If you want to pass a script to the VM-Series firewall at boot time, you can mount a CD-ROM with an ISO file. The ISO file allows you to define a bootstrap XML file that includes the initial configuration parameters for the management port of the firewall. The VM-Series firewall on first boot checks for the bootstrap-networkconfig.xml file, and uses the values defined in it.
If a single error is encountered in parsing the bootstrap file, the VM-Series firewall will reject all the configuration in this file and boot with default values.
Create a Bootable ISO File
Create the XML file and define it as a virtual machine instance. For a sample file, see Sample XML file for the VM-Series Firewall. In this example, the VM-Series firewall is called PAN_Firewall_DC1. For example:

    user-PowerEdge-R510:~/kvm_script$ sudo vi /etc/libvirt/qemu/PAN_Firewall_DC1.xml
    user-PowerEdge-R510:~/kvm_script$ sudo virsh define /etc/libvirt/qemu/PAN_Firewall_DC1.xml
    Domain PAN_Firewall_DC1_bootstp defined from /etc/libvirt/qemu/PAN_Firewall_DC1.xml
    user-PowerEdge-R510:~/kvm_script$ sudo virsh -q attach-interface PAN_Firewall_DC1_bootstp bridge br1 --model=virtio --persistent
    user-PowerEdge-R510:~/kvm_script$ virsh list --all
     Id    Name                           State
    ---------------------------------------------
     -     PAN_Firewall_DC1_bootstp       shut off
Create the bootstrap XML file. You can define the initial configuration parameters in this file and name it bootstrap-networkconfig. If you do not want to include a parameter, for example panorama-server-secondary, delete the entire line from the file. If you leave the IP address field empty, the file will not be parsed successfully. Use the following example as a template for the bootstrap-networkconfig file. The bootstrap-networkconfig file can include the following parameters only:

    <vm-initcfg>
      <hostname>VM_ABC_Company</hostname>
      <ip-address>10.5.132.162</ip-address>
      <netmask>255.255.254.0</netmask>
      <default-gateway>10.5.132.1</default-gateway>
      <dns-primary>10.44.2.10</dns-primary>
      <dns-secondary>8.8.8.8</dns-secondary>
      <panorama-server-primary>10.5.133.4</panorama-server-primary>
      <panorama-server-secondary>10.5.133.5</panorama-server-secondary>
    </vm-initcfg>
Create the ISO file. In this example, we use mkisofs. Save the ISO file in the images directory (/var/lib/libvirt/images) or the qemu directory (/etc/libvirt/qemu) to ensure that the firewall has read access to the ISO file. For example:

    # mkisofs -J -R -v -V "Bootstrap" -A "Bootstrap" -ldots -l -allow-lowercase -allow-multidot -o <iso-filename> bootstrap-networkconfig.xml
Attach the ISO file to the CD-ROM. For example:

    # virsh -q attach-disk <vm-name> <iso-filename> sdc --type cdrom --mode readonly --persistent
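Because a single parse error makes the firewall reject the whole bootstrap file, it helps to check bootstrap-networkconfig.xml on the KVM host before building the ISO. The following Python check is an added example, not Palo Alto Networks code: it applies the rules stated above (allowed parameters only, no empty fields), while the IPv4 and gateway-in-subnet checks, the function name check_bootstrap and the sample input are assumptions made for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# The only parameters the page allows in bootstrap-networkconfig.xml.
ALLOWED = {"hostname", "ip-address", "netmask", "default-gateway",
           "dns-primary", "dns-secondary",
           "panorama-server-primary", "panorama-server-secondary"}
# Assumption: these are checked as IPv4 literals; other fields only for emptiness.
IPV4_FIELDS = ALLOWED - {"hostname", "panorama-server-primary",
                         "panorama-server-secondary"}

def check_bootstrap(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "vm-initcfg":
        return [f"root element is <{root.tag}>, expected <vm-initcfg>"]
    problems, seen = [], {}
    for el in root:
        value = (el.text or "").strip()
        if el.tag not in ALLOWED:
            problems.append(f"<{el.tag}> is not an allowed parameter")
        elif not value:
            problems.append(f"<{el.tag}> is empty; delete the line instead")
        elif el.tag in IPV4_FIELDS:
            try:
                ipaddress.IPv4Address(value)
            except ValueError:
                problems.append(f"<{el.tag}> is not an IPv4 address: {value!r}")
        seen[el.tag] = value
    # Added sanity check: the gateway should sit in the management subnet.
    if not problems and {"ip-address", "netmask", "default-gateway"} <= seen.keys():
        try:
            net = ipaddress.ip_network(
                f"{seen['ip-address']}/{seen['netmask']}", strict=False)
        except ValueError:
            return [f"<netmask> is not a valid mask: {seen['netmask']!r}"]
        if ipaddress.IPv4Address(seen["default-gateway"]) not in net:
            problems.append(f"<default-gateway> is outside {net}")
    return problems

# Constructed sample: an empty <ip-address> and a parameter the page does not list.
SAMPLE_BAD = ("<vm-initcfg><hostname>VM_ABC_Company</hostname>"
              "<ip-address></ip-address><ntp-server>10.0.0.1</ntp-server></vm-initcfg>")

if __name__ == "__main__":
    for problem in check_bootstrap(SAMPLE_BAD):
        print("REJECT:", problem)
```

Run it against the file before mkisofs and build the ISO only when the returned list is empty.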
Sample XML file for the VM-Series Firewall
<?xml version="1.0"?>
<domain type="kvm">
  <name>PAN_Firewall_DC1</name>
  <memory>4194304</memory>
  <currentMemory>4194304</currentMemory>
  <vcpu placement="static">2</vcpu>
  <os>
    <type arch="x86_64">hvm</type>
    <boot dev="hd"/>
  </os>
  <features>
    <acpi/>
    <apic/>
    <pae/>
  </features>
  <clock offset="utc"/>
  <on_poweroff>destroy</on_poweroff>
  <on_reboot>restart</on_reboot>
  <on_crash>restart</on_crash>
  <devices>
    <emulator>/usr/libexec/qemu-kvm</emulator>
    <disk type="file" device="disk">
      <driver type="qcow2" name="qemu"/>
      <source file="/var/lib/libvirt/images/panos-kvm.qcow2"/>
      <target dev="vda" bus="virtio"/>
    </disk>
    <controller type="usb" index="0"/>
    <controller type="ide" index="0"/>
    <controller type="scsi" index="0"/>
    <serial type="pty">
      <source path="/dev/pts/1"/>
      <target port="0"/>
      <alias name="serial0"/>
    </serial>
    <console type="pty" tty="/dev/pts/1">
      <source path="/dev/pts/1"/>
      <target type="serial" port="0"/>
      <alias name="serial0"/>
    </console>
    <input type="mouse" bus="ps2"/>
    <graphics type="vnc" port="5900" autoport="yes"/>
  </devices>
</domain>
To modify the number of vCPUs assigned on the VM-Series firewall, change the value 2 to 4 or 8 vCPUs in this line of the sample XML file: <vcpu placement="static"> 2 </vcpu>
