Secure Boot Support for VM-Series on GCP
Learn to enable secure boot support for VM-Series on GCP.
Secure Boot for VM-Series firewalls enhances your security posture by ensuring
the integrity of the boot process. Secure Boot verifies that only trusted software
components are loaded during startup, protecting against malicious code injection and
unauthorized modifications to the boot sequence. Secure Boot leverages the Unified
Extensible Firmware Interface (UEFI) and a chain of trust established through
cryptographic signatures. It prevents rootkits, bootkits, low-level attacks, ensures
boot integrity, and provides confidence in the authenticity of your VM-Series instances
across your cloud environment.
Prerequisites
PAN-OS Version 12.1 or later
Secure Boot support is available only for fresh installations of VM-Series with
PAN-OS version 12.1 or later. Secure Boot is not enabled on VM-Series firewalls
that were upgraded to that version.
Make sure to enable UEFI boot mode when creating the GCP instance.
Secure Boot is enabled on GCP only when you explicitly turn it on during
instance creation.
If you want to downgrade your VM-Series firewall, you must disable Secure Boot
in the GCP Console and then restart the VM instance before you begin the
downgrade.
Enable UEFI boot mode and Secure Boot Support for VM-Series on GCP
Perform the following steps to enable UEFI boot mode and Secure Boot support for
VM-Series on GCP:
From the GCP console, select Compute Engine > VM instances.
In the Boot Disk Settings section, select a VM-Series image that supports UEFI
and Secure Boot.
Go to the Security and Access section and enable the following options:
To verify Secure Boot support on your VM-Series instance on GCP, SSH into the
Command Line Interface (CLI) of the VM-Series firewall and run the following
command:
show system secure-boot status
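The same procedure driven from the gcloud CLI, as an added example that is not part of this page and not Palo Alto Networks' or Google's own tooling: check that the chosen image advertises UEFI support before creating the instance, create the instance with Secure Boot requested explicitly (GCP does not turn it on unless asked), confirm the instance's shielded configuration from the GCP side before relying on the in-firewall `show system secure-boot status` check, and the stop, update, start sequence that the downgrade prerequisite above requires. The instance name, zone, image name and image project are placeholders to substitute; the JSON snippet used for the offline self-test is constructed, not captured from a real instance.

```shell
#!/bin/sh
# Added example, not code from the page, Palo Alto Networks or Google.
# Assumes the gcloud CLI is installed and authenticated. All names below are
# placeholders; replace them with your instance, zone, and PAN-OS 12.1+ image.
set -eu

INSTANCE="${INSTANCE:-vmseries-fw-01}"                       # placeholder instance name
ZONE="${ZONE:-us-central1-a}"                                # placeholder zone
IMAGE="${IMAGE:-REPLACE_WITH_VMSERIES_IMAGE_NAME}"           # placeholder image name
IMAGE_PROJECT="${IMAGE_PROJECT:-REPLACE_WITH_IMAGE_PROJECT}" # placeholder image project

# Constructed sample of the shieldedInstanceConfig part of
# `gcloud compute instances describe --format=json` output, used only for an
# offline self-test of the parsing helpers below.
SAMPLE_DESCRIBE='{"shieldedInstanceConfig": {"enableIntegrityMonitoring": true, "enableSecureBoot": true, "enableVtpm": true}}'

# Exit 0 when a JSON instance description read from stdin shows Secure Boot on
# in shieldedInstanceConfig, 1 otherwise. Tolerates any whitespace around the colon.
secure_boot_enabled() {
    grep -Eq '"enableSecureBoot"[[:space:]]*:[[:space:]]*true'
}

# Exit 0 when a JSON image description read from stdin lists the UEFI_COMPATIBLE
# guest OS feature; Secure Boot cannot be enabled on an image without it.
image_is_uefi() {
    grep -Eq '"type"[[:space:]]*:[[:space:]]*"UEFI_COMPATIBLE"'
}

# Prerequisite: the image must support UEFI boot mode.
check_image() {
    gcloud compute images describe "$IMAGE" --project "$IMAGE_PROJECT" \
        --format=json | image_is_uefi
}

# Create the instance with Secure Boot requested explicitly, together with the
# other Shielded VM options (vTPM and integrity monitoring).
create_instance() {
    gcloud compute instances create "$INSTANCE" --zone "$ZONE" \
        --image "$IMAGE" --image-project "$IMAGE_PROJECT" \
        --shielded-secure-boot --shielded-vtpm --shielded-integrity-monitoring
}

# Verify from the GCP side. Then confirm inside PAN-OS over SSH with
# `show system secure-boot status`, as the page describes.
verify_instance() {
    gcloud compute instances describe "$INSTANCE" --zone "$ZONE" \
        --format=json | secure_boot_enabled
}

# Downgrade prerequisite: Secure Boot is changed on a stopped instance, and the
# instance is restarted before the PAN-OS downgrade begins.
disable_secure_boot_for_downgrade() {
    gcloud compute instances stop "$INSTANCE" --zone "$ZONE"
    gcloud compute instances update "$INSTANCE" --zone "$ZONE" --no-shielded-secure-boot
    gcloud compute instances start "$INSTANCE" --zone "$ZONE"
}

# Offline self-test: exercises the parser on the constructed sample (no gcloud calls).
selftest() {
    printf '%s' "$SAMPLE_DESCRIBE" | secure_boot_enabled
}
```

Source the file (`. ./secureboot-gcp.sh`) and call `check_image && create_instance && verify_instance` for a new firewall, or `disable_secure_boot_for_downgrade` before a downgrade; `selftest` runs without gcloud. The helpers read the JSON form of gcloud output so the check does not depend on the human-readable table layout, which changes between gcloud releases.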