Choose a Bootstrap Method

Choose a basic configuration or a complete configuration bootstrap method.
You can bootstrap the VM-Series firewall with a or a .
configuration uses the bootstrap package and includes everything you need to fully configure the firewall at boot up. This includes configuration parameters (in init-cfg.txt), content updates, and software versions. A complete configuration can include both init-cfg.txt and bootstrap.xml files.
Configuration Method
Configuration Location
Specify complete configuration information in /config/bootstrap.xml in the bootstrap package.
Public cloud storage
AWS S3 bucket, Azure storage account, or Google storage bucket.
  • Full bootstrap package in the storage bucket.
  • Requires cloud storage and an IAM role to access it.
configuration is a minimal configuration that enables you to launch, license, and register the VM-Series firewall. The basic configuration does not support plugins, content, software images, or bootstrap.xml.
After you boot the firewall you can connect with Panorama to complete the configuration, or log in to the firewall to update content and software manually. The following table briefly contrasts three ways you can store and access a basic configuration:
Configuration Method
Configuration Location
Store basic configuration parameters as key-value pairs in config/init-cfg.txt in the bootstrap package.
Public cloud storage
  • AWS S3 bucket
  • Azure storage account
  • GCP storage bucket
  • Requires cloud storage and an IAM role to access it. The Panorama admin must also be granted access to the bucket.
User data
Enter configuration parameters into the public cloud user interface as key-value pairs.
VM Instance
  • AWS: User data
  • Azure: Custom data
  • GCP: GCP metadata
  • The initial configuration parameters are stored with the VM.
  • No need for separate storage and the associated IAM role.
AWS Secret Manager
Enter configuration parameters into the AWS secret manager as key-value pairs.
Encrypted in AWS Secret Manager.
  • You need an IAM role to create a secret. Others can be granted permission to get the secret.
  • To get the secret, pass the secret name using user data.
See the VM-Series firewall bootstrap workflow to compare the workflow for the basic and complete configurations.

Basic Configuration

A basic configuration includes the initial configuration and licenses. You can use the bootstrap package to pass the key-value pairs for the initial configuration, or you can enter the bootstrap parameters key-value pairs as user data.
If you do not use Panorama, you can use the initial configuration to bootstrap the firewall, then log in and complete the configuration manually. If you use Panorama, your initial configuration must include bootstrap parameters for the IP addresses for your Panorama servers and the VM Auth Key so the bootstrapped firewall can register with Panorama and complete the full configuration.

Add a Basic Configuration to the Bootstrap Package

The initial configuration is a minimal configuration that enables you to launch, license, and register the VM-Series firewall, and connect with Panorama, if applicable. You deliver the configuration (init-cfg.txt) in the bootstrap package.

Enter a Basic Configuration as User Data (AWS, Azure, or GCP)

When you deploy the VM-Series firewall from the AWS, Azure, or GCP user interface, you can enter the configuration parameters as user data during the launch/deployment process. If you have sufficient permissions to deploy a firewall from your cloud account, and access Panorama (if you are using it), you can skip creating a bootstrap package, creating configuration files, and other bootstrap tasks related to cloud storage (a storage bucket, IAM roles, or service accounts that grant external access to storage).
Configuration parameters include the values in init-cfg.txt File Components, and the following additional values only available as user data:
  • authcodes
    —The authcode use to register the VM-Series firewall. For example,
  • mgmt-interface-swap
    —Used to swap the management interface when the VM-Series firewall is behind a load balancer in an AWS or GCP deployment. For example,
You can enter configuration parameters as key-value pairs directly into the AWS or GCP user interface. You can also define the configuration from a text file or a cloud-native template, such as an AWS Cloud Formation template, Azure ARM template, a GCP YAML file, or a Terraform template.
Each cloud has a different term for user data, and uses different separators between bootstrap parameters.
  • AWS User Data
    —Use a semicolon or newline (\n). If a parameter has more than one option, separate options with a comma. For example:
    type=dhcp-client; op-command-modes=mgmt-interface-swap,jumbo-frame; vm-series-auto-registration-pin-id=abcdefgh1234****; vm-series-auto-registration-pin-value=zyxwvut-0987****
    type=dhcp-client op-command-modes=mgmt-interface-swap,jumbo-frame vm-series-auto-registration-pin-id=abcdefgh1234**** vm-series-auto-registration-pin-value=zyxwvut-0987****
    If you choose to save your basic configuration in the AWS Secrets Manager, enter the secret name as a key-value pair in the user data field. For example:
  • Azure Custom Data
    —Use a semicolon. If a parameter has more than one option, separate options with a comma. For example:
    type=dhcp-client; op-command-modes=jumbo-frame; vm-series-auto-registration-pin-id=abcdefgh1234****; vm-series-auto-registration-pin-value=zyxwvut-0987****
  • GCP Custom Metadata
    —In a file, such as a YAML file or Terraform template, use a newline (\n) for each parameter, and if a parameter has multiple options, use commas to separate them. For example:
    type=dhcp-client op-command-modes=mgmt-interface-swap,jumbo-frame vm-series-auto-registration-pin-id=abcdefgh1234**** vm-series-auto-registration-pin-value=zyxwvut-0987****

Save a Basic Configuration in the AWS Secrets Manager

You can use the AWS Secrets Manager to store the basic configuration as a secret, and then use User Data to bootstrap a VM with the parameters stored in the secret. To perform this task you need permission to use the Secrets Manager.
  1. Log in to the AWS console and under Security, Identity and Compliance, select
    Secrets Manager
    and select
    Store a new secret
  2. Select
    other type of secrets
    1. Enter the key-value pairs to define the basic configuration.
      does not work as a key-value pair in an AWS secret. It must be entered as:
    2. Select the DefaultEncryptionKey, and click
  3. Supply the secret name and description.
    1. Edit the resource permissions to securely access secrets across AWS accounts. For example:
      { "Version": "2012-10-17", "Statement": [ { "Sid": "VisualEditor0", "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::sn-bootstrap" }, { "Sid": "VisualEditor1", "Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::sn-bootstrap/*" }, { "Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "arn:aws:secretsmanager:us-east-1:688382******: secret:My_bootstrap" } ] }
    2. (Optional)
      You can examine the secret from the command line (if you have permission). For example:
      # aws secretsmanager get-secret-value --secret-id My_bootstrap { "ARN": "arn:aws:secretsmanager:us-east-1:688382******: secret:My_bootstrap", "Name": "My_bootstrap", "VersionId": "01b6853d-e187-479f-***********", "SecretString": "{\"mgmt-interface-swap\":\"enable\", \"vm-auth-key\":\"AAA\",\"panorama-server\":\"10.*.*.1\", \"panorama-server-2\":\"10.*.*.2\",\"dgname\":\"dg-s0000h\", \"tplname\":\"tpl-santosh\",\"license-authcode\":\"AAAA\"}", "VersionStages": [ "AWSCURRENT" ], "CreatedDate": 1581018411.847 }

Complete Configuration

A complete configuration ensures the firewall is fully configured on boot up. The bootstrap.xml file includes the initial configuration, licenses, software, content, and a version of the VM-Series plugin. You can create
manually or you can export an existing configuration, as described in Create the bootstrap.xml File.

Recommended For You