Bootstrap Configuration Example for VM-Series in AWS

Using the bootstrap option significantly simplifies VM-Series initial configuration setup. In this document, we provide a bootstrap example to set up an "Allow All" and Egress NAT policy for the VM-Series to validate that traffic is sent to the VM-Series for VPC-to-VPC traffic inspection. This example does not use Panorama.

The Panorama PAN-OS version should be the same as or higher than that of the firewall VMs when they are added to Panorama, for example 9.0.3.xfr for both Panorama and the VMs. Refer to PAN-OS 9.0.3 XFR for VM-Series for more information.

For a manual setup, follow the manual setup example.

After you enable bootstrap configuration for your AWS Palo Alto VM-Series firewall, you can select either AWS S3 Bucket or User Data. If you select AWS S3 Bucket, you must have already completed the following sections in your AWS Console:
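The following shell script is an added example, not part of the original page or Aviatrix's own tooling. It lays out the directory structure that a VM-Series bootstrap package in an S3 bucket is expected to have (the four top-level folders config, content, license and software) and writes a minimal init-cfg.txt for an AWS deployment without Panorama, then checks the package before it is synced to the bucket. The hostname, DNS servers and package path are constructed placeholders; the init-cfg.txt keys themselves are standard PAN-OS bootstrap parameters.

```shell
#!/bin/sh
# Added example (not from the original page): build and sanity-check a
# VM-Series bootstrap package before uploading it to the S3 bucket.

make_bootstrap_pkg() {
    pkg="$1"
    # PAN-OS looks for exactly these four top-level folders in the bucket,
    # even when some of them stay empty.
    for d in config content license software; do
        mkdir -p "$pkg/$d"
    done
    # init-cfg.txt: management interface via DHCP. mgmt-interface-swap
    # makes eth1 the management interface so the ENI in slot 0 (eth0) can
    # carry the inspected traffic. Hostname and DNS values are placeholders.
    cat > "$pkg/config/init-cfg.txt" <<'EOF'
type=dhcp-client
hostname=vmseries-example
dns-primary=169.254.169.253
dns-secondary=8.8.8.8
op-command-modes=mgmt-interface-swap
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes
EOF
    # No panorama-server/tplname/dgname keys: this example does not use Panorama.
}

check_bootstrap_pkg() {
    pkg="$1"
    cfg="$pkg/config/init-cfg.txt"
    for d in config content license software; do
        [ -d "$pkg/$d" ] || { echo "missing folder: $d/"; return 1; }
    done
    [ -f "$cfg" ] || { echo "missing config/init-cfg.txt"; return 1; }
    # The interface swap is what makes AWS traffic inspection work; treat
    # its absence as an error rather than a warning.
    grep -q '^op-command-modes=mgmt-interface-swap' "$cfg" \
        || { echo "op-command-modes=mgmt-interface-swap not set"; return 1; }
    # Without Panorama, the policy has to come from config/bootstrap.xml;
    # only warn, since that file is often added as a separate step.
    if ! grep -q '^panorama-server=' "$cfg"; then
        if [ ! -f "$pkg/config/bootstrap.xml" ]; then
            echo "note: no Panorama and no config/bootstrap.xml; firewall will boot with no policy"
        fi
    fi
    return 0
}

# Usage: sh bootstrap_pkg.sh ./my-bootstrap   (then sync the directory to S3)
if [ "$#" -eq 1 ]; then
    make_bootstrap_pkg "$1" && check_bootstrap_pkg "$1"
fi
```

The check deliberately fails on a missing folder or a missing interface swap, because those two mistakes produce a firewall that boots but never sees VPC traffic, which is the condition the "Ready to Go" test below is meant to confirm.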

Ready to Go

Now your firewall instance is ready to receive packets.

The next step is to specify which Network Domain needs packet inspection by defining a connection policy that connects to the firewall domain. This is done by Configuring Allow Outbound Policies (see the section above) in the Firewall Network workflow.

For example, deploy Spoke-1 VPC in Network_Domain_1 and Spoke-2 VPC in Network_Domain_2. Build a connection policy between the two domains. Then build a connection between Network_Domain_2 and the Firewall Domain.

Launch one instance in each of Spoke-1 VPC and Spoke-2 VPC. From one instance, ping the other. The ping should go through.

Viewing the Traffic Log

You can verify whether traffic is being forwarded to the firewall instance by logging in to the VM-Series console.

  1. Click Monitor.

  2. Start pinging from an instance in one Spoke VPC to an instance in another Spoke VPC, where one or both Network Domains are connected to the Firewall Network Domain.

Additional References

The following links from Palo Alto Networks for PAN-OS 8.1 and 9.0 provide additional information.