Upload the PAN-OS VM-Series image

Now that you have downloaded the necessary command-line interface (CLI) tools and prepared your network, we can upload the PAN-OS VM-series image in preparation for deploying it in the next lesson.

Prerequisites:

• CLI tools downloaded and prepared.
• Network prepared for firewall deployment.

In this lesson, you will:

• Prepare the PAN-OS VM-Series image and upload it to your environment.

Prepare the PAN-OS VM-Series image

Most users are familiar with hypervisors that store installation media like ISOs or QCOW2 images directly within their platform, like a datastore. We will describe a similar concept in this guide, but keep in mind that OpenShift provides several image storage options for installation media, including:

• Locally stored installation media via a PersistentVolumeClaim (PVC).
• Remotely via an artifact server (such as Artifactory).
• Remotely via a file server.
• Remotely via a container registry (such as Quay).

This lesson will walk you through uploading installation media to OpenShift directly using the PVC method.

Upload PAN-OS QCOW2

Follow these instructions to upload PAN-OS QCOW2:

1. Download a PAN-OS QCOW2 KVM image from https://support.paloaltonetworks.com/.
2. Once you’re logged into the Palo Alto Networks support portal, navigate to Updates > Software Updates.
3. Under Filters, choose PAN-OS for VM-Series KVM Base Images under Content type. You can use the Search box to filter on a specific version. In this lesson, we will use the image 11.1.4-h13 of PAN-OS QCOW2 KVM as a consistent example.
4. Click the image name under the Download column (i.e., PA-VM-KVM-11.1.4-h13.qcow2).

5. Create a new Namespace in OpenShift. We will be using the CLI a bit during this process, so make sure your KUBECONFIG is exported correctly. Let’s do this via the command line:

   $ export KUBECONFIG=$HOME/Downloads/kubeconfig $ oc get nodes NAME   STATUS  ROLES  AGE  VERSION ocp-01     Ready   control-plane,master,worker  28h  v1.31.7 $ export namespace=demo-pan $ oc new-project $namespace

   Once you’ve created the Namespace with the oc new-project command, you will be placed directly into that Namespace/Project automatically.

6. Now upload the QCOW2 image directly to an OpenShift PVC by using the virtctl utility (which you downloaded in the previous lesson). The next command assumes you have a default StorageClass configured. You also need to allot for 65Gi, because this is what Palo Alto requires for their QCOW2 image file. Don’t make the mistake of reducing this size, as it will fail to load properly if you change this parameter. See the following:

   $ virtctl image-upload dv pa-vm-kvm-11-1-4-h13 \  --size=65Gi \  --image-path=$HOME/Downloads/PA-VM-KVM-11.1.4-h13.qcow2 \  --access-mode=ReadWriteOnce \  --namespace=$namespace \  --insecure

   Take note of the --image-path location for the QCOW2 image above.

   Hint: Uploading the QCOW2 image will launch a really important Pod that you can use for troubleshooting, should there be any issues. It will be in the same namespace you’re working within—for example demo-pan. You can look for the Pod called cdi-upload-prime-*. This pod is used to convert the QCOW2 image into a block device that can be leveraged for your firewall disks.

 With the QCOW2 image loaded successfully, you can continue with the next section. If you have any issues with uploading the image to a PVC, make sure you’re looking at the logs for the cdi-upload-prime-* pod (provided in the Hint above).