Simplified Onboarding of VM-Series Firewall on AWS
Table of Contents
Simplified Onboarding of VM-Series Firewall on AWS
The simplified onboarding flow streamlines the deployment and initial configuration
of VM-Series firewalls in AWS.
The simplified onboarding flow streamlines the deployment and initial
configuration of VM-Series firewalls in AWS. It supports east-west deployment (with
transit gateway), centralized egress, and distributed inbound deployment of VM-Series
firewall.
Prerequisites
For simplified onboarding of VM-Series firewall on AWS, ensure to use the
following PAN-OS versions and license types:
Supported PAN-OS Version
- PAN-OS version 10.2 or above
Supported License Types
- PAYG (Pay-as-you-go)
Simplified Onboarding of VM-Series in Security VPC using CFT
- Login to your AWS CloudFormation console.
- On the Stacks page, select Create stack.
- Select choose an existing template option.
![]()
- In the Specify template section, you can select Amazon S3 URL or Upload a template file as your template source option.If you select Amazon S3 URL, provide a URL to the template file in an S3 bucket.If you select Upload a template file, upload a template file from your local directory.
- Click Next.
- In the Specify stack details page, enter the Stack Name.
- In the Parameters section, enter values for the parameters that were defined in the template.
- Enter your Security VPC CIDR.
- Enter the number of Desired Firewalls.
- Select the Firewall Instance Type and size for the autoscaled VM-Series firewall.
- Enter your firewall AMI ID.
- Enter your Amazon EC2 Key pair in the Key Name field.
![]()
- Enter the number and list of Availability Zones.
- In the Transit Gateways section, select True if you want CFT to create a new transit gateway.
![]()
Select False if you already have a transit gateway and enter the existing transit gateway ID.![]()
If you select Yes for Panorama managed devices, then enter the following bootstrap parameter values:- Enter the Panorama IP address for firewalls to connect.
- Enter the secondary Panorama IP address (if HA enabled), for firewalls to connect.
- Enter the Panorama Device Group name.
- Enter the Template Stack name.
- Enter the Panorama Log Collector group name.
- Enter the VM Auth Key.
- Enter the Certificate PIN ID.
- Enter the Certificate PIN value for installing device certificates on VMs.
- Enter the Additional bootstrap parameters as key value pairs.
If you select No for Panorama Managed Devices, you can skip the above Bootstrap Info section. - Click Next.
- In the Configure Stack Options page, select your optional IAM role and stack failure options.
![]()
If your template contains IAM resources, for Capabilities, select I acknowledge that AWS CloudFormation might create IAM resources with custom names. - Click Next.
- Review the details of your stack and click Submit.AWS CloudFormation will then create all the resources defined in your template.You can view the Stack details on CloudFormation > Stacks page, and then understand the events updated, parameters, and resources are being created, updated, or deleted.
Simplified Onboarding Bootstrap Parameters
Following are the bootstrap parameter for simplified onboarding on AWS:
plugin-op-commands=simplified-onboarding:enable,dep-plan:combined,dep-arch:two-arm,aws-gwlb-inspect:enable,aws-gwlb-overlay-routing:enable op-command-modes=mgmt-interface-swap
For more information, see Bootstrap the VM-Series firewall on AWS.
Public IP Address Management
The IP addresses for MGMT and untrust interfaces are automatically
allocated and assigned when deployed using Simplified Onboarding.