BrightCloud to PAN-DB Migration Process with Panorama and High-Availability pair

BrightCloud to PAN-DB Migration Process with Panorama and High-Availability pair

31164
Created On 09/25/18 19:48 PM - Last Modified 08/17/21 07:33 AM


Resolution


Overview

This document describes the migration process from BrightCloud to PAN-DB if the managed device has Panorama pushed URL Profiles with BrightCloud categories. Use the below links to migrate the Firewalls after the Panorama Migration to PAN-DB is completed. 

Note:
1. For a multi-vsys environment, see BRIGHTCLOUD TO PAN-DB MIGRATION WITH PANORAMA IN MULTI-VSYS CONFIGURATION.
2. For Firewalls in HA, see HOW TO MIGRATE URL DATABASE FROM BRIGHTCLOUD TO PAN-DB ON HA DEVICES

Migration Process with Panorama

  1. Verify Dynamic URL is enabled on the device.

    > set cli config-output-format set

    > configure

    # show deviceconfig setting url

    If its configured then delete the setting by running the following command:

    # delete deviceconfig setting url dynamic-url

    # commit

  2. License the Palo Alto Networks device with PAN-DB license and activate the license on the device.
    1. Navigate to Device > Licenses
    2. Click Retrieve license keys from license server or Activate feature using auth code
  3. Download the URL DB initial seed file optimized for a specific region:
      1. Navigate to Device > Licenses
      2. Click Download under the Palo Alto Networks URL filtering
        URL Filtering Database Download
  4. Activate PAN-DB on device (click Device > Licenses). This should fail – commit will fail with error "Details:profiles -> url-filtering -> <Profile-name> -> license-expired Not available for PAN-DB", and local policy will be migrated to PAN-DB, while Panorama pushed policy remains BrightCloud.

    PAN-DB URL Filtering 

  5. Switch database on Panorama from BrightCloud to PAN-DB. Command to change DB on Panorama:

    > set system setting url-database paloaltonetworks

  6. Push Panorama configuration to the device with a commit operation. This should report as successful. However, the device will show BrightCloud from a licensing perspective, though URL objects will show PAN-DB categories. Additionally, if attempting to add a new URL filtering object, it will show PAN-DB categories, but BrightCloud settings.
  7. From the device, re-activate PAN-DB. Click Device > Licenses or from the CLI run the command:

    > set system setting url-database paloaltonetworks

  8. Deviceshould be fully migrated to PAN-DB.
  9. Continue to migrate the Managed devices after the above steps are complete. 
     

owner: kalavi
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cle0CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language