Bootstrap a Firewall Using a USB Flash Drive

The firewall must be in a factory default state or must have all private data deleted.
To ensure connectivity with your corporate headquarters, cable the firewall by connecting the management interface (MGT) using an Ethernet cable to one of the following:
An upstream modem
A port on the switch or router
An Ethernet jack in the wall
Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory default firewall bootstraps itself from the USB flash drive.
The firewall Status light turns from yellow to green when the firewall is configured; autocommit is successful.
Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
Verify the general system settings and configuration by accessing the web interface and selecting
Dashboard
Widgets
System
or by using the CLI operational commands
show system info
and
show config running
.
Verify the license installation by selecting
Device
Licenses
or by using the CLI operational command
request license info
.
If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.
(
Panorama managed firewalls only
) Create a device registration authentication key and add it to the firewall.
This is required to successfully add a bootstrapped firewall to Panorama management. The device registration authentication key has a finite lifetime and including the device registration authentication key in the init-cfg.txt file is not supported.
Log in to the Panorama web interface.
Select
Panorama
Device Registration Auth Key
and
Add
a new authentication key.
Configure the authentication key.
Name
—Add a descriptive name for the authentication key.
Lifetime
—Specify the key lifetime to limit how long you can use the authentication key to onboard new firewalls.
Count
—Specify how many times you can use the authentication key to onboard new firewalls.
Device Type
—Specify that this authentication key is used to authenticate only a
Firewall
.
You can select
Any
to use the device registration authentication key to onboard firewalls, Log Collectors, and WildFire appliances.
(
Optional
)
Devices
—Enter one or more device serial numbers to specify for which firewalls the authentication key is valid.
Click
OK
.
When prompted,
Copy Auth Key
and
Close
.
Log in to the firewall web interface.
You can also log in to the firewall CLI to add the device registration authentication key.
admin> 
request authkey set <auth key>
Select
Device
Setup
Management
and edit the Panorama Settings.
Paste the device registration authentication key you copied in the previous step and click
OK
.
Commit
.
Log in to the Panorama web interface and select
Panorama
Managed Devices
Summary
to verify the firewall is
Connected
to Panorama