Create a Custom Amazon Machine Image (AMI)

Learn how creating a custom Amazon Machine Image (AMI) can speed your deployment process.
A custom VM-Series AMI gives you the consistency and flexibility to deploy a VM-Series firewall with the PAN-OS version you want to use on your network, instead of being restricted to an AMI that is published to the AWS public Marketplace or to the AWS GovCloud Marketplace. Using a custom AMI speeds up deployment of a firewall with the PAN-OS version of your choice because you no longer have to provision the firewall from an AMI published on the AWS public or AWS GovCloud Marketplace and then perform software upgrades to reach the PAN-OS version you have qualified or want to use on your network. Additionally, you can use the custom AMI in the Auto Scaling VM-Series Firewalls CloudFormation Templates or in any other templates that you have created.
You can create a custom AMI with the BYOL, Bundle 1, or Bundle 2 licenses. The process of creating a custom AMI requires you to remove all configuration from the firewall and reset it to factory defaults, so in this workflow you’ll launch a new instance of the firewall from the AWS Marketplace instead of using an existing firewall that you have fully configured.
When creating a custom AMI with a BYOL version of the firewall, you must first activate the license on the firewall so that you can access and download PAN-OS software updates to upgrade your firewall, and then deactivate the license on the firewall before you reset the firewall to factory defaults and create the custom AMI. If you do not deactivate the license, you lose the license that you applied on this firewall instance.
  1. Launch the VM-Series firewall from the Marketplace.
    Follow steps 1 through 3 in Launch the VM-Series firewall. Do not continue on to configuring a new administrative password or committing any changes on the firewall.
  2. (Only for BYOL) Activate the license.
  3. Install software updates and upgrade the firewall to the PAN-OS version you plan to use.
  4. (Only for BYOL) Deactivate the license.
  5. Perform a private data reset.
    A private data reset removes all logs and restores the default configuration.
    The system disks are not erased, so the content updates from Step 3 are intact.
    1. Access the firewall CLI.
    2. Remove all logs and restore the default configuration.
      request system private-data-reset
      Enter y to confirm.
      The firewall reboots to initialize the default configuration.
  6. Create the custom AMI.
    1. Log in to the AWS Console and select the EC2 Dashboard.
    2. Stop the VM-Series firewall.
    3. Select the VM-Series firewall instance, and click Image > Create Image.
    4. Enter a custom image name, and click Create Image.
      The disk space of 60GB is the minimum requirement.
    5. Verify that the custom AMI is created and has the correct product code.
      1. On the EC2 Dashboard, select AMI.
      2. Select the AMI that you just created. Depending on whether you selected an AMI with the BYOL, Bundle 1, or Bundle 2 licensing options, you should see one of the following Product Codes in the details:
        • BYOL—6njl1pau431dv1qxipg63mvah
        • Bundle 1—6kxdw3bbmdeda3o6i1ggqt4km
        • Bundle 2—806j2of0qy5osgjjixq9gqc6g
  7. If you plan to use the custom AMI with EBS encryption for an Auto Scaling VM-Series Firewalls with the Amazon ELB Service deployment, you must use the default master key for your AWS account.
  8. Configure the administrative password on the firewall.
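
The verification in step 6.5 can also be scripted. The following is an added example, not part of the vendor documentation: it assumes the input is the JSON printed by `aws ec2 describe-images --image-ids <your-ami-id>`, and the function name, the sample image IDs and the check for the `available` state are assumptions of this example.

```python
import json

# Product codes listed on this page for each VM-Series licensing option.
PRODUCT_CODES = {
    "6njl1pau431dv1qxipg63mvah": "BYOL",
    "6kxdw3bbmdeda3o6i1ggqt4km": "Bundle 1",
    "806j2of0qy5osgjjixq9gqc6g": "Bundle 2",
}
MIN_DISK_GB = 60  # minimum disk space stated in step 6.4

def check_custom_ami(image):
    """Check one entry of the describe-images "Images" list.
    Returns (license_option_or_None, list_of_problems)."""
    problems = []
    if image.get("State") != "available":
        problems.append(f"state is {image.get('State')!r}, expected 'available'")
    ids = [pc.get("ProductCodeId") for pc in image.get("ProductCodes", [])]
    known = [PRODUCT_CODES[i] for i in ids if i in PRODUCT_CODES]
    if len(known) != 1:
        problems.append(f"expected exactly one VM-Series product code, found {ids}")
    root = image.get("RootDeviceName")
    size = next((m["Ebs"].get("VolumeSize") for m in image.get("BlockDeviceMappings", [])
                 if m.get("DeviceName") == root and "Ebs" in m), None)
    if size is None or size < MIN_DISK_GB:
        problems.append(f"root volume is {size} GB, minimum is {MIN_DISK_GB} GB")
    return (known[0] if len(known) == 1 else None), problems

# Constructed sample input (not real AMIs): one good image, and one that has no
# product code, is still pending, and was created with an undersized disk.
SAMPLE = json.loads("""
{"Images": [
  {"ImageId": "ami-0000000000000000a", "State": "available",
   "ProductCodes": [{"ProductCodeId": "6njl1pau431dv1qxipg63mvah",
                     "ProductCodeType": "marketplace"}],
   "RootDeviceName": "/dev/xvda",
   "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 60}}]},
  {"ImageId": "ami-0000000000000000b", "State": "pending",
   "ProductCodes": [],
   "RootDeviceName": "/dev/xvda",
   "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeSize": 40}}]}
]}
""")

if __name__ == "__main__":
    for img in SAMPLE["Images"]:
        option, problems = check_custom_ami(img)
        print(img["ImageId"], option or "UNKNOWN", problems or "OK")
```

Running the check in a pipeline before a template references the AMI catches an image that was built from the wrong licensing option or with too small a disk.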
