Prepare a USB Flash Drive for Bootstrapping a Firewall
You can use a USB flash drive to bootstrap a physical firewall. However, to do so you must be running a PAN-OS 7.1.0 or later image and Reset the Firewall to Factory Default Settings. For security reasons, you can bootstrap a firewall only when it is in factory default state or has all private data deleted.
- Obtain serial numbers (S/Ns) and auth codes for support subscriptions from your order fulfillment email.
- Register S/Ns of new firewalls on the Customer Support
- Go to support.paloaltonetworks.com, log in, and select AssetsDevicesRegister New Device Register device using Serial Number or Authorization Code.
- Follow the steps to Register the Firewall.
- Click Submit.
- Activate authorization codes on the Customer Support
portal, which creates license keys.
- Go to support.paloaltonetworks.com, log in, and select the AssetsDevices on the left-hand navigation pane.
- For each device S/N you just registered, click the Action link (the pencil icon).
- Under Activate Licenses, select Activate Auth-Code.
- Enter the Authorization code and click Agree and Submit.
- Add the S/Ns in Panorama.Complete Step 1 in Add a Firewall as a Managed Device in the Panorama Administrator’s Guide.
the init-cfg.txt file.Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The fields are described in Sample init-cfg.txt Files.If the init-cfg.txt file is missing, the bootstrap process will fail and the firewall will boot up with the default configuration in the normal boot-up sequence.There are no spaces between the key and value in each field; do not add spaces because they cause failures during parsing on the management server side.You can have multiple init-cfg.txt files—one each for different remote sites—by prepending the S/N to the file name. For example:0008C200105-init-cfg.txt0008C200107-init-cfg.txtIf no prepended filename is present, the firewall uses the init-cfg.txt file and proceeds with bootstrapping.
- (Optional) Create the bootstrap.xml file.The optional bootstrap.xml file is a complete firewall configuration that you can export from an existing production firewall.
- Select DeviceSetupOperationsExport named configuration snapshot.
- Select the Name of the saved or the running configuration.
- Click OK.
- Rename the file as bootstrap.xml.
- Create and download the bootstrap bundle from the Customer
Support portal.For a physical firewall, the bootstrap bundle requires only the /license and /config directories.Use one of the following methods to create and download the bootstrap bundle:
- Use Method 1 to create a bootstrap bundle specific to a remote site (you have only one init-cfg.txt file).
- Use Method 2 to create one bootstrap bundle for multiple sites.
Method 2Create a tar.gz file on your local system with two top-level directories: /license and /config. Include all licenses and all init-cfg.txt files with S/Ns prepended to the filenames.The license key files you download from the Customer Support portal have the S/N in the license file name. PAN-OS checks the S/N in the file name against the firewall S/N while executing the bootstrap process.
- On your local system, go to support.paloaltonetworks.com and log in.
- Select Assets.
- Select the S/N of the firewall you want to bootstrap.
- Select Bootstrap Container.
- Click Select.
- Upload and Open the init-cfg.txt file you created.
- (Optional) Select the bootstrap.xml file
you created and Upload Files.You must use a bootstrap.xml file from a firewall of the same model and PAN-OS version.
- Select Bootstrap Container Download to download a tar.gz file named bootstrap_<S/N>_<date>.tar.gz to your local system. This bootstrap container includes the license keys associated with the S/N of the firewall.
the tar.gz file you created to a firewall (that is running a PAN-OS
7.1 or later image) using Secure Copy (SCP) or TFTP.Access the CLI and enter one of the following commands:
- tftp import bootstrap-bundle file <path and filename> from <host IP address>For example:tftp import bootstrap-bundle file /home/userx/bootstrap/devices/pa5000.tar.gz from 10.1.2.3
- scp import bootstrap-bundle from <<user>@<host>:<path to file>>For example:scp import bootstrap-bundle from firstname.lastname@example.org:/home/userx/bootstrap/devices/pa200_bootstrap_bundle.tar.gz
- tftp import bootstrap-bundle file <path and filename> from <host IP address>
- Prepare the USB flash drive.
- Insert the USB flash drive into the firewall that you used in the prior step.
- Enter the following CLI operational command, using
your tar.gz filename in place of “pa5000.tar.gz”.
This command formats the USB flash drive, unzips the file, and validates
the USB flash drive:request system bootstrap-usb prepare from pa5000.tar.gz
- Press y to continue. The following
message displays when the USB drive is ready:USB prepare completed successfully.
- Remove the USB flash drive from the firewall.
- You can prepare as many USB flash drives as needed.
- Deliver the USB flash drive to your remote site.If you used Method 2 to create the bootstrap bundle, you can use the same USB flash drive content for bootstrapping firewalls at multiple remote sites. You can translate the content into multiple USB flash drives or a single USB flash drive used multiple times.
Bootstrap the Firewall
Bootstrap the Firewall Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the network with or without Internet ...
Bootstrap the VM-Series Firewall
Bootstrap the VM-Series Firewall Bootstrapping allows you to create a repeatable and streamlined process of deploying new VM-Series firewalls on your network because it allows ...
Bootstrap a Firewall Using a USB Flash Drive
Bootstrap a Firewall Using a USB Flash Drive After you receive a new Palo Alto Networks firewall and a USB flash drive loaded with bootstrap ...
Bootstrap Errors If you receive an error message during the bootstrapping process, refer to the following table for details. Error message (Severity) Reasons Boot image ...
VM-Series Firewall Bootstrap Workflow
VM-Series Firewall Bootstrap Workflow After you familiarize yourself with the Bootstrap Package and assess whether you will want to fully configure the firewall or use ...
USB Flash Drive Support
USB Flash Drive Support The USB flash drive that bootstraps a hardware-based Palo Alto Networks firewall must support one of the following: File Allocation Table ...
Bootstrap the VM-Series Firewall on Google Cloud Platform
Bootstrap the VM-Series Firewall on Google Cloud Platform To bootstrap you must create a specific file structure in a Google storage bucket. You provide the ...
Bootstrap the VM-Series Firewall on KVM in OpenStack
Bootstrap the VM-Series Firewall on KVM in OpenStack You can bootstrap the KVM edition of the VM-Series firewall in an OpenStack environment with: Red Hat ...
Launch the VM-Series Auto Scaling Template for AWS (v1.2)
Launch the VM-Series Auto Scaling Template for AWS (v1.2) Use the following workflow to deploy all the components in this solution using the vpc-classic-v1.2.template or ...