Bootstrapping PANs using Aviatrix

This article is a follow-up to my previous post, Deploying an Aviatrix FireNet on GCP with PANs, where I enabled a FireNet for east-west inspection.

In this post I deploy an additional PAN VM-Series firewall instance, configure it with the bootstrap option and attach it to the FireNet transit.

The bootstrap option significantly simplifies the initial VM-Series setup: the firewall pulls its configuration, licenses and updates from a storage bucket at first boot instead of being configured by hand.

Bucket

Create a bucket to store the bootstrap files. The top level of the bucket must contain the following directories:

/config
/content
/software
/license
/plugins

A directory may be left empty, but all of them must exist.

The config directory holds the configuration files. The content directory holds the application and threat updates, WildFire updates and the BrightCloud URL filtering database for the subscriptions that are valid on the VM-Series firewall.

The software folder contains the software images required to upgrade a newly provisioned VM-Series firewall to the desired PAN-OS version for your network. You must include all intermediate software versions between the current version and the final PAN-OS software version to which you want to upgrade the VM-Series firewall.

The license folder contains the license keys or auth codes for the licenses and subscriptions that you intend to activate on the firewalls.

The plugins folder is optional.

Config Files

  • init-cfg.txt: required to bootstrap the VM-Series firewall. It provides the basic information the firewall needs to connect to your network (management addressing, hostname, DNS and, optionally, Panorama registration). A sample can be found here:
https://gist.github.com/rtrentin73/102f7ed3d19f196242f8632a88da00d3
  • A detailed explanation of all supported fields can be found at:

https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/create-the-init-cfgtxt-file/init-cfgtxt-file-components.html

  • bootstrap.xml: I use the configuration of the firewall deployed in the previous post. Once logged in to the PAN GUI, I go to Device -> Setup -> Operations:

To export the running configuration, in the Configuration Management section click Export named configuration snapshot and select running-config.xml from the drop-down.

Once the file has been renamed to bootstrap.xml, I upload it to the config directory of the GCP bucket:

  • A sample can be found here:
https://gist.github.com/rtrentin73/a1f9c1fc73a4f3982476da1e11ff0324
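The bucket layout and config files above are easy to get subtly wrong (a missing directory, a misspelt init-cfg.txt key that PAN-OS silently ignores, or an "empty folder" that never shows up in object storage because GCS has no real directories). The following is an added example, not code from the original post, from Aviatrix or from Palo Alto Networks: it builds the package locally, validates it, and uploads it with the google-cloud-storage Bucket/Blob API (upload_from_filename / upload_from_string). The directory names are the ones listed above; KNOWN_INIT_KEYS is a subset of the documented init-cfg.txt parameters; every value, hostname, bucket name and the bootstrap.xml content are placeholders (assumptions).

```python
"""Build, validate and upload a VM-Series bootstrap package (added example)."""
from pathlib import Path

# Every top-level directory must exist in the bucket, even when left empty.
REQUIRED_DIRS = ("config", "content", "software", "license", "plugins")

# Documented init-cfg.txt parameter names (subset). PAN-OS ignores keys it does
# not recognise, so a typo silently yields an unconfigured firewall; rejecting
# unknown keys up front catches that before anything is uploaded.
KNOWN_INIT_KEYS = {
    "type", "ip-address", "default-gateway", "netmask", "ipv6-address",
    "ipv6-default-gateway", "hostname", "panorama-server", "panorama-server-2",
    "tplname", "dgname", "dns-primary", "dns-secondary", "vm-auth-key",
    "op-command-modes", "dhcp-send-hostname", "dhcp-send-client-id",
    "dhcp-accept-server-hostname", "dhcp-accept-server-domain",
    "authcodes", "plugin-op-commands",
}


def render_init_cfg(params):
    """Serialise init-cfg.txt as key=value lines; reject unknown or inconsistent keys."""
    unknown = set(params) - KNOWN_INIT_KEYS
    if unknown:
        raise ValueError("unknown init-cfg.txt keys: %s" % sorted(unknown))
    if params.get("type") == "static":
        # Static management addressing needs the full address triple.
        missing = [k for k in ("ip-address", "netmask", "default-gateway") if k not in params]
        if missing:
            raise ValueError("type=static requires %s" % missing)
    return "".join("%s=%s\n" % (k, v) for k, v in params.items())


def build_package(root, init_params, bootstrap_xml=None):
    """Create the local directory layout, init-cfg.txt and the optional bootstrap.xml."""
    root = Path(root)
    for d in REQUIRED_DIRS:
        (root / d).mkdir(parents=True, exist_ok=True)
    (root / "config" / "init-cfg.txt").write_text(render_init_cfg(init_params))
    if bootstrap_xml is not None:
        # bootstrap.xml is the exported running config; it belongs in config/.
        (root / "config" / "bootstrap.xml").write_text(bootstrap_xml)
    return root


def validate_package(root):
    """Return a list of layout problems; an empty list means the package is usable."""
    root = Path(root)
    problems = []
    for d in REQUIRED_DIRS:
        if not (root / d).is_dir():
            problems.append("missing directory: %s/" % d)
    init = root / "config" / "init-cfg.txt"
    if not init.is_file():
        problems.append("missing config/init-cfg.txt")
        return problems
    for lineno, line in enumerate(init.read_text().splitlines(), 1):
        if not line.strip():
            continue
        key, sep, _ = line.partition("=")
        if not sep:
            problems.append("init-cfg.txt line %d: not key=value" % lineno)
        elif key.strip() not in KNOWN_INIT_KEYS:
            problems.append("init-cfg.txt line %d: unknown key %r" % (lineno, key.strip()))
    return problems


def package_objects(root):
    """Map GCS object names to local files.

    Object storage has no directories: an empty local directory would simply not
    appear in the bucket. It is therefore represented by a zero-byte object named
    'dir/' (value None), which is also what the Cloud Console's "Create folder"
    writes for an empty folder.
    """
    root = Path(root)
    objects = {}
    for d in REQUIRED_DIRS:
        files = [p for p in (root / d).rglob("*") if p.is_file()]
        if not files:
            objects[d + "/"] = None
        for p in files:
            objects[p.relative_to(root).as_posix()] = p
    return objects


def upload_package(root, bucket):
    """Upload the package. `bucket` is a google.cloud.storage.Bucket (or any object
    whose .blob(name) returns something with upload_from_string/upload_from_filename).
    Returns the object names written, in upload order."""
    written = []
    for name, path in sorted(package_objects(root).items()):
        blob = bucket.blob(name)
        if path is None:
            blob.upload_from_string(b"")          # empty-folder marker
        else:
            blob.upload_from_filename(str(path))
        written.append(name)
    return written
```

Usage, with the real client (bucket name is a placeholder): `bucket = google.cloud.storage.Client().bucket("my-bootstrap-bucket")`, then `build_package("bootstrap", {"type": "dhcp-client", "hostname": "fw2"}, bootstrap_xml=Path("bootstrap.xml").read_text())`, check that `validate_package("bootstrap")` returns an empty list, and call `upload_package("bootstrap", bucket)`. The bucket name is the value entered in the Aviatrix Advanced box later on.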

Service Account

Besides the permissions the Aviatrix controller already needs to operate, the following permission is required for the bootstrap:

  • storage.buckets.get

The firewall VM itself fetches the package using the service account attached to the instance, so that account must also be able to read the objects in the bucket.

Testing

From the Aviatrix Firewall Network Setup menu, I launch a new instance, but this time I check the Advanced box and provide the bucket name:

The Attach option inserts the firewall into the data path so that it starts receiving traffic; use it with care (you may prefer to verify the bootstrapped configuration first). You can also attach the firewall instance later from the Firewall Network -> Advanced page.

Because bootstrap.xml is the first firewall's running configuration, it carries that firewall's local administrator accounts (password hashes) and any other secrets stored in the configuration, so read access to the bucket should be limited to the identities that need it. Once the firewall is deployed, we can log in with the username and password of the instance whose running-config we exported, and the configuration should be identical. For example, the security policies:

Vendor Integration

If Aviatrix Firewall Integration is in use, we need to register the second instance:

After the integration is done, I have two instances running:

Local Configuration

Because an ILB provides HA for the solution, and a GCP ILB needs a DNAT rule on the PAN for its health checks to be answered, the DNAT rule inherited from the first firewall's configuration has to be adapted to point at the IP address of the second firewall:

Once the DNAT rule points at the new firewall, its status changes to healthy under Group Members:
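The manual DNAT fix above is needed on every firewall bootstrapped from another firewall's export, and it is easy to forget. When the second firewall's LAN interface address is known before launch, the rule can be retargeted in bootstrap.xml before it is uploaded; the same function also produces a patched XML for an import afterwards. This is an added example, not code from the original post, from Aviatrix or from Palo Alto Networks. The XML is a constructed, trimmed excerpt that follows the element layout PAN-OS uses for NAT rules (rulebase/nat/rules/entry/destination-translation/translated-address); the rule name, zones, interface and addresses are assumptions.

```python
"""Retarget the ILB health-check DNAT rule in an exported PAN-OS config (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. 10.20.0.100 stands for the ILB frontend
# address and 10.20.0.11 for the first firewall's LAN interface address.
SAMPLE_CONFIG = """<config version="9.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <rulebase>
            <nat>
              <rules>
                <entry name="ILB-HealthCheck">
                  <from><member>lan</member></from>
                  <to><member>lan</member></to>
                  <source><member>35.191.0.0/16</member><member>130.211.0.0/22</member></source>
                  <destination><member>10.20.0.100</member></destination>
                  <service>any</service>
                  <destination-translation>
                    <translated-address>10.20.0.11</translated-address>
                  </destination-translation>
                </entry>
                <entry name="Outbound-SNAT">
                  <from><member>lan</member></from>
                  <to><member>wan</member></to>
                  <source><member>any</member></source>
                  <destination><member>any</member></destination>
                  <service>any</service>
                  <source-translation>
                    <dynamic-ip-and-port>
                      <interface-address><interface>ethernet1/1</interface></interface-address>
                    </dynamic-ip-and-port>
                  </source-translation>
                </entry>
              </rules>
            </nat>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""

NAT_RULES = "./devices/entry/vsys/entry/rulebase/nat/rules/entry"
TRANSLATED = "destination-translation/translated-address"


def find_dnat_rules(config_xml):
    """Return {rule name: translated address} for every DNAT rule in the config."""
    root = ET.fromstring(config_xml)
    found = {}
    for entry in root.iterfind(NAT_RULES):
        ta = entry.find(TRANSLATED)
        if ta is not None:
            found[entry.get("name")] = ta.text
    return found


def retarget_dnat(config_xml, rule_name, new_ip, expected_old_ip=None):
    """Point the named DNAT rule at new_ip and return the modified XML as a string.

    expected_old_ip, when given, guards against patching a rule that was already
    changed or that does not translate to the address the caller believes.
    """
    ipaddress.ip_address(new_ip)  # raises ValueError for anything that is not an IP
    root = ET.fromstring(config_xml)
    matches = [e for e in root.iterfind(NAT_RULES) if e.get("name") == rule_name]
    if len(matches) != 1:
        raise LookupError("expected exactly one NAT rule named %r, found %d"
                          % (rule_name, len(matches)))
    ta = matches[0].find(TRANSLATED)
    if ta is None:
        raise LookupError("rule %r has no destination translation" % rule_name)
    if expected_old_ip is not None and ta.text != expected_old_ip:
        raise ValueError("rule %r translates to %s, not %s"
                         % (rule_name, ta.text, expected_old_ip))
    ta.text = new_ip
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Second firewall's LAN address is an assumption; write the result to config/bootstrap.xml.
    patched = retarget_dnat(SAMPLE_CONFIG, "ILB-HealthCheck", "10.20.0.12",
                            expected_old_ip="10.20.0.11")
    print(find_dnat_rules(patched))
```

Run `find_dnat_rules` on the real export first to confirm which rule carries the health-check DNAT, then pass its name and the first firewall's address as `expected_old_ip` so a wrong guess fails loudly instead of silently producing a firewall the ILB will mark unhealthy.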

References

https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/bootstrap-the-vm-series-firewall/create-the-init-cfgtxt-file/init-cfgtxt-file-components.html
