filenames.The license key files you download from the Customer Support portal have the S/N in the license file name. PAN-OS checks the S/N in the file name against the firewall S/N while executing the bootstrap process.
- On your local system, go to support.paloaltonetworks.com and log in.
- Select the S/N of the firewall you want to bootstrap.
- SelectBootstrap Container.
- Upload andOpenthe init-cfg.txt file you created.
- (Optional) Select the bootstrap.xml file you created andUpload Files.You must use a bootstrap.xml file from a firewall of the same model and PAN-OS version.
- SelectBootstrap Container Downloadto download a tar.gz file namedbootstrap_<S/N>_<date>.tar.gzto your local system. This bootstrap container includes the license keys associated with the S/N of the firewall.
- Import the tar.gz file you created to a firewall (that is running a PAN-OS 7.1 or later image) using Secure Copy (SCP) or TFTP.Access the CLI and enter one of the following commands:
- tftp import bootstrap-bundle file <path and filename> from <host IP address>For example:tftp import bootstrap-bundle file /home/userx/bootstrap/devices/pa5000.tar.gz from 10.1.2.3
- scp import bootstrap-bundle from <<user>@<host>:<path to file>>For example:scp import bootstrap-bundle from email@example.com:/home/userx/bootstrap/devices/pa200_bootstrap_bundle.tar.gz
- Prepare the USB flash drive.
- Insert the USB flash drive into the firewall that you used in the prior step.
- Enter the following CLI operational command, using your tar.gz filename in place of “pa5000.tar.gz”. This command formats the USB flash drive, unzips the file, and validates the USB flash drive:request system bootstrap-usb prepare from pa5000.tar.gz
- Pressyto continue. The following message displays when the USB drive is ready:USB prepare completed successfully.
- Remove the USB flash drive from the firewall.
- You can prepare as many USB flash drives as needed.
- Deliver the USB flash drive to your remote site.If you usedMethod 2to create the bootstrap bundle, you can use the same USB flash drive content for bootstrapping firewalls at multiple remote sites. You can translate the content into multiple USB flash drives or a single USB flash drive used multiple times.
Recommended For You
Recommended videos not found.