Create a Custom Amazon Machine Image (AMI)

A custom VM-Series AMI gives you the consistency and flexibility to deploy a VM-Series firewall with the PAN-OS version you want to use on your network, instead of being restricted to the AMIs published to the AWS public Marketplace or the AWS GovCloud Marketplace. Using a custom AMI speeds up deployment of a firewall with the PAN-OS version of your choice because it saves the time otherwise spent provisioning the firewall from an AMI published on the AWS public or AWS GovCloud Marketplace and then performing software upgrades to reach the PAN-OS version you have qualified or want to use on your network. You can also use the custom AMI in the Auto Scaling VM-Series Firewalls CloudFormation Templates or in any other templates that you have created.
You can create a custom AMI with the BYOL, Bundle 1, or Bundle 2 licenses. The process of creating a custom AMI requires you to remove all configuration from the firewall and reset it to factory defaults, so in this workflow you’ll launch a new instance of the firewall from the AWS Marketplace instead of using an existing firewall that you have fully configured.
When creating a custom AMI with a BYOL version of the firewall, you must first activate the license on the firewall so that you can access and download PAN-OS software updates to upgrade your firewall, and then deactivate the license on the firewall before you reset the firewall to factory defaults and create the custom AMI. If you do not deactivate the license, you lose the license that you applied on this firewall instance.
  1. Launch the VM-Series firewall from the Marketplace.
    See 3
  2. Configure the administrative password on the firewall.
    See 4
  3. (Only for BYOL) Activate the license.
  4. Install software updates and upgrade the firewall to the PAN-OS version you plan to use.
  5. (Only for BYOL) Deactivate the license.
  6. Perform a factory reset.
    A factory reset allows you to remove any configuration on the firewall for the custom AMI.
    1. Access the firewall CLI.
    2. Access the Maintenance Recovery Tool (MRT) to reboot the firewall into maintenance mode.
      Use the CLI command debug system maintenance-mode and enter y to confirm. It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
    3. Log in as ec2-user and select the SSH public key that you used when you launched the firewall.
    4. Select Continue > Factory Reset to access the menu.
      Do not reboot the firewall, otherwise you will need to start over again.
  7. Create the custom AMI.
    1. Log in to the AWS Console and select the EC2 Dashboard.
    2. Stop the VM-Series firewall.
    3. Select the VM-Series firewall instance, and click Image > Create Image.
    4. Enter a custom image name, and click Create Image.
      The minimum required disk size is 60GB.
    5. Verify that the custom AMI is created and has the correct product code.
      1. On the EC2 Dashboard, select AMI.
      2. Select the AMI that you just created. Depending on whether you selected an AMI with the BYOL, Bundle 1, or Bundle 2 licensing options, you should see one of the following Product Codes in the details:
        • BYOL—6njl1pau431dv1qxipg63mvah
        • Bundle 1—6kxdw3bbmdeda3o6i1ggqt4km
        • Bundle 2—806j2of0qy5osgjjixq9gqc6g
  8. Encrypt EBS Volume for the VM-Series Firewall on AWS.
    If you plan to use the custom AMI with EBS encryption for an Auto Scale VM-Series Firewalls with the Amazon ELB Service deployment, you must use the default master key for your AWS account.
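
The verification in step 7 can also be scripted. The following is an added example, not part of the original documentation: it checks the JSON printed by aws ec2 describe-images --image-ids <your-ami-id> against the product codes and the 60GB minimum listed above. The function names check_custom_ami and sample_image, the AMI ID, the image name, and the device name are assumptions made for illustration.

```python
import json

# Product codes from step 7 of this page, keyed by licensing option.
EXPECTED_PRODUCT_CODES = {
    "BYOL": "6njl1pau431dv1qxipg63mvah",
    "Bundle 1": "6kxdw3bbmdeda3o6i1ggqt4km",
    "Bundle 2": "806j2of0qy5osgjjixq9gqc6g",
}
MIN_DISK_GB = 60  # minimum disk size stated in step 7


def check_custom_ami(describe_images_json, license_option):
    """Return a list of problems; an empty list means the AMI passed."""
    images = json.loads(describe_images_json).get("Images", [])
    if len(images) != 1:
        return [f"expected exactly one image, got {len(images)}"]
    image, problems = images[0], []
    if image.get("State") != "available":
        problems.append(f"image state is {image.get('State')!r}")
    expected = EXPECTED_PRODUCT_CODES[license_option]
    found = [p.get("ProductCodeId") for p in image.get("ProductCodes", [])]
    if expected not in found:
        problems.append(f"{license_option} product code {expected} not in {found}")
    # The root volume is the mapping whose device name matches RootDeviceName.
    root = next((m.get("Ebs", {}) for m in image.get("BlockDeviceMappings", [])
                 if m.get("DeviceName") == image.get("RootDeviceName")), None)
    if root is None:
        problems.append("no block device mapping for the root device")
    elif root.get("VolumeSize", 0) < MIN_DISK_GB:
        problems.append(f"root volume is {root.get('VolumeSize', 0)} GB, below {MIN_DISK_GB} GB")
    return problems


def sample_image(product_code, size_gb):
    """Constructed describe-images output (placeholder AMI ID and name)."""
    return json.dumps({"Images": [{
        "ImageId": "ami-EXAMPLE", "Name": "vm-series-custom", "State": "available",
        "ProductCodes": [{"ProductCodeId": product_code, "ProductCodeType": "marketplace"}],
        "RootDeviceName": "/dev/xvda",
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": size_gb}}],
    }]})


if __name__ == "__main__":
    # Passing case, then a case with the wrong license code and a small disk.
    print(check_custom_ami(sample_image(EXPECTED_PRODUCT_CODES["BYOL"], 60), "BYOL"))
    print(check_custom_ami(sample_image(EXPECTED_PRODUCT_CODES["Bundle 1"], 40), "BYOL"))
```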
