To perform bootstrapping, you must be familiar with AWS S3 and IAM permissions required for completing this process. For detailed instructions on creating policy, refer to the AWS documentation on Creating Customer Managed Polices.
The management interface of the VM-Series firewall must be able to access the S3 bucket to complete bootstrapping. You can either assign a public IP address or an elastic IP address to the management interface so that the S3 bucket can be accessed over the Internet. Or, create a AWS VPC endpoint in the same region as the S3 bucket, if you prefer to create a private connection between your VPC and the S3 bucket and do not want to enable internet access on the firewall management interface. For more information refer to the AWS documentation on setting up VPC endpoints.
Bootstrap the firewall in AWS
On the AWS console, create an Amazon Simple Storage Service (S3) bucket at the root-level. The S3 bucket in this example, vmseries-aws-bucket is at the All Buckets root folder level. Bootstrap will fail if you nest the folder because you cannot specify a path to the location of the bootstrap files.
Create an IAM role with inline policy to enable read access to the S3 bucket [ListBucket, GetObject]. For detailed instructions on creating an IAM role, defining which accounts or AWS services can assume the role, defining which API actions and resources the application can use upon assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2. When launching the VM-Series firewall, you must attach this role to enable access to the S3 bucket and the objects included in the bucket for bootstrapping successfully. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": ["arn:aws:s3:::<bucketname>"] }, { "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": ["arn:aws:s3:::<bucketname>/*"] } ] }
Create the folders within the S3 bucket. Create the top-level directory structure for the bootstrap package. Create the structure directly in this S3 bucket.
Add content within each folder. You can leave a folder empty, but you must have all the four folders. If you have enabled logging in Amazon S3, a Logs folder is automatically created in the S3 bucket. The Logs folder helps troubleshoot issues with access to the S3 bucket.
Launch the VM-Series Firewall in AWS. When launching the firewall as an EC2 instance, attach the IAM role you created in Step 2 and in the user data field (Advanced section), specify the following S3 keyvalue: vmseries-bootstrap-aws-s3bucket=<bucketname>
Verify Bootstrap Completion.

Related Documentation