This article is a follow up on my previous blog Deploying an Aviatrix FireNet on GCP with PANs where I enabled a Firenet for east-west inspection.
In this document I'm going to deploy an extra instance of a PAN firewall, configure it using the bootstrap option and attach it to the FireNet transit.
Using the bootstrap option significantly simplifies the initial configuration of a VM-Series firewall.
Create a bucket to store the bootstrap files. The top-level directory structure must have the following directories:
You can leave a folder empty, but all of them must exist.
The config directory contains the configuration files, and the content directory contains the application and threat updates, WildFire updates, and the BrightCloud URL filtering database for the valid subscriptions on the VM-Series firewall.
The software folder contains the software images required to upgrade a newly provisioned VM-Series firewall to the desired PAN-OS version for your network. You must include all intermediate software versions between the current version and the final PAN-OS software version to which you want to upgrade the VM-Series firewall.
The license folder contains the license keys or auth codes for the licenses and subscriptions that you intend to activate on the firewalls.
The plugins folder is optional.
- init-cfg.txt: The init-cfg.txt file is required to bootstrap the VM-Series firewall. It provides the basic information the firewall needs to connect to your network. Sample can be found here:
- A detailed explanation of all supported fields can be found at:
- bootstrap.xml: I’m going to use the configuration from the firewall used on the previous post. Once connected to the PAN GUI, I go to Device -> Setup -> Operations:
To export the running configuration, in the Configuration Management section, Export named configuration snapshot and select running config.xml from the drop-down.
Once the file is renamed to bootstrap.xml, I upload it to the GCP bucket:
- Sample can be found here:
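Before uploading, it is worth checking the staging copy of the bucket against the layout described above. The following pre-flight validator is an added example, not code from the original post or from Palo Alto Networks or Aviatrix; it assumes a local directory mirroring the bucket, and the init-cfg.txt values and the bootstrap.xml stub it writes are constructed samples, not the post's real exports.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

REQUIRED_DIRS = ("config", "content", "software", "license")  # plugins/ is optional

def parse_init_cfg(path):
    """Parse init-cfg.txt (one key=value per line) into a dict; blank and '#' lines are skipped."""
    values = {}
    with open(path, encoding="utf-8") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if "=" not in line:
                raise ValueError(f"init-cfg.txt line {lineno}: expected key=value, got {line!r}")
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values

def check_bootstrap_layout(root):
    """Return the problems found in a local staging copy of the bucket; an empty list means OK."""
    problems = [f"missing required directory: {d}/" for d in REQUIRED_DIRS
                if not os.path.isdir(os.path.join(root, d))]
    init_cfg = os.path.join(root, "config", "init-cfg.txt")
    if not os.path.isfile(init_cfg):
        problems.append("config/init-cfg.txt is required")
    else:
        try:
            parse_init_cfg(init_cfg)
        except ValueError as exc:
            problems.append(str(exc))
    bootstrap_xml = os.path.join(root, "config", "bootstrap.xml")  # optional, but must parse if present
    if os.path.isfile(bootstrap_xml):
        try:
            ET.parse(bootstrap_xml)
        except ET.ParseError as exc:
            problems.append(f"config/bootstrap.xml is not well-formed XML: {exc}")
    return problems

def build_sample_staging():
    """Create a constructed staging tree (sample values, not the post's real files); return its path."""
    root = tempfile.mkdtemp(prefix="pan-bootstrap-")
    for name in REQUIRED_DIRS:
        os.makedirs(os.path.join(root, name))
    with open(os.path.join(root, "config", "init-cfg.txt"), "w", encoding="utf-8") as fh:
        fh.write("type=dhcp-client\nhostname=pan-fw-02\n")  # constructed sample values
    with open(os.path.join(root, "config", "bootstrap.xml"), "w", encoding="utf-8") as fh:
        fh.write("<config><devices/></config>")  # constructed stub, not a real running-config export
    return root
```

Run `check_bootstrap_layout()` against the directory you intend to sync to the bucket; an empty list means the required folders and files are in place.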
Besides the permissions required by the Aviatrix controller to operate properly, the following permissions are required for the bootstrap:
From the Aviatrix Firewall Network Setup menu, I launch a new instance, but this time I check the Advanced box and provide the bucket name:
The Attach option inserts the firewall in the data path to receive packets. It should be used carefully. You can also attach the firewall instance later at the Firewall Network -> Advanced page.
Once the firewall is deployed, we can access it using the username and password from the instance whose running config we exported. The configuration should be the same. For example, security policies:
If Aviatrix Firewall Integration is in use, we need to register the second instance:
After the integration is done, I have two instances running:
Because an ILB provides HA for the solution, and a GCP ILB requires a DNAT rule on the PAN for its health checks to work, we have to adapt the DNAT to point to the IP address of the second firewall:
Once the DNAT policy is changed to the new firewall, we can see that its status changes to healthy under Group Members: