When you install a PaloAlto firewall, it runs the bootstrapping process the first time it boots. PaloAlto uses the settings defined in the bootstrap files, including init-cfg.txt and bootstrap.xml under the config folder, to configure the initial state of the firewall.
For example, during the bootstrap process, it will either use the license key specified in the bootstrap package or connect to your Panorama server using the ip-address provided in the config file to get the license setup.
Apart from the license details, the init-cfg.txt file also contains details about how to configure the interface on the firewalls. For example, this includes the ip-address, netmask, and default gateway for the management interface.
This tutorial provides examples of the init-cfg.txt file and details of different possible configuration parameters specified inside this file. The bootstrap package should have this configuration file under config folder: config/init-cfg.txt
The name of this configuration file can be one of the following:
- init-cfg.txt
- {UniqueID}-init-cfg.txt – The UniqueID here can either be the UUID or serial number of the firewall. For example: ABC1235001-init-cfg.txt
On a related note, if you are still running an older version of Palo Alto PAN-OS, refer to this: 5 Steps to Upgrade PaloAlto PAN-OS Firewall Software from CLI or Console
Sample init-cfg.txt Example file
The following is an example of the init-cfg.txt file that I used on one of the PaloAlto firewalls.
$ cat init-cfg.txt
type=dhcp-client
panorama-server=192.168.1.70
vm-auth-key=111222333444555
tplname=appTemplate
dgname=appDevices
op-command-modes=mgmt-interface-swap
In the above sample file:
- type – Since this is a required field, I tend to put this parameter at the top to keep the file organized. This indicates the type of management ip address. In this example, the management ip-address will be assigned dynamically by DHCP.
- panorama-server – This is required only if you are using Panorama to manage all your firewalls in a central location. This is also required if you are using Panorama to manage licenses for all your firewalls. Specify the ip-address of the Panorama server in this parameter.
- vm-auth-key – This is the authentication key for Panorama. You should first generate this key in Panorama and use it on the firewall.
- tplname – Name of the Panorama template stack to which this firewall should be added.
- dgname – Name of the Panorama device group to which this firewall should be added.
- op-command-modes – If you are launching your firewall on AWS and it is behind an AWS load balancer (ELB), specify mgmt-interface-swap as the value of this parameter to swap the management interface.
Sample init-cfg.txt for Static IP Address
The following is an example of init-cfg.txt file when you want to use a static ip-address. You don’t have to use all the parameters mentioned here. Use only those that are relevant to your environment.
$ cat init-cfg.txt
type=static
ip-address=192.168.101.21
default-gateway=192.168.101.1
netmask=255.255.255.0
hostname=APP-FW-PRIMARY
panorama-server=192.168.1.70
panorama-server-2=192.168.1.71
vm-auth-key=111222333444555
tplname=appTemplate
dgname=appDevices
dns-primary=192.168.100.5
dns-secondary=192.168.100.6
op-command-modes=jumbo-frame,mgmt-interface-swap
dhcp-send-hostname=no
dhcp-send-client-id=no
dhcp-accept-server-hostname=no
dhcp-accept-server-domain=no
Sample init-cfg.txt for DHCP IP Address
The following is an example of init-cfg.txt file if you want to use dynamic DHCP ip-address. You don’t have to use all the parameters mentioned here. Use only those that are relevant to your environment.
$ cat init-cfg.txt
type=dhcp-client
hostname=APP-FW-PRIMARY
vm-auth-key=111222333444555
panorama-server=192.168.1.70
panorama-server-2=192.168.1.71
tplname=appTemplate
dgname=appDevices
dns-primary=192.168.100.5
dns-secondary=192.168.100.6
op-command-modes=jumbo-frame,mgmt-interface-swap
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes
Note: mgmt-interface-swap value for op-command-modes is needed only if you are launching PaloAlto firewall on AWS.
Once PaloAlto firewall is configured and running, to create additional admin users refer to this: 10 Examples to Manage PaloAlto Firewall Users from PAN-OS CLI
The next few sections list all possible fields that you can provide inside your init-cfg.txt config file.
init-cfg.txt Management Interface Parameters (Static IP)
The following fields control how the management interface on your firewall is configured:
- type – This is a required field. Value can either be static or dhcp-client. This indicates the type of management ip address.
- ip-address – If you specify static for the type field and are using IPv4, use this field to specify the ip-address of your management interface. For firewalls running on AWS you can’t specify the management ip address here; the firewall will ignore it even if you set it in this field. This field is ignored when the type is dhcp-client.
- netmask – If you specify static for type field and using IPv4, use this field to specify the netmask for your management interface. This field is ignored when the type is dhcp-client.
- default-gateway – If you specify static for type field and using IPv4, use this field to specify the default gateway for your management interface. This field is ignored when the type is dhcp-client.
- ipv6-address – This is similar to the ip-address field, but for IPv6 address. Use this to specify IPv6 address and /prefix length. This field is ignored when the type is dhcp-client.
- ipv6-default-gateway – This is similar to default-gateway field, but for IPv6 address. Use this to specify the IPv6 default gateway for the management interface. This field is ignored when the type is dhcp-client.
init-cfg.txt Management Interface Parameters (Dynamic IP)
The following fields apply only to the DHCP client type, i.e. only when you’ve set the type field to dhcp-client:
- dhcp-send-hostname – The value for this field can be either yes or no. If the value is yes, the firewall will send the hostname to DHCP server.
- dhcp-send-client-id – The value for this field can be either yes or no. If the value is yes, the firewall will send the client ID to DHCP server.
- dhcp-accept-server-hostname – The value for this field can be either yes or no. If the value is yes, the firewall will accept the hostname from the DHCP server.
- dhcp-accept-server-domain – The value for this field can be either yes or no. If the value is yes, the firewall will accept the DNS server from the DHCP server.
init-cfg.txt Panorama Related Parameters
Use the following fields only if you are using Panorama to centrally manage all your firewalls:
- panorama-server – When using Panorama to centrally manage all your firewalls, use this field to specify either the IPv4 or IPv6 address of your panorama server.
- panorama-server-2 – If you have two panoramas running in primary/secondary mode, use the above field to specify the ip-address of your primary panorama server, and use this field to specify the ip-address of your secondary panorama server.
- tplname – tpl stands for Template. If you are using templates that were created in Panorama to centrally manage and push configuration settings to your firewalls, use this field to specify the template stack name in Panorama to which this firewall belongs.
- dgname – dg stands for Device Group. If you are using device groups that were created in Panorama to push policy rules to your firewalls, use this field to specify the device group name in Panorama to which this firewall belongs.
- cgname – cg stands for Collector group. If you are using Panorama to centrally manage all the logs from different firewalls, use this field to specify the log collector group name in Panorama where this firewall should forward the logs to.
- vm-auth-key – When you are centrally managing all your firewall licenses from Panorama, generate a VM auth key on Panorama, and specify that authentication key as value to this field.
init-cfg.txt Additional Parameters
The following are additional fields that you can specify in your config file:
- hostname – Specify a host name for your firewall using this field. While this field is optional, I highly recommend that you use this field to set a meaningful hostname to your firewall.
- dns-primary – Specify either the IPv4 or IPv6 address of your primary DNS server.
- dns-secondary – Specify either the IPv4 or IPv6 address of your secondary DNS server.
- op-command-modes – There are three possible values for this field: multi-vsys, jumbo-frame, mgmt-interface-swap. You can enter more than one value for this field by using a comma. multi-vsys enables multiple virtual systems for this firewall. jumbo-frame will set the default MTU size to 9192 bytes. Use mgmt-interface-swap when your firewall is running on AWS behind an Application load balancer (ALB) to swap the management interface on the firewall.
- op-cmd-dpdk-pkt-io – The value can either be on or off. When on, this will enable the Data Plane Development Kit (DPDK) on your firewall.
- plugin-op-commands – You can specify your firewall plugin operation commands here. For example, when integrating the firewall with AWS Gateway Load Balancer (GWLB), you can use these values for this field: aws-gwlb-inspect:enable, aws-gwlb-associate-vpce:{value}, aws-gwlb-overlay-routing:enable
- vm-series-auto-registration-pin-id – If you are using Cortex AutoFocus on your firewall, specify the corresponding PIN ID here to activate the license.
- vm-series-auto-registration-pin-value – This is the PIN value for the above PIN ID to activate the Cortex AutoFocus license on your firewall.
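Because the firewall silently ignores fields that do not match the chosen type (for example ip-address with type=dhcp-client), it is worth checking a bootstrap package before you ship it. The following is an added example, not code from the page or from Palo Alto: it parses the key=value lines of an init-cfg.txt and reports fields that the sections above say are required, ignored, or restricted to known values. The field list and the checks are taken from those sections; the sample input in the test is a constructed copy of the page's own samples.

```python
# Added example: lint an init-cfg.txt against the fields described above.
STATIC_ONLY = {"ip-address", "netmask", "default-gateway",
               "ipv6-address", "ipv6-default-gateway"}
DHCP_ONLY = {"dhcp-send-hostname", "dhcp-send-client-id",
             "dhcp-accept-server-hostname", "dhcp-accept-server-domain"}
OTHER = {"panorama-server", "panorama-server-2", "tplname", "dgname", "cgname",
         "vm-auth-key", "hostname", "dns-primary", "dns-secondary",
         "op-command-modes", "op-cmd-dpdk-pkt-io", "plugin-op-commands",
         "vm-series-auto-registration-pin-id", "vm-series-auto-registration-pin-value"}
KNOWN = {"type"} | STATIC_ONLY | DHCP_ONLY | OTHER
OP_MODES = {"multi-vsys", "jumbo-frame", "mgmt-interface-swap"}

def parse_init_cfg(text):
    """Return {key: value} from the non-empty key=value lines of an init-cfg.txt."""
    cfg = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if "=" not in line:
            raise ValueError(f"expected key=value, got {line!r}")
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def check_init_cfg(cfg):
    """Return a sorted list of problems found in a parsed init-cfg.txt."""
    problems = []
    kind = cfg.get("type")
    if kind not in ("static", "dhcp-client"):
        problems.append("type must be static or dhcp-client")
    elif kind == "static":
        if "ip-address" not in cfg and "ipv6-address" not in cfg:
            problems.append("type=static needs ip-address or ipv6-address")
        for k in ("netmask", "default-gateway"):
            if "ip-address" in cfg and k not in cfg:
                problems.append(f"ip-address is set but {k} is missing")
        problems += [f"{k} applies only to dhcp-client" for k in DHCP_ONLY & cfg.keys()]
    else:
        problems += [f"{k} is ignored when type=dhcp-client" for k in STATIC_ONLY & cfg.keys()]
    for k in DHCP_ONLY & cfg.keys():
        if cfg[k] not in ("yes", "no"):
            problems.append(f"{k} must be yes or no")
    for mode in cfg.get("op-command-modes", "").split(","):
        if mode and mode.strip() not in OP_MODES:
            problems.append(f"unknown op-command-modes value {mode.strip()!r}")
    if ("tplname" in cfg or "dgname" in cfg) and "panorama-server" not in cfg:
        problems.append("tplname/dgname need panorama-server")
    problems += [f"unknown field {k}" for k in cfg.keys() - KNOWN]
    return sorted(problems)
```

Run check_init_cfg(parse_init_cfg(open("config/init-cfg.txt").read())) and an empty list means none of the checks above fired.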