https://live.paloaltonetworks.com/t5/general-articles/identify-and-deploy-specific-pan-os-versions-of-vm-series-on/ta-p/560078 <DIV class="lia-message-template-content-zone"> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="LIVEcommunity_PAN-OS-Versions_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54126i60799709FEC66043/image-size/large?v=v2&amp;px=999" role="button" title="LIVEcommunity_PAN-OS-Versions_palo-alto-networks.jpg" alt="LIVEcommunity_PAN-OS-Versions_palo-alto-networks.jpg" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>There are a fair few ways to deploy the Palo Alto Networks <STRONG><FONT color="#FF6600">VM-Series Next Generation Firewall</FONT> </STRONG>appliances on <STRONG><FONT color="#FF6600">Google Cloud</FONT></STRONG>, the recommended method to do the same is described in detail on the Palo Alto Networks official documentation </SPAN><A href="https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/set-up-the-vm-series-firewall-on-google-cloud-platform/create-a-custom-vm-series-firewall-image-for-google-cloud-platform" target="_blank" rel="noopener"><SPAN>here</SPAN></A><SPAN>. There are a couple of restrictions with the official documentation, which are there only to ensure that only the qualified stable versions of VM-Series can be deployed, over which the user can upgrade to the desired version.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>This article will provide an alternative method to identify exact versions of the VM-Series NGFW directly without having to either upgrade or create a new base image. In this article, we will look at how to identify the VM-Series versions based on the PAN-OS version and licensing model, how to deploy a specific version of VM-Series and then also how we can deploy the same through automation.</SPAN></P> <P>&nbsp;</P> <H2><FONT color="#FF6600"><STRONG><FONT size="5">Finding Your Desired VM-Series Image Version</FONT></STRONG></FONT></H2> <P>&nbsp;</P> <P><SPAN>All the official VM-Series images on Google Cloud can be found in the public Palo Alto Networks project, “<EM>paloaltonetworksgcp-public</EM>”. We can list the images by running the below command;</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="python">gcloud compute images list --project paloaltonetworksgcp-public --filter "name=vmseries-flex-"</LI-CODE> <P>&nbsp;</P> <P><SPAN>Now, this command will list all the public images that have “vmseries”in their names, and that is a lot of images. So in order to identify what we are looking for, let us break down one of the image names, “vmseries-flex-byol-1022h2”, by splitting the name on the ‘-’;</SPAN></P> <UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>vmseries</STRONG><SPAN><BR /></SPAN><SPAN>This is, of course, the prefix that denotes the appliance itself.</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>flex</STRONG><SPAN><BR /></SPAN><SPAN>This denotes the images that were created after Palo Alto Networks migrated to the Flex Licensing model. Any VM-Series image that does not have “flex” on it is now rendered deprecated and not supported. Please read the </SPAN><A href="https://docs.paloaltonetworks.com/vm-series/11-0/vm-series-deployment/license-the-vm-series-firewall/software-ngfw" target="_blank" rel="noopener"><SPAN>Software NGFW Credits official documentation</SPAN></A><SPAN> for more details.&nbsp;</SPAN></LI> <LI style="font-weight: 400;" aria-level="1"><STRONG>byol</STRONG><SPAN><BR /></SPAN><SPAN>This denotes the type of licensing for the VM-Series appliance. This can have 4 values;</SPAN></LI> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>byol – This denotes the </SPAN><A href="https://console.cloud.google.com/marketplace/product/paloaltonetworksgcp-public/vmseries-flex-byol" target="_blank" rel="noopener"><SPAN>BYOL</SPAN></A><SPAN> (Bring Your Own License) type of licensing, one where you will need to have the Software NGFW Flex Credits to be able to license the firewalls deployed with this image.</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>bundle1 – </SPAN><A href="https://console.cloud.google.com/marketplace/product/paloaltonetworksgcp-public/vmseries-flex-bundle1" target="_blank" rel="noopener"><SPAN>Bundle1</SPAN></A><SPAN> includes the standard NGFW PAYG license, subscription to Threat Prevention and Premium Support</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>bundle2 – </SPAN><A href="https://console.cloud.google.com/marketplace/product/paloaltonetworksgcp-public/vmseries-flex-bundle2" target="_blank" rel="noopener"><SPAN>Bundle2</SPAN></A><SPAN> includes the standard NGFW PAYG license, subscriptions to Threat Prevention, DNS Security, WildFire, URL Filtering (PAN-DB), GlobalProtect and Premium Support</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>bundle3 – </SPAN><A href="https://console.cloud.google.com/marketplace/product/paloaltonetworksgcp-public/vmseries-payg-bundle3" target="_blank" rel="noopener"><SPAN>Bundle3</SPAN></A><SPAN> includes the standard NGFW PAYG license, subscriptions to Advanced Threat Prevention, WildFire, Advanced URL Filtering (PAN-DB), GlobalProtect and Premium Support.</SPAN></LI> </UL> <LI style="font-weight: 400;" aria-level="1"><STRONG>1022h2</STRONG><STRONG><BR /></STRONG><SPAN>This is the PAN-OS version. This version specifically is the “10.2.2-h2” PAN-OS version. Some more examples of the versions are;</SPAN></LI> <UL> <LI style="font-weight: 400;" aria-level="2"><SPAN>1100 – 11.0.0</SPAN></LI> <LI style="font-weight: 400;" aria-level="2"><SPAN>9114h4 – 9.1.14-h4</SPAN></LI> </UL> </UL> <P>&nbsp;</P> <P><SPAN>So, now if I want to find the BYOL image for VM-Series version 11.0.2, I would use the command as shown below;</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="python">shv@cloudshell:~ (tme-demo-sandbox)$ gcloud compute images list --project paloaltonetworksgcp-public --sort-by "~creationTimestamp" --filter "name='vmseries-flex-byol-1102'" --format "value(NAME)" vmseries-flex-byol-1102</LI-CODE> <P>&nbsp;</P> <P><SPAN>You could list all the images for a specific version as well.</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="python">shv@cloudshell:~ (tme-demo-sandbox)$ gcloud compute images list --project paloaltonetworksgcp-public --sort-by "~creationTimestamp" --filter "name~'vmseries-flex-.*-1102'" --format "value(NAME)" vmseries-flex-bundle3-1102 vmseries-flex-bundle2-1102 vmseries-flex-bundle1-1102 vmseries-flex-byol-1102</LI-CODE> <P><SPAN>&nbsp;</SPAN></P> <H2><STRONG><FONT color="#FF6600">Deploying VM-Series With Your Desired PAN-OS Version</FONT></STRONG></H2> <P>&nbsp;</P> <P><SPAN>Now that we can identify the right image, all the remains to be done is deploy. You can do that through gcloud CLI, for example,</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="python">gcloud compute images create vmseries-flex-byol-1102 \ -–image-project=paloaltonetworksgcp-public \ --image=vmseries-flex-byol-1022 \ --zone=us-central1-a --network-interface \ --network=mgmt-vpc,--subnet=mgmt-subnet, address=’’ \ … --network-interface \ --network=untrust-vpc,--subnet=untrust-subnet, address=’’ \ … --network-interface \ --network=trust-vpc,--subnet=trust-subnet, address=’’ \ …</LI-CODE> <P>&nbsp;</P> <P>However, If you would like to deploy VM-Series using the GCP console, then you would first need to copy the image to your project, so that it can then be used to deploy the VM-Series instance. You can copy the image using the below gcloud CLI.</P> <P>&nbsp;</P> <LI-CODE lang="python">gcloud compute images create vmseries-flex-byol-1102 --project=my-google-project --source-image=vmseries-flex-byol-1022 --source-image-project=paloaltonetworksgcp-public</LI-CODE> <P>&nbsp;</P> <H2><STRONG><FONT color="#FF6600">Deploy VM-Series Through Terraform Automation</FONT></STRONG></H2> <P>&nbsp;</P> <P><SPAN>There are two ways to identify the image to use as the source for the VM-Series compute instance to be deployed.</SPAN></P> <P>&nbsp;</P> <H3><STRONG>Using Data Source</STRONG></H3> <P><SPAN>You could fetch the image details using the “google_compute_image” data source in Terraform.</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="python">data "google_compute_image" "vmseries" { name = “vmseries-flex-byol-1102” project = "paloaltonetworksgcp-public" }</LI-CODE> <P>&nbsp;</P> <P><SPAN>Then use the data source to provide the image URI to the “boot_disk” section of “google_compute_instance” resource block.</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="python">resource "google_compute_instance" "this" { … # All the other compute instance configuration boot_disk { initialize_params { image = data.google_compute_image.vmseries[0].self_link type = var.disk_type } } }</LI-CODE> <P>&nbsp;</P> <H3><STRONG>Using Image URI</STRONG></H3> <P><SPAN>You could also fetch the image URI directly using the gcloud command as shown below.</SPAN></P> <P><SPAN>gcloud compute images list --project paloaltonetworksgcp-public --filter "name='vmseries-flex-byol-1102'" --uri</SPAN></P> <P><SPAN>You will get the whole URI link as shown below.</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="python">shv@cloudshell:~ (tme-demo-sandbox)$ gcloud compute images list --project paloaltonetworksgcp-public --filter "name='vmseries-flex-byol-1102'" --uri https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-flex-byol-1102</LI-CODE> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>This URI can then be used directly for the value for “image” under “boot_disk” params as shown below.</SPAN></P> <P>&nbsp;</P> <LI-CODE lang="python">resource "google_compute_instance" "this" { … # All the other compute instance configuration boot_disk { initialize_params { image = “https://www.googleapis.com/compute/v1/projects/paloaltonetworksgcp-public/global/images/vmseries-flex-byol-1102” type = var.disk_type } } }</LI-CODE> <P>&nbsp;</P> <H2><STRONG><FONT size="5" color="#FF6600">Conclusion</FONT></STRONG></H2> <P>&nbsp;</P> <P><SPAN>In this document, we saw how you can identify the exact images for the VM-Series version that you need from the public Palo Alto Networks GCP Image repository. We also saw how we could then use that information to deploy VM-Series on your Google Cloud environments. I hope that this was informative for you, Thank you for reading!&nbsp;</SPAN></P> </DIV> Wed, 04 Oct 2023 16:54:18 GMT shv 2023-10-04T16:54:18Z https://live.paloaltonetworks.com/t5/general-articles/identify-and-deploy-specific-pan-os-versions-of-vm-series-on/ta-p/560078 <P><SPAN>In this article, we will look at how to identify the VM-Series versions based on the PAN-OS version and licensing model, how to deploy a specific version of VM-Series and then also how we can deploy the same through automation.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LIVEcommunity_PAN-OS-Versions_palo-alto-networks.jpg" style="width: 960px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54127i818CE878B1332215/image-size/large?v=v2&amp;px=999" role="button" title="LIVEcommunity_PAN-OS-Versions_palo-alto-networks.jpg" alt="LIVEcommunity_PAN-OS-Versions_palo-alto-networks.jpg" /></span></P> Wed, 04 Oct 2023 16:54:18 GMT https://live.paloaltonetworks.com/t5/general-articles/identify-and-deploy-specific-pan-os-versions-of-vm-series-on/ta-p/560078 shv 2023-10-04T16:54:18Z https://live.paloaltonetworks.com/t5/general-articles/identify-and-deploy-specific-pan-os-versions-of-vm-series-on/tac-p/561181#M676 <P>Very helpful guide, really cool!</P> Wed, 11 Oct 2023 02:24:22 GMT https://live.paloaltonetworks.com/t5/general-articles/identify-and-deploy-specific-pan-os-versions-of-vm-series-on/tac-p/561181#M676 Danielma911 2023-10-11T02:24:22Z