Do a search in the audit like this on the command-line:
$> acat -e "cmd startmsg"
This audit happens when the firewall boots back up. Once you find this message you go back in the audit (back in time) and see if there is any message indicating why the firewall rebooted. You'd run 'acat | less', hit the / key and type startmsg and hit Enter, then arrow-up to search for a message. Most likely there will not be any indication in the audit unless you specifically rebooted the firewall with a command.
Run a command to see if the partitions are full. If a partition fills up it can cause the firewall to crash:
(The /dev partition will always be 100%, so ignore it)
Look for core files from the time of the reboot:
$> ll /var/crash
$> ll /var/log/crash
$> ll /var/diagnostic
You can look in /var/log/daemond.log also to see if anything stands out.
When you run 'cf package list' what is the output? What version is this firewall running?