Create a Custom Amazon Machine Image (AMI)
A custom VM-Series AMI gives you the consistency and flexibility to deploy a VM-Series firewall with the PAN-OS version you want to use on your network, instead of being restricted to the AMIs published to the AWS public Marketplace or the AWS GovCloud Marketplace. A custom AMI also speeds up deployment: you no longer have to provision the firewall from an AMI published on the AWS public or AWS GovCloud Marketplace and then perform software upgrades to reach the PAN-OS version you have qualified or want to use on your network. Additionally, you can use the custom AMI in the Auto Scaling VM-Series Firewalls CloudFormation Templates or any other templates that you have created.
You can create a custom AMI with the BYOL, Bundle 1, or Bundle 2 licenses. The process of creating a custom AMI requires you to remove all configuration from the firewall and reset it to factory defaults, so in this workflow you’ll launch a new instance of the firewall from the AWS Marketplace instead of using an existing firewall that you have fully configured.
When creating a custom AMI with a BYOL version of the firewall, you must first activate the license on the firewall so that you can access and download PAN-OS software updates to upgrade your firewall, and then deactivate the license on the firewall before you reset the firewall to factory defaults and create the custom AMI. If you do not deactivate the license, you lose the license that you applied on this firewall instance.
- Launch the VM-Series firewall from the Marketplace. See 3
- Configure the administrative password on the firewall. See 4
- (Only for BYOL) Activate the license.
- Install software updates and upgrade the firewall to the PAN-OS version you plan to use.
- (Only for BYOL) Deactivate the license.
- Perform a factory reset. A factory reset allows you to remove any configuration on the firewall for the custom AMI.
  - Access the firewall CLI.
  - Access the Maintenance Recovery Tool (MRT) to reboot the firewall into maintenance mode. Use the CLI command debug system maintenance-mode and enter y to confirm. It will take approximately 2 to 3 minutes for the firewall to boot to the MRT. During this time, your SSH session will disconnect.
  - Log in as ec2-user and select the SSH public key that you used when you launched the firewall.
  - Select Continue > Factory Reset to access the menu. Do not reboot the firewall; otherwise you will need to start over again.
- Create the custom AMI.
  - Log in to the AWS Console and select the EC2 Dashboard.
  - Stop the VM-Series firewall.
  - Select the VM-Series firewall instance, and click Image > Create Image.
  - Enter a custom image name, and click Create Image. The disk space of 60GB is the minimum requirement.
- Verify that the custom AMI is created and has the correct product code.
  - On the EC2 Dashboard, select AMI.
  - Select the AMI that you just created. Depending on whether you selected an AMI with the BYOL, Bundle 1, or Bundle 2 licensing options, you should see one of the following Product Codes in the details:
    - Bundle 1—6kxdw3bbmdeda3o6i1ggqt4km
    - Bundle 2—806j2of0qy5osgjjixq9gqc6g
- Encrypt EBS Volume for the VM-Series Firewall on AWS. If you plan to use the custom AMI with EBS encryption for an Auto Scale VM-Series Firewalls with the Amazon ELB Service deployment, you must use the default master key for your AWS account.
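
A scripted form of the verification step above, added here as an example and not part of the vendor documentation: it checks the JSON returned by aws ec2 describe-images for the image state, the product code and the 60GB minimum disk. The function name, the sample image ID and the sample image name are assumptions; the page lists no BYOL product code, so the expected code is passed in by the caller.

```python
import json

# Product codes exactly as listed on this page (none is listed for BYOL).
PAGE_PRODUCT_CODES = {
    "bundle1": "6kxdw3bbmdeda3o6i1ggqt4km",
    "bundle2": "806j2of0qy5osgjjixq9gqc6g",
}
MIN_DISK_GB = 60  # minimum from this page; EC2 reports VolumeSize in GiB


def check_custom_ami(describe_images_json, expected_code):
    """Return a list of problems found in `aws ec2 describe-images` output.

    An empty list means the single image in the response passed every check.
    """
    images = json.loads(describe_images_json).get("Images", [])
    if len(images) != 1:
        return [f"expected exactly one image, got {len(images)}"]
    image = images[0]
    problems = []

    if image.get("State") != "available":
        problems.append(f"image state is {image.get('State')!r}, not 'available'")

    codes = {pc["ProductCodeId"] for pc in image.get("ProductCodes", [])
             if "ProductCodeId" in pc}
    if expected_code not in codes:
        problems.append(f"product code {expected_code} missing; found {sorted(codes)}")

    sizes = [m["Ebs"].get("VolumeSize", 0)
             for m in image.get("BlockDeviceMappings", []) if "Ebs" in m]
    if not sizes or max(sizes) < MIN_DISK_GB:
        problems.append(f"no EBS volume of at least {MIN_DISK_GB} GB: {sizes}")
    return problems


# Constructed sample response; the IDs and name are placeholders.
SAMPLE = json.dumps({"Images": [{
    "ImageId": "ami-0123456789abcdef0",
    "Name": "vmseries-custom-example",
    "State": "available",
    "ProductCodes": [{"ProductCodeId": PAGE_PRODUCT_CODES["bundle2"],
                      "ProductCodeType": "marketplace"}],
    "BlockDeviceMappings": [{"DeviceName": "/dev/xvda",
                             "Ebs": {"VolumeSize": 60, "Encrypted": False}}],
}]})

if __name__ == "__main__":
    # A Bundle 2 image checked against the Bundle 1 code reports a mismatch.
    for problem in check_custom_ami(SAMPLE, PAGE_PRODUCT_CODES["bundle1"]):
        print("FAIL:", problem)
```

Run as a gate before the AMI ID is written into a launch template, so an image built from the wrong Marketplace listing or with an undersized disk is caught before any instance boots from it.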