Create a Custom VM-Series Firewall Image for Google Cloud Platform

Learn how to create a custom VM-Series image starting from a VM-Series image deployed from the Google Cloud Platform Marketplace.
Palo Alto Networks posts VM-Series firewall base image versions or minor versions with critical fixes (such as PAN-OS 8.1.4) on the Google Cloud Platform (GCP) Marketplace. These versions are available when you deploy a VM-Series firewall from the GCP Marketplace. However, you might need to deploy a PAN-OS version that is earlier or later than the Marketplace version.
To deploy a VM-Series firewall version that is not available on the Marketplace, you can create a custom VM-Series firewall image with a BYOL license.
The basic steps to create a custom firewall from a firewall instance are as follows:
  • Deploy a new firewall from the GCP Marketplace.
  • Activate your firewall license, download your desired PAN-OS software version to your firewall, use Dynamic Update to update your Applications and Threats content, and deactivate the firewall license.
  • Perform a private data reset from the GCP console.
  • Create a custom image from the upgraded firewall.
You can use your custom image for any new firewall deployment.
  1. Before you create your custom image, review your accounts, permissions, and keys, plan and create the networks for the VM-Series firewall deployment, and plan your network interfaces.
  2. You cannot create an image from an existing firewall. Starting from the GCP Marketplace ensures that your custom image can be licensed.
  3. (BYOL Only) Activate the license.
    1. Select
      and activate the VM-Series firewall license.
      The firewall reboots when licensing is complete.
    2. Log in to the firewall.
  4. Upgrade to your preferred PAN-OS version and install software updates.
    Software upgrade is only allowed from 8.1.x to 8.1.y and 9.0.x to 9.0.y.
    1. Select Check Now and download your required PAN-OS version.
      If you do not see the version you want, download it from the Palo Alto Networks customer support website as follows.
      1. Log in and select Software Updates. From the Filter By list, choose PAN-OS for VM-Series.
      2. Select a PAN-OS version and download it to your local machine.
      3. On your VM-Series firewall,
        Select Device
        your PAN-OS version from your local machine to your device.
    2. Install your chosen version.
    3. Select Dynamic Updates and upgrade your Applications and Threats and any other content you want to include in your base image.
  5. (BYOL Only) Manually deactivate the VM from the firewall.
    If you do not deactivate the license, you lose the license that you applied on your firewall instance.
    1. Select
      and under
      License Management
      , select
      Deactivate VM
    2. Select
      Complete Manually
      , and
      the license token.
    3. Return to the Palo Alto Networks customer support website, select
      VM-Series Auth-Codes
      Deactivate License(s)
      and upload the license token.
  6. Perform a private data reset.
    A private data reset removes all logs and restores the default configuration.
    The system disks are not erased, so the content updates from Step 4 are intact.
    1. Access the firewall CLI and keep it active.
    2. From the GCP console, delete SSH keys from your VM-Series firewall.
      1. Select Compute Engine > VM Instances and select your instance name.
      2. In the
        view, select
      3. Under
        SSH Keys
        , click the
        Show and edit
        link and click
        to remove any SSH keys.
      4. Save your changes.
    3. In the CLI, request a private data reset.
      request system private-data-reset
      to confirm.
      The firewall reboots to initialize the default configuration.
    4. From the GCP console, select
      Compute Engine
      VM instances
      the firewall.
  7. Create a custom image in the GCP console.
    1. Select
      Compute Engine
      Create Image
    2. Name your image and select the Google-managed key (see Google-managed encryption keys).
    3. Select
      for the Source, and for the
      Source disk
      , select your stopped VM-Series firewall VM and click
    4. (Optional) When the image is complete, click the Equivalent REST link, and from the REST response, copy the selfLink. This is the URI link for any type of CI/CD pipeline that you require.
      For example:
      Using this link points directly to your image so you can use it in a template or a script. For example:
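
The following pre-flight check is an added example, not part of the Palo Alto Networks procedure and not the selfLink example referred to above: it checks the upgrade rule from Step 4 and, before the image is created in Step 7, that the source VM is stopped and holds no SSH keys in its instance metadata. The function names, the instance name and the sample JSON (shaped like `gcloud compute instances describe --format=json` output) are constructed for illustration.

```python
import re

# Upgrade trains the page allows: 8.1.x -> 8.1.y and 9.0.x -> 9.0.y only.
ALLOWED_TRAINS = {"8.1", "9.0"}
# Instance metadata keys that carry SSH public keys ("sshKeys" is the legacy name).
SSH_METADATA_KEYS = {"ssh-keys", "sshKeys"}


def train(version):
    """Return the 'major.minor' train of a PAN-OS version such as '8.1.4'."""
    m = re.fullmatch(r"(\d+\.\d+)\.\d+(?:-h\d+)?", version)
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    return m.group(1)


def upgrade_allowed(current, target):
    """True only when both versions sit in the same permitted train."""
    return train(current) == train(target) and train(current) in ALLOWED_TRAINS


def image_blockers(instance, current, target):
    """List reasons this instance should not yet be used as an image source."""
    blockers = []
    if not upgrade_allowed(current, target):
        blockers.append(f"upgrade {current} -> {target} is outside 8.1.x or 9.0.x")
    # Compute Engine reports a stopped VM with status TERMINATED.
    if instance.get("status") != "TERMINATED":
        blockers.append(f"instance is {instance.get('status')}, not stopped")
    for item in instance.get("metadata", {}).get("items", []):
        if item.get("key") in SSH_METADATA_KEYS and item.get("value", "").strip():
            blockers.append(f"metadata key {item['key']!r} still holds SSH keys")
    return blockers


# Constructed sample; the instance name and key material are placeholders.
SAMPLE = {
    "name": "vmseries-build",
    "status": "RUNNING",
    "metadata": {"items": [
        {"key": "ssh-keys", "value": "admin:ssh-rsa AAAA...constructed admin"},
        {"key": "serial-port-enable", "value": "true"},
    ]},
}

if __name__ == "__main__":
    for problem in image_blockers(SAMPLE, "8.1.4", "9.0.1"):
        print("BLOCKER:", problem)
```

An empty list from `image_blockers` means none of the three conditions is outstanding; it does not verify that the private data reset or the license deactivation was performed.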
