Create a Custom Amazon Machine Image (v2.1)

Learn how creating a custom Amazon Machine Image (AMI) can speed your deployment process.
A custom VM-Series AMI gives you the consistency and flexibility to deploy a VM-Series firewall with the PAN-OS version you want to use on your network, instead of being restricted to the AMIs published to the AWS public Marketplace or the AWS GovCloud Marketplace. Using a custom AMI speeds up deployment because you no longer have to provision the firewall from an AMI published on the AWS public or AWS GovCloud Marketplace and then perform software upgrades to reach the PAN-OS version you want to use on your network. Additionally, you can use the custom AMI in the Auto Scaling VM-Series Firewalls CloudFormation Templates or any other templates that you have created.
You can create a custom AMI with the BYOL, Bundle 1, or Bundle 2 licenses. The process of creating a custom AMI requires you to remove all configuration from the firewall and perform a private data reset, so in this workflow you’ll launch a new instance of the firewall from the AWS Marketplace instead of using an existing firewall that you have fully configured.
When creating a custom AMI with a BYOL version of the firewall, you must first activate the license on the firewall so that you can access and download PAN-OS content and software updates to upgrade your firewall. You must then deactivate the license on the firewall before performing the private data reset and creating the custom AMI. If you do not deactivate the license, you lose the license that you applied on this firewall instance.
  1. Launch the VM-Series firewall from the Marketplace.
  2. Configure the administrative password on the firewall.
  3. (Only for BYOL) Activate the license.
  4. Install the latest content on the firewall.
  5. (Only for BYOL) Deactivate the license.
  6. Perform a private data reset.
    A private data reset removes all logs and restores the default configuration.
    The system disks are not erased, so the content updates from Step 4 are intact.
    1. Access the firewall CLI.
    2. Export a copy of the configuration.
    3. Remove all logs and restore the default configuration.
      request system private-data-reset
      Enter y to confirm.
      The firewall reboots to initialize the default configuration.
  7. Create the custom AMI.
    1. Log in to the AWS Console and select the EC2 Dashboard.
    2. Stop the VM-Series firewall.
    3. Select the VM-Series firewall instance, and click Image > Create Image.
    4. Enter a custom image name, and click Create Image.
      60GB of disk space is the minimum requirement.
    5. Verify that the custom AMI is created and has the correct product code.
      1. On the EC2 Dashboard, select AMI.
      2. Select the AMI that you just created. Depending on whether you selected an AMI with the BYOL, Bundle 1, or Bundle 2 licensing options, you should see one of the following Product Codes in the details:
        • BYOL—6njl1pau431dv1qxipg63mvah
        • Bundle 1—6kxdw3bbmdeda3o6i1ggqt4km
        • Bundle 2—806j2of0qy5osgjjixq9gqc6g
  8. Encrypt EBS Volume for the VM-Series Firewall on AWS.
    If you plan to use the custom AMI with EBS encryption for an Auto Scale VM-Series Firewalls with the Amazon ELB Service deployment, you must use the default master key for your AWS account.
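
The check in step 7.5 can also be scripted against the JSON that `aws ec2 describe-images --image-ids <ami-id>` returns. The following is an added example, not part of the original procedure or of Palo Alto Networks tooling; the function name, the sample AMI ID, and the sample response are constructed for illustration.

```python
import json

# Product codes listed in step 7.5 of this page.
EXPECTED_PRODUCT_CODES = {
    "6njl1pau431dv1qxipg63mvah": "BYOL",
    "6kxdw3bbmdeda3o6i1ggqt4km": "Bundle 1",
    "806j2of0qy5osgjjixq9gqc6g": "Bundle 2",
}
MIN_DISK_GB = 60  # minimum disk size stated in step 7.4


def check_custom_ami(describe_images_json, expected_license):
    """Return a list of problems found; an empty list means the AMI passes."""
    images = json.loads(describe_images_json).get("Images", [])
    if len(images) != 1:
        return [f"expected exactly one image, got {len(images)}"]
    image = images[0]
    problems = []

    if image.get("State") != "available":
        problems.append(f"image state is {image.get('State')!r}, not 'available'")

    # An AMI created from a Marketplace instance should carry its product code.
    codes = [pc.get("ProductCodeId") for pc in image.get("ProductCodes", [])]
    licenses = {EXPECTED_PRODUCT_CODES[c] for c in codes if c in EXPECTED_PRODUCT_CODES}
    if not licenses:
        problems.append(f"no VM-Series product code on the AMI (found {codes})")
    elif licenses != {expected_license}:
        problems.append(f"product code is for {sorted(licenses)}, expected {expected_license}")

    ebs_sizes = [m["Ebs"]["VolumeSize"] for m in image.get("BlockDeviceMappings", [])
                 if "VolumeSize" in m.get("Ebs", {})]
    if not ebs_sizes or max(ebs_sizes) < MIN_DISK_GB:
        problems.append(f"no EBS volume of at least {MIN_DISK_GB} GB (found {ebs_sizes})")
    return problems


# Constructed sample of a describe-images response (IDs and device name are made up).
SAMPLE = json.dumps({"Images": [{
    "ImageId": "ami-0123456789abcdef0",
    "Name": "vm-series-custom",
    "State": "available",
    "ProductCodes": [{"ProductCodeId": "6njl1pau431dv1qxipg63mvah",
                      "ProductCodeType": "marketplace"}],
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 60}}],
}]})

if __name__ == "__main__":
    for line in check_custom_ami(SAMPLE, "BYOL") or ["AMI passes all checks"]:
        print(line)
```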
