You can create a custom VM-Series firewall
image for later use in your Azure deployment. A custom image gives
you the flexibility and consistency to deploy the VM-Series firewall
with the PAN-OS version you want to use instead of being restricted
to using only an image available though the Azure marketplace. Additionally,
your custom image can include the latest content and antivirus updates.
a custom image requires that you remove all private data—user configuration,
users, plugin configuration, etc—before creating the VHD. Additionally,
Complete the following procedure to prepare and create a custom
If the VM-Series firewall used to create your
custom image was deployed using a premium disk type, any VM-Series firewall
deployed using the custom image must be deployed using the same
premium disk type. However, if you create an image using firewall
deployed with a standard disk type, you can deploy the firewall
using a standard or premium disk type.
Access the VM-Series firewall command line interface
via SSH using the username and password provided in the Azure Marketplace
Verify that you VM-Series firewall has the correct PAN-OS,
VM-Series plugin, content, and antivirus versions.
show system info
BYOL license only
) Deactivate your license.
Perform a private data reset on the VM-Series firewall.
This command requires the firewall to reboot. You must wait for the
VM-Series firewall to reboot complete before continuing; the reboot
can take five to seven minutes.
request system private-data-reset
Create a new VHD image from the VM-Series instance.
Log in to the Azure CLI.
Verify that you are using the correct subscription.
az account set --subscription <subscription-id>
Execute the following commands to generalize the VM,
allowing it to be imaged for multiple deployments, and create the
az vm deallocate --resource-group <myResourceGroup> --name <myVM>
az vm generalize --resource-group <myResourceGroup> --name <myVM>
Create a new VM-Series firewall from your custom image.
az image create --resource-group <myResourceGroup> --name <myImage> --source <resource-id-of-VM>
After deploying a VM-Series firewall with your custom
image, verify your deployment.
You should log in to the firewall using
the credentials you used previously.
After logging in successfully, verify that your firewall
is running the correct PAN-OS version and has the correct content
and antivirus versions.