Launch a VM-Series firewall in AWS from the AWS Marketplace using the bootstrap files provided in the GitHub repository, modify the firewall configuration for your production environment and export the configuration to create a new bootstrap.xml file that you can now use for the CFT.
Option 1: Customize the Bootstrap.xml File
To launch the firewall, see Bootstrap the VM-Series Firewall in AWS.
Add an elastic network interface (ENI) and associate an elastic IP address (EIP) with it, so that you can access the web interface on the VM-Series firewall. See Launch the VM-Series Firewall in AWS for details.
Use the EIP address to log in to the firewall web interface with admin as the username and password.
Add a secure password for the admin user account (Device > Local User Database > Users).
(Optional) Configure the firewall for securing your production environment.
Select Policies > NAT to verify that the firewall has the NAT policy rule required for the CFT. The NAT policy rule is included in the bootstrap.xml file and is required to avoid blackholing traffic: it routes traffic to the internal ELB and ensures symmetric return of the traffic from the web servers.
Commit the changes on the firewall.
Generate a new API key for the administrator account. Copy this new key to a new file. You will need to enter this API key when you launch the CFT; the AWS services use the API key to deploy the firewall and to publish metrics for auto scaling.
Export the configuration file and save it as bootstrap.xml (Device > Setup > Operation > Export Named Configuration Snapshot).
Open the bootstrap.xml file with a text editing tool and delete the management interface configuration.
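The last two checks in this procedure, confirming the NAT policy rule is still present in the exported snapshot and deleting the management interface configuration from it, are easy to get wrong by hand in a large XML export. The following script is an added example and is not Palo Alto Networks code; it assumes that the static management settings sit under config/devices/entry/deviceconfig/system as the ip-address, netmask, default-gateway and type elements, and that NAT rules sit under config/devices/entry/vsys/entry/rulebase/nat/rules. The embedded snapshot is a constructed, heavily trimmed stand-in for a real export; run the script against your own exported file and review the diff before using the result as bootstrap.xml.

```python
"""Post-process an exported PAN-OS configuration snapshot into a bootstrap.xml.

Added example, not vendor code. Assumed (not taken from the page):
  - static management settings live at
    ./devices/entry/deviceconfig/system/{ip-address,netmask,default-gateway,type}
  - NAT rules live at ./devices/entry/vsys/entry/rulebase/nat/rules/entry
"""
import sys
import xml.etree.ElementTree as ET

# Constructed, trimmed sample of an exported snapshot (not a real export).
SAMPLE_EXPORT = """<config version="8.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>vm-series-fw</hostname>
          <ip-address>10.0.0.10</ip-address>
          <netmask>255.255.255.0</netmask>
          <default-gateway>10.0.0.1</default-gateway>
          <type><static/></type>
        </system>
      </deviceconfig>
      <vsys>
        <entry name="vsys1">
          <rulebase>
            <nat>
              <rules>
                <entry name="nat-to-internal-elb">
                  <to><member>untrust</member></to>
                  <from><member>untrust</member></from>
                </entry>
              </rules>
            </nat>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

# Elements that make up the static management interface configuration (assumed).
MGMT_ELEMENTS = ("ip-address", "netmask", "default-gateway", "type")
SYSTEM_PATH = "./devices/entry/deviceconfig/system"
NAT_RULE_PATH = "./devices/entry/vsys/entry/rulebase/nat/rules/entry"


def nat_rule_names(xml_text):
    """Return the names of all NAT policy rules in the snapshot."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in root.iterfind(NAT_RULE_PATH)]


def strip_management_config(xml_text):
    """Remove the static management settings; return (new_xml, removed_tags).

    Other children of <system> (hostname, DNS, NTP, ...) are left in place.
    """
    root = ET.fromstring(xml_text)
    removed = []
    for system in root.iterfind(SYSTEM_PATH):
        for tag in MGMT_ELEMENTS:
            for el in system.findall(tag):  # findall returns a list: safe to remove
                system.remove(el)
                removed.append(tag)
    return ET.tostring(root, encoding="unicode"), removed


def has_static_management(xml_text):
    """True if any of the assumed management elements are still present."""
    root = ET.fromstring(xml_text)
    return any(
        system.find(tag) is not None
        for system in root.iterfind(SYSTEM_PATH)
        for tag in MGMT_ELEMENTS
    )


def build_bootstrap(xml_text):
    """Strip management config and refuse to proceed if the NAT rule is missing."""
    if not nat_rule_names(xml_text):
        raise ValueError("no NAT policy rule found; the CFT requires one")
    new_xml, _ = strip_management_config(xml_text)
    return new_xml


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    out = build_bootstrap(src)
    print("NAT rules:", nat_rule_names(out))
    print("static mgmt config present:", has_static_management(out))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as fh:  # e.g. bootstrap.xml
            fh.write(out)
```

Usage: `python strip_mgmt.py exported.xml bootstrap.xml`; without arguments the script runs on the embedded sample. Because the firewall obtains its management address from the bootstrap process, leaving the static settings in place is the common mistake this guards against, and refusing to emit a file without a NAT rule keeps the blackholing condition the page describes from being baked into the template.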