From 46ade41a9a684953f2ac9826f5d439cb0928b6aa Mon Sep 17 00:00:00 2001
From: michalbil
Date: Wed, 2 Oct 2024 03:39:26 +0200
Subject: [PATCH] feat(examples): Add sample configuration for SCM
---
examples/multi_nic_common/README.md | 12 ++++++--
examples/multi_nic_common/example.tfvars | 28 +++++++++++++++----
.../README.md | 8 +++++-
.../example.tfvars | 26 +++++++++++++++--
examples/vmseries_ha/README.md | 12 ++++++--
examples/vmseries_ha/example.tfvars | 28 +++++++++++++++----
examples/vpc_peering_common/README.md | 12 ++++++--
examples/vpc_peering_common/example.tfvars | 28 +++++++++++++++----
.../README.md | 8 ++++++++
.../example.tfvars | 17 ++++++++++-
.../README.md | 12 ++++++--
.../example.tfvars | 28 +++++++++++++++----
examples/vpc_peering_dedicated/README.md | 12 ++++++--
examples/vpc_peering_dedicated/example.tfvars | 28 +++++++++++++++----
.../README.md | 8 ++++++++
.../example.tfvars | 17 ++++++++++-
16 files changed, 238 insertions(+), 46 deletions(-)
diff --git a/examples/multi_nic_common/README.md b/examples/multi_nic_common/README.md
index 2164287..fd1ba36 100644
--- a/examples/multi_nic_common/README.md
+++ b/examples/multi_nic_common/README.md
@@ -29,6 +29,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project @@ -59,10 +67,10 @@ terraform apply 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 77 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 77 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/multi_nic_common/example.tfvars b/examples/multi_nic_common/example.tfvars index d551ddc..3392ac0 100644 --- a/examples/multi_nic_common/example.tfvars +++ b/examples/multi_nic_common/example.tfvars 
@@ -176,8 +176,24 @@ vmseries_common = { min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" bootstrap_options = { + # TODO: Modify the values below as per deployment requirements type = "dhcp-client" mgmt-interface-swap = "enable" + + # Panorama based bootstrap. + # panorama-server = "1.1.1.1" + # panorama-server-2 = "2.2.2.2" + # tplname = "example-template" + # dgname = "example-device-group" + # vm-auth-key = "example-123456789" + + # SCM based bootstrap. + # panorama-server = "cloud" + # dgname = "example-scm-folder" + # vm-series-auto-registration-pin-id = "example-pin-id" + # vm-series-auto-registration-pin-value = "example-pin-value" + # authcode = "D123456" + # plugin-op-commands = "advance-routing:enable" } } @@ -195,9 +211,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { spoke1_gcp_router_ip = "10.10.12.1" @@ -256,9 +272,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { spoke1_gcp_router_ip = "10.10.12.1" diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/README.md b/examples/standalone_vmseries_with_metadata_bootstrap/README.md index 0aa3452..d6b1060 100644 
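Review bot: The commented-out Panorama and SCM samples added to `vmseries_common.bootstrap_options` (first hunk of multi_nic_common/example.tfvars) list `vm-auth-key`, `vm-series-auto-registration-pin-value` and `authcode` beside ordinary settings without saying that they are credentials. Once uncommented in a tracked tfvars file, real values would sit in version control and in Terraform state, and, going by the README text added in this commit, presumably also in the generated `init-cfg.txt` in Cloud Storage. I would add a comment above the two sections such as `# vm-auth-key, the registration PIN and authcode are secrets: keep real values out of version control and restrict read access to the bootstrap bucket`. The same block is added in the vmseries_ha, vpc_peering_common, vpc_peering_common_with_network_tags and vpc_peering_dedicated example.tfvars hunks. The `vmseries_common` object starts before this hunk.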
--- a/examples/standalone_vmseries_with_metadata_bootstrap/README.md +++ b/examples/standalone_vmseries_with_metadata_bootstrap/README.md @@ -5,7 +5,13 @@ show_in_hub: false A Terraform module example for deploying a VM-Series NGFW in GCP using the [metadata](https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/bootstrap-the-vm-series-firewall/choose-a-bootstrap-method#idf6412176-e973-488e-9d7a-c568fe1e33a9) bootstrap method. -This example can be used to familarize oneself with both the VM-Series NGFW and Terraform - it creates a single instance of virtualized firewall in a Security VPC with a management-only interface and lacks any traffic inspection. +This example can be used to familarize oneself with both the VM-Series NGFW and Terraform - by default the deployment creates a single instance of virtualized firewall in a Security VPC with a management-only interface and lacks any traffic inspection. + +## Bootstrap + +By default, only basic bootstrap parameters are enabled. The example also provides sample settings that can be used to register the firewall to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections in `bootstrap_options` parameter. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. ## Reference diff --git a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars index e0b93e6..d6ffaed 100644 --- a/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars +++ b/examples/standalone_vmseries_with_metadata_bootstrap/example.tfvars 
@@ -45,9 +45,29 @@ vmseries = { "https://www.googleapis.com/auth/monitoring.write", ] bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + type = "dhcp-client" + dhcp-accept-server-hostname = "yes" + dhcp-accept-server-domain = "yes" + dhcp-send-hostname = "yes" + dhcp-send-client-id = "yes" + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" + + # Panorama based bootstrap. + # panorama-server = "1.1.1.1" + # panorama-server-2 = "2.2.2.2" + # tplname = "example-template" + # dgname = "example-device-group" + # vm-auth-key = "example-123456789" + + # SCM based bootstrap. + # panorama-server = "cloud" + # dgname = "example-scm-folder" + # vm-series-auto-registration-pin-id = "example-pin-id" + # vm-series-auto-registration-pin-value = "example-pin-value" + # authcode = "D123456" + # plugin-op-commands = "advance-routing:enable" } named_ports = [ { diff --git a/examples/vmseries_ha/README.md b/examples/vmseries_ha/README.md index 9971342..61a26c2 100644 --- a/examples/vmseries_ha/README.md +++ b/examples/vmseries_ha/README.md 
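Review bot: This example bootstraps through instance metadata (per its directory name and README), so the sample `vm-auth-key`, `vm-series-auto-registration-pin-value` and `authcode` keys in `bootstrap_options` would presumably be stored as clear-text instance metadata once uncommented. Metadata values are readable by any principal allowed to view the instance, and they are also written to Terraform state. A comment above the two sample sections would make that visible, for example `# Values set here are passed as instance metadata in clear text; use short-lived auth keys and PINs and limit who can read instance metadata`. The `vmseries` object starts before the hunk and continues after it.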
@@ -55,6 +55,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project @@ -85,10 +93,10 @@ terraform apply 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 96 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 96 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/vmseries_ha/example.tfvars b/examples/vmseries_ha/example.tfvars index a083328..bee6dc8 100644 --- a/examples/vmseries_ha/example.tfvars +++ b/examples/vmseries_ha/example.tfvars 
@@ -239,8 +239,24 @@ vmseries_common = { min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" bootstrap_options = { + # TODO: Modify the values below as per deployment requirements type = "dhcp-client" mgmt-interface-swap = "enable" + + # Panorama based bootstrap. + # panorama-server = "1.1.1.1" + # panorama-server-2 = "2.2.2.2" + # tplname = "example-template" + # dgname = "example-device-group" + # vm-auth-key = "example-123456789" + + # SCM based bootstrap. + # panorama-server = "cloud" + # dgname = "example-scm-folder" + # vm-series-auto-registration-pin-id = "example-pin-id" + # vm-series-auto-registration-pin-value = "example-pin-value" + # authcode = "D123456" + # plugin-op-commands = "advance-routing:enable" } } @@ -258,9 +274,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { trust_gcp_router_ip = "10.10.12.1" @@ -321,9 +337,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { trust_gcp_router_ip = "10.10.12.1" diff --git a/examples/vpc_peering_common/README.md b/examples/vpc_peering_common/README.md index ac20070..7c81ab0 100644 --- a/examples/vpc_peering_common/README.md 
+++ b/examples/vpc_peering_common/README.md @@ -53,6 +53,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project @@ -83,10 +91,10 @@ terraform apply 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 96 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 96 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/vpc_peering_common/example.tfvars b/examples/vpc_peering_common/example.tfvars index 49d9257..5d838a8 100644 --- a/examples/vpc_peering_common/example.tfvars +++ b/examples/vpc_peering_common/example.tfvars 
@@ -215,8 +215,24 @@ vmseries_common = { min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" bootstrap_options = { + # TODO: Modify the values below as per deployment requirements type = "dhcp-client" mgmt-interface-swap = "enable" + + # Panorama based bootstrap. + # panorama-server = "1.1.1.1" + # panorama-server-2 = "2.2.2.2" + # tplname = "example-template" + # dgname = "example-device-group" + # vm-auth-key = "example-123456789" + + # SCM based bootstrap. + # panorama-server = "cloud" + # dgname = "example-scm-folder" + # vm-series-auto-registration-pin-id = "example-pin-id" + # vm-series-auto-registration-pin-value = "example-pin-value" + # authcode = "D123456" + # plugin-op-commands = "advance-routing:enable" } } @@ -234,9 +250,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { trust_gcp_router_ip = "10.10.12.1" @@ -288,9 +304,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { trust_gcp_router_ip = "10.10.12.1" diff --git a/examples/vpc_peering_common_with_autoscale/README.md b/examples/vpc_peering_common_with_autoscale/README.md index 9885f98..45a1a49 100644 
--- a/examples/vpc_peering_common_with_autoscale/README.md +++ b/examples/vpc_peering_common_with_autoscale/README.md @@ -42,6 +42,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project diff --git a/examples/vpc_peering_common_with_autoscale/example.tfvars b/examples/vpc_peering_common_with_autoscale/example.tfvars index 2573804..7eb59d0 100644 --- a/examples/vpc_peering_common_with_autoscale/example.tfvars +++ b/examples/vpc_peering_common_with_autoscale/example.tfvars 
@@ -248,14 +248,29 @@ autoscale = { } } bootstrap_options = { + # TODO: Modify the values below as per deployment requirements type = "dhcp-client" dhcp-send-hostname = "yes" dhcp-send-client-id = "yes" dhcp-accept-server-hostname = "yes" dhcp-accept-server-domain = "yes" mgmt-interface-swap = "enable" - panorama-server = "1.1.1.1" ssh-keys = "admin:" # Replace this value with client data + + # Panorama based bootstrap. + panorama-server = "1.1.1.1" + panorama-server-2 = "2.2.2.2" + tplname = "example-template" + dgname = "example-device-group" + vm-auth-key = "example-123456789" + + # SCM based bootstrap. + # panorama-server = "cloud" + # dgname = "example-scm-folder" + # vm-series-auto-registration-pin-id = "example-pin-id" + # vm-series-auto-registration-pin-value = "example-pin-value" + # authcode = "D123456" + # plugin-op-commands = "advance-routing:enable" } network_interfaces = [ { diff --git a/examples/vpc_peering_common_with_network_tags/README.md b/examples/vpc_peering_common_with_network_tags/README.md index e4f81f1..9a27248 100644 --- a/examples/vpc_peering_common_with_network_tags/README.md +++ b/examples/vpc_peering_common_with_network_tags/README.md 
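Review bot: Unlike the other examples in this commit, the Panorama section of the `bootstrap_options` block under `autoscale` is left active with placeholder values, including `vm-auth-key = "example-123456789"` and the publicly routable addresses `1.1.1.1` and `2.2.2.2`. Applying the example unchanged would have the firewalls try to register with hosts the operator does not control, and uncommenting the SCM section as the README describes would define `panorama-server` and `dgname` twice in the same object. I would either comment the Panorama keys out as in the non-autoscale examples, or add `# Only one of the Panorama / SCM sections may be active; comment out the Panorama keys before enabling SCM` and switch the placeholders to a documentation range (for instance `192.0.2.10`, a constructed sample value). The same applies to the vpc_peering_dedicated_with_autoscale/example.tfvars hunk. The enclosing `autoscale` object starts before the hunk and continues after it.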
@@ -36,6 +36,14 @@ With default variable values the topology consists of : 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Build 1. Access Google Cloud Shell or any other environment which has access to your GCP project @@ -65,10 +73,10 @@ terraform apply -var-file=example.tfvars 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 115 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 115 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/vpc_peering_common_with_network_tags/example.tfvars b/examples/vpc_peering_common_with_network_tags/example.tfvars index 4b95726..cd40d76 100644 --- a/examples/vpc_peering_common_with_network_tags/example.tfvars +++ b/examples/vpc_peering_common_with_network_tags/example.tfvars 
@@ -210,8 +210,24 @@ vmseries_common = { min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" bootstrap_options = { + # TODO: Modify the values below as per deployment requirements type = "dhcp-client" mgmt-interface-swap = "enable" + + # Panorama based bootstrap. + # panorama-server = "1.1.1.1" + # panorama-server-2 = "2.2.2.2" + # tplname = "example-template" + # dgname = "example-device-group" + # vm-auth-key = "example-123456789" + + # SCM based bootstrap. + # panorama-server = "cloud" + # dgname = "example-scm-folder" + # vm-series-auto-registration-pin-id = "example-pin-id" + # vm-series-auto-registration-pin-value = "example-pin-value" + # authcode = "D123456" + # plugin-op-commands = "advance-routing:enable" } } @@ -230,9 +246,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { trust_gcp_router_ip = "10.10.12.1" @@ -285,9 +301,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { trust_gcp_router_ip = "10.10.12.1" diff --git a/examples/vpc_peering_dedicated/README.md b/examples/vpc_peering_dedicated/README.md index 0e1ebfb..891c21c 100644 --- a/examples/vpc_peering_dedicated/README.md 
+++ b/examples/vpc_peering_dedicated/README.md @@ -49,6 +49,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Build 1. Access Google Cloud Shell or any other environment which has access to your GCP project @@ -79,10 +87,10 @@ terraform apply -var-file=example.tfvars 4. Check the output plan and confirm the apply. -5. Check the successful application and outputs of the resulting infrastructure: +5. Check the successful application and outputs of the resulting infrastructure (number of resources can vary based on how many instances are defined in tfvars): ``` -Apply complete! Resources: 104 added, 0 changed, 0 destroyed. (Number of resources can vary based on how many instances you push through tfvars) +Apply complete! Resources: 104 added, 0 changed, 0 destroyed. Outputs: diff --git a/examples/vpc_peering_dedicated/example.tfvars b/examples/vpc_peering_dedicated/example.tfvars index 00e4d89..9b6bca6 100644 --- a/examples/vpc_peering_dedicated/example.tfvars +++ b/examples/vpc_peering_dedicated/example.tfvars 
@@ -215,8 +215,24 @@ vmseries_common = { min_cpu_platform = "Intel Cascade Lake" service_account_key = "sa-vmseries-01" bootstrap_options = { + # TODO: Modify the values below as per deployment requirements type = "dhcp-client" mgmt-interface-swap = "enable" + + # Panorama based bootstrap. + # panorama-server = "1.1.1.1" + # panorama-server-2 = "2.2.2.2" + # tplname = "example-template" + # dgname = "example-device-group" + # vm-auth-key = "example-123456789" + + # SCM based bootstrap. + # panorama-server = "cloud" + # dgname = "example-scm-folder" + # vm-series-auto-registration-pin-id = "example-pin-id" + # vm-series-auto-registration-pin-value = "example-pin-value" + # authcode = "D123456" + # plugin-op-commands = "advance-routing:enable" } } @@ -234,9 +250,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { trust_gcp_router_ip = "10.10.12.1" @@ -286,9 +302,9 @@ vmseries = { ] bootstrap_bucket_key = "vmseries-bootstrap-bucket-01" bootstrap_options = { - panorama-server = "1.1.1.1" # Modify this value as per deployment requirements - dns-primary = "8.8.8.8" # Modify this value as per deployment requirements - dns-secondary = "8.8.4.4" # Modify this value as per deployment requirements + # TODO: Modify the values below as per deployment requirements + dns-primary = "8.8.8.8" + dns-secondary = "8.8.4.4" } bootstrap_template_map = { trust_gcp_router_ip = "10.10.12.1" diff --git a/examples/vpc_peering_dedicated_with_autoscale/README.md b/examples/vpc_peering_dedicated_with_autoscale/README.md index fa8ca03..3cc4e17 100644 
--- a/examples/vpc_peering_dedicated_with_autoscale/README.md +++ b/examples/vpc_peering_dedicated_with_autoscale/README.md @@ -43,6 +43,14 @@ The following steps should be followed before deploying the Terraform code prese 1. Prepare [VM-Series licenses](https://support.paloaltonetworks.com/) 2. Configure the terraform [google provider](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/provider_reference#authentication-configuration) +## Bootstrap + +With default settings, firewall instances will get the initial configuration from generated `init-cfg.txt` and `bootstrap.xml` files placed in Cloud Storage. + +The `example.tfvars` file also contains commented out sample settings that can be used to register the firewalls to either Panorama or Strata Cloud Manager (SCM) and complete the configuration. To enable this, uncomment one of the sections and adjust `vmseries_common.bootstrap_options` and `vmseries..bootstrap_options` parameters accordingly. + +> SCM bootstrap is supported on PAN-OS version 11.0 and above. + ## Usage 1. Access Google Cloud Shell or any other environment that has access to your GCP project diff --git a/examples/vpc_peering_dedicated_with_autoscale/example.tfvars b/examples/vpc_peering_dedicated_with_autoscale/example.tfvars index 17708c0..dd946a6 100644 --- a/examples/vpc_peering_dedicated_with_autoscale/example.tfvars +++ b/examples/vpc_peering_dedicated_with_autoscale/example.tfvars 
@@ -248,14 +248,29 @@ autoscale = { } } bootstrap_options = { + # TODO: Modify the values below as per deployment requirements type = "dhcp-client" dhcp-send-hostname = "yes" dhcp-send-client-id = "yes" dhcp-accept-server-hostname = "yes" dhcp-accept-server-domain = "yes" mgmt-interface-swap = "enable" - panorama-server = "1.1.1.1" ssh-keys = "admin:" # Replace this value with client data + + # Panorama based bootstrap. + panorama-server = "1.1.1.1" + panorama-server-2 = "2.2.2.2" + tplname = "example-template" + dgname = "example-device-group" + vm-auth-key = "example-123456789" + + # SCM based bootstrap. + # panorama-server = "cloud" + # dgname = "example-scm-folder" + # vm-series-auto-registration-pin-id = "example-pin-id" + # vm-series-auto-registration-pin-value = "example-pin-value" + # authcode = "D123456" + # plugin-op-commands = "advance-routing:enable" } network_interfaces = [ {