Create the init-cfg.txt File
Create a new text file. Use a text editor such as Notepad, EditPad, or other plain-text editors to create a text file.
Add the basic network configuration for the management interface on the firewall.
If any of the required parameters are missing in the file, the firewall exits the bootstrap process and boots up using the default IP address, 192.168.1.1. You can view the system log on the firewall to detect the reason for the bootstrap failure. For errors, see Licensing API.
There are no spaces between the key and value in each field. Do not add spaces as they could cause failures during parsing on the mgmtsrvr side.
To configure the management interface with a static IP address, you must specify the IP address, type of address, default gateway, and netmask. An IPv4 address is required, IPv6 is optional. For syntax, see Sample init-cfg.txt file (Static IP Address).
To configure the management interface as a DHCP client, you must specify only the type of address. If you enable the DHCP client on the management interface, the firewall ignores the IP address, default gateway, netmask, IPv6 address, and IPv6 default gateway values defined in the file. For syntax, see Sample init-cfg.txt file (DHCP Client).
When you enable DHCP on the management interface, the firewall takes the DHCP assigned IP address and is accessible over the network. You can view the DHCP assigned IP address on the General Information widget on the Dashboard or with the CLI command show system info. However, the default static management IP address 192.168.1.1 is retained in the running configuration (show config running) on the firewall. This static IP address ensures that you can always restore connectivity to your firewall, in the event you lose DHCP access to the firewall.
Add the VM auth key to register a VM-Series firewall with Panorama. To add a VM-Series firewall on Panorama, you must add the VM auth key that you generated on Panorama to the basic configuration (init-cfg.txt) file. For details on generating a key, see Generate the VM Auth Key on Panorama.
Add details for accessing Panorama. Add IP addresses for the primary and secondary Panorama servers. Specify the template and the device group to which you want to assign the firewall.
(Optional) Include additional parameters for the firewall.
Add the IP addresses for the primary and secondary DNS servers.
Add the hostname for the firewall.
Enable either jumbo frames or multiple virtual systems (or both).
Enable swapping of the management interface (mgmt) and the dataplane interface (ethernet 1/1) on the VM-Series firewall in AWS. For more information on changing the management interface, see Management Interface Mapping for Use with Amazon ELB.
The following table describes the fields in the init-cfg.txt file. The type, ip-address, default-gateway, and netmask are required.
Fields in the init-cfg.txt File
Field Description
type= Type of management IP address: static or dhcp-client. This field is required.
ip-address= IPv4 address. This field is ignored if the type is dhcp-client. If the type is static, an IPv4 address is required; the ipv6-address field is optional and can be included. You cannot specify the management IP address and netmask configuration for the VM-Series firewall in AWS and Azure. If defined, the firewall ignores the values you specify.
default-gateway= IPv4 default gateway for the management interface. This field is ignored if the type is dhcp-client. If the type is static, and ip-address is used, this field is required.
netmask= IPv4 netmask. This field is ignored if the type is dhcp-client. If the type is static, and ip-address is used, this field is required.
ipv6-address= (Optional) IPv6 address and /prefix length of the management interface. This field is ignored if the type is dhcp-client. If the type is static, this field can be specified along with the ip-address field, which is required.
ipv6-default-gateway= IPv6 default gateway for the management interface. This field is ignored if the type is dhcp-client. If the type is static and ipv6-address is used, this field is required.
hostname= Host name for the firewall.
panorama-server= IPv4 or IPv6 address of the primary Panorama server. This field is not required but recommended for centrally managing your firewalls.
panorama-server-2= IPv4 or IPv6 address of the secondary Panorama server. This field is not required but recommended.
tplname= Panorama template name. If you add a Panorama server IP address, as a best practice create a template on Panorama and enter the template name in this field so that you can centrally manage and push configuration settings to the firewall.
dgname= Panorama device group name. If you add a Panorama server IP address, as a best practice create a device group on Panorama and enter the device group name in this field so that you can group the firewalls logically and push policy rules to the firewall.
dns-primary= IPv4 or IPv6 address of the primary DNS server.
dns-secondary= IPv4 or IPv6 address of the secondary DNS server.
vm-auth-key= Virtual machine authentication key. (This field is ignored when bootstrapping hardware firewalls.)
op-command-modes= The following values are allowed: multi-vsys, jumbo-frame, mgmt-interface-swap. If you enter multiple values, use a space or a comma to separate the entries. multi-vsys—(For hardware-based firewalls only) Enables multiple virtual systems. jumbo-frame—Enables the default MTU size for all Layer 3 interfaces to be set at 9192 bytes. mgmt-interface-swap—(For VM-Series firewall in AWS only) Allows you to swap the management interface (MGT) with the dataplane interface (ethernet 1/1) when deploying the firewall. For details, see Management Interface Mapping for Use with Amazon ELB.
dhcp-send-hostname= The value of yes or no comes from the DHCP server. If yes, the firewall will send its hostname to the DHCP server. This field is relevant only if type is dhcp-client.
dhcp-send-client-id= The value of yes or no comes from the DHCP server. If yes, the firewall will send its client ID to the DHCP server. This field is relevant only if type is dhcp-client.
dhcp-accept-server-hostname= The value of yes or no comes from the DHCP server. If yes, the firewall will accept its hostname from the DHCP server. This field is relevant only if type is dhcp-client.
dhcp-accept-server-domain= The value of yes or no comes from the DHCP server. If yes, the firewall will accept its DNS server from the DHCP server. This field is relevant only if type is dhcp-client.
The following sample basic configuration (init-cfg.txt) files show all the parameters that are supported in the file. The required parameters are type, ip-address, default-gateway, and netmask.
Sample init-cfg.txt file (Static IP Address)
type=static
ip-address=10.5.107.19
default-gateway=10.5.107.1
netmask=255.255.255.0
ipv6-address=2001:400:f00::1/64
ipv6-default-gateway=2001:400:f00::2
hostname=Ca-FW-DC1
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=jumbo-frame, mgmt-interface-swap**
dhcp-send-hostname=no
dhcp-send-client-id=no
dhcp-accept-server-hostname=no
dhcp-accept-server-domain=no

Sample init-cfg.txt file (DHCP Client)
type=dhcp-client
ip-address=
default-gateway=
netmask=
ipv6-address=
ipv6-default-gateway=
hostname=Ca-FW-DC1
vm-auth-key=755036225328715
panorama-server=10.5.107.20
panorama-server-2=10.5.107.21
tplname=FINANCE_TG4
dgname=finance_dg
dns-primary=10.5.6.6
dns-secondary=10.5.6.7
op-command-modes=jumbo-frame, mgmt-interface-swap**
dhcp-send-hostname=yes
dhcp-send-client-id=yes
dhcp-accept-server-hostname=yes
dhcp-accept-server-domain=yes
You cannot specify the management IP address and netmask configuration for the VM-Series firewall in AWS. If defined, the firewall ignores the values you specify because AWS uses a back-end metadata file to assign the management IP address and netmask.
**The mgmt-interface-swap operational command pertains only to a VM-Series firewall in AWS.
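Because a file that fails bootstrap leaves the firewall on the default address 192.168.1.1, it is worth checking init-cfg.txt before it goes into the bootstrap package. The following is an added example, not Palo Alto Networks code: a pre-flight check built only from the field rules in the table above. The function name lint_init_cfg and the two sample inputs are assumptions made for this illustration.

```python
KNOWN = set("""type ip-address default-gateway netmask ipv6-address
ipv6-default-gateway hostname panorama-server panorama-server-2 tplname dgname
dns-primary dns-secondary vm-auth-key op-command-modes dhcp-send-hostname
dhcp-send-client-id dhcp-accept-server-hostname dhcp-accept-server-domain""".split())
MODES = {"multi-vsys", "jumbo-frame", "mgmt-interface-swap"}
STATIC_V4 = ("ip-address", "default-gateway", "netmask")

def lint_init_cfg(text):
    """Return a list of problems found in init-cfg.txt content (empty = clean)."""
    problems, cfg = [], {}
    for n, line in enumerate(text.splitlines(), 1):  # splitlines also handles CRLF
        if not line.strip():
            continue
        key, sep, value = line.partition("=")
        if not sep:
            problems.append(f"line {n}: not in key=value form")
            continue
        if key != key.strip() or value != value.strip():
            problems.append(f"line {n}: space around key or value")
        key, value = key.strip(), value.strip()
        if key not in KNOWN:
            problems.append(f"line {n}: unknown field {key!r}")
        cfg[key] = value
    kind = cfg.get("type")
    if kind not in ("static", "dhcp-client"):
        problems.append("type: must be static or dhcp-client")
    elif kind == "static":
        problems += [f"static: {f} is required" for f in STATIC_V4 if not cfg.get(f)]
        if cfg.get("ipv6-address") and not cfg.get("ipv6-default-gateway"):
            problems.append("static: ipv6-address needs ipv6-default-gateway")
    else:
        ignored = STATIC_V4 + ("ipv6-address", "ipv6-default-gateway")
        problems += [f"dhcp-client: {f} is ignored" for f in ignored if cfg.get(f)]
    for mode in cfg.get("op-command-modes", "").replace(",", " ").split():
        if mode not in MODES:
            problems.append(f"op-command-modes: {mode!r} is not allowed")
    return problems

# Constructed inputs (not the page's samples): a clean static file, and one with
# a space after '=', a missing netmask, and a misspelled mode.
GOOD = "type=static\nip-address=10.5.107.19\ndefault-gateway=10.5.107.1\nnetmask=255.255.255.0\n"
BAD = "type=static\nip-address= 10.5.107.19\ndefault-gateway=10.5.107.1\nop-command-modes=jumbo-frames\n"

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_init_cfg(sample) or "ok")
```

The check does not validate address syntax or confirm that the template and device group exist on Panorama. The file also carries the VM auth key, so store and transfer it with the same care as any other credential.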
