Bootstrap a Firewall Using a USB Flash Drive
Focus
Focus

Bootstrap a Firewall Using a USB Flash Drive

Table of Contents

Bootstrap a Firewall Using a USB Flash Drive

After you receive a new Palo Alto Networks firewall and a USB flash drive loaded with bootstrap files, you can bootstrap the firewall.
Microsoft Windows and Apple Mac operating systems are unable to read the bootstrap USB flash drive because the drive is formatted using an ext4 file system. You must install third-party software or use a Linux system to read the USB drive.
  1. The firewall must be in a factory default state or must have all private data deleted.
  2. To ensure connectivity with your corporate headquarters, cable the firewall by connecting the management interface (MGT) using an Ethernet cable to one of the following:
    • An upstream modem
    • A port on the switch or router
    • An Ethernet jack in the wall
  3. Insert the USB flash drive into the USB port on the firewall and power on the firewall. The factory default firewall bootstraps itself from the USB flash drive.
    The firewall Status light turns from yellow to green when the firewall is configured; autocommit is successful.
  4. Verify bootstrap completion. You can see basic status logs on the console during the bootstrap and you can verify that the process is complete.
    1. If you included Panorama values (panorama-server, tplname, and dgname) in your init-cfg.txt file, check Panorama managed devices, device group, and template name.
    2. Verify the general system settings and configuration by accessing the web interface and selecting DashboardWidgetsSystem or by using the CLI operational commands show system info and show config running.
    3. Verify the license installation by selecting DeviceLicenses or by using the CLI operational command request license info.
    4. If you have Panorama configured, manage the content versions and software versions from Panorama. If you do not have Panorama configured, use the web interface to manage content versions and software versions.
  5. (Panorama managed firewalls only) Create a device registration authentication key and add it to the firewall.
    This is required to successfully add a bootstrapped firewall to Panorama management. The device registration authentication key has a finite lifetime and including the device registration authentication key in the init-cfg.txt file is not supported.
    1. Log in to the Panorama web interface.
    2. Select PanoramaDevice Registration Auth Key and Add a new authentication key.
    3. Configure the authentication key.
      • Name—Add a descriptive name for the authentication key.
      • Lifetime—Specify the key lifetime to limit how long you can use the authentication key to onboard new firewalls.
      • Count—Specify how many times you can use the authentication key to onboard new firewalls.
      • Device Type—Specify that this authentication key is used to authenticate only a Firewall.
        You can select Any to use the device registration authentication key to onboard firewalls, Log Collectors, and WildFire appliances.
      • (Optional) Devices—Enter one or more device serial numbers to specify for which firewalls the authentication key is valid.
    4. Click OK.
      When prompted, Copy Auth Key and Close.
    5. Log in to the firewall web interface.
      You can also log in to the firewall CLI to add the device registration authentication key.
      admin> request authkey set <auth key>
    6. Select DeviceSetupManagement and edit the Panorama Settings.
    7. Paste the device registration authentication key you copied in the previous step and click OK.
    8. Commit.
    9. Log in to the Panorama web interface and select PanoramaManaged DevicesSummary to verify the firewall is Connected to Panorama