To perform bootstrapping, you must be familiar
with AWS S3 and IAM permissions required for completing this process.
For detailed instructions on creating policy, refer to the AWS documentation
on Creating Customer Managed Polices.
management interface of the VM-Series firewall must be able to access
the S3 bucket to complete bootstrapping. You can either assign a
public IP address or an elastic IP address to the management interface
so that the S3 bucket can be accessed over the Internet. Or, create a
AWS VPC endpoint in the same region as the S3 bucket, if you prefer
to create a private connection between your VPC and the S3 bucket
and do not want to enable internet access on the firewall management
interface. For more information refer to the AWS documentation on
setting up VPC endpoints.
On the AWS console, create an Amazon Simple Storage
Service (S3) bucket at the root-level. The S3 bucket in this example,
vmseries-aws-bucket is at the All Buckets root folder level. Bootstrap
will fail if you nest the folder because you cannot specify a path
to the location of the bootstrap files.
an IAM role with inline policy to enable read access to the S3 bucket
[ListBucket, GetObject]. For detailed instructions on creating an
IAM role, defining which accounts or AWS services can assume the
role, defining which API actions and resources the application can
use upon assuming the role, refer to the AWS documentation on IAM Roles for Amazon EC2. When launching
the VM-Series firewall, you must attach this role to enable access
to the S3 bucket and the objects included in the bucket for bootstrapping
you have enabled logging in Amazon S3, a Logs folder is automatically
created in the S3 bucket. The Logs folder helps troubleshoot issues
with access to the S3 bucket.
the VM-Series Firewall on AWS. When launching the firewall
as an EC2 instance, attach the IAM role you created in step 2 and in the user data field (Advanced section),
specify the following S3 keyvalue: