Bootstrap Package

The bootstrap process is initiated only on first boot when the firewall is in a factory default state. When you attach the virtual disk, virtual CD-ROM, or AWS S3 bucket to the firewall, the firewall scans for a bootstrap package and, if one exists, the firewall uses the settings defined in the bootstrap package. If you have included a Panorama server IP address in the file, the firewall connects with Panorama. If the firewall has Internet connectivity, it contacts the licensing server to update the UUID and obtain the license keys and subscriptions. The firewall is then added as an asset in the Palo Alto Networks Support Portal. If the firewall does not have Internet connectivity, it either uses the license keys you included in the bootstrap package or it connects to Panorama, which retrieves the appropriate licenses and deploys them to the managed firewalls.
The bootstrap package that you create must include the following four folders, even if empty:
  • /config folder—Contains the configuration files. The folder can hold two files: init-cfg.txt and the bootstrap.xml. For details see Bootstrap Configuration Files.
    If you intend to pre-register VM-Series firewalls with Panorama with bootstrapping, you must generate a VM auth key on Panorama and include the generated key in the init-cfg file. See Generate the VM Auth Key on Panorama.
  • /license folder—Contains the license keys or auth codes for the licenses and subscriptions that you intend to activate on the firewalls. If the firewall does not have Internet connectivity, you must either manually obtain the license keys from the Palo Alto Networks Support portal or use the Licensing API to obtain the keys and then save each key in this folder. For details, see Prepare the Licenses for Bootstrapping.
    You must include an auth code bundle instead of individual auth codes so that the firewall or orchestration service can simultaneously fetch all license keys associated with a firewall. If you use individual auth codes instead of a bundle, the firewall will retrieve only the license key for the first auth code included in the file.
  • /software folder—Contains the software images required to upgrade a newly provisioned VM-Series firewall to the desired PAN-OS version for your network. You must include all intermediate software versions between the Open Virtualization Format (OVF) version and the final PAN-OS software version to which you want to upgrade the VM-Series firewall.
  • /content folder—Contains the application and threat updates, WildFire updates, and the BrightCloud URL filtering database for the valid subscriptions on the VM-Series firewall. You must include the minimum content versions required for the desired PAN-OS version, without the minimum required content version associated with the PAN-OS version, the VM-Series firewall cannot complete the software upgrade.
The file type used to deliver the bootstrap package to the VM-Series firewall varies based on your hypervisor. Use the table below to determine the file type your hypervisor supports.
External Device for Bootstrapping (Bootstrap Package Format)
ESXi
KVM
Hyper-V
AWS
Azure
KVM in OpenStack
CD-ROM (ISO image)
Yes
Yes
Yes
Virtual Hard Disk (vhd)
Yes
S3 Bucket (ISO image)
Yes
config-drive
Yes
Block Storage Device
Yes
Yes
Yes

Related Documentation