From the Experts: Migrating from BrightCloud to PAN-DB in a Multi-VSYS HA Cluster Environment
Symptom
Resolution
Suspend the secondary passive firewall
Verify whether Dynamic URL filtering is enabled on the device.
> set cli config-output-format set
> configure
# show deviceconfig setting url
If it is configured, then delete the setting by running the following commands:
# delete deviceconfig setting url dynamic-url
# commit
License the Palo Alto Networks device with PAN-DB license and activate the license on the device.
- Navigate to Device > Licenses
- Click Retrieve license keys from license server or Activate feature using auth code
Download the URL DB initial seed file optimized for a specific region.
- Navigate to Device > Licenses
- Click Download under the Palo Alto Networks URL filtering
On the firewall, activate PAN-DB (Device > Licenses). This should fail. That is the commit will fail and the local policy will be migrated to PAN-DB, while Panorama pushed policy remains BrightCloud.
On the firewall, clear old URL cache from the management plane and data plane and reactivate PAN-DB.
Delete cache from Data Plane
> clear url-cache all
Delete cache from Management Plane
> delete url-database all
Re-downloading PAN-DB URL- can be done in two ways:
Via the CLI: request url-filtering download paloaltonetworks region <region>
request url-filtering download status vendor paloaltonetworks (to check download status)
Via the WebGUI: Go to Device->Licenses, and press download under “Palo Alto Networks database URL filtering”
Activate PAN-DB
> set system setting url-database paloaltonetworks
At this point, the firewall will have switched to PAN-DB URL Filtering Database.
Check the used URL filtering database and version and the URL Fitlering profiles on each VSYS.
> show system info | match url-db
url-db: paloaltonetworks
> show system info | match url-filtering-version
url-filtering-version: 2016.01.07.219
Check that the URL filtering categories have migrated to the new format.
To double check, the easiest way is to check a URL Filtering Profile ( default ) and look at the categories text.
- If the URL Filtering profiles are still in Brightcloud format they will show “Cult and Occult”.
- If the URL Filtering profiles migrated to PAN-DB format they will show “Religion” instead.
- In case the categories still show in Brightcloud format, an extra step is needed :
OPTIONAL (if check fails)--
On Panorama, push the Panorama config one vsys (or device group commit) at a time from Panorama to firewall.
After all commits are finished, run the checks again.
Change high availability state of the secondary suspended device to functional
The secondary device will move to a non-functional state, which is the expected behavior.
The failover is due to the mismatch of the URL vendor between the HA pair of devices.
Further, if different URL vendors are used on the HA pair of devices, the one with PAN-DB will go into the non-functional state. For example, if the scenario has the active device using BrightCloud and passive device with PAN-DB, the passive unit with PAN-DB will go into the non-functional state.
Suspend high availability state of the primary active device
This will cause the Secondary Firewall to move to Active state and take over the traffic.
Apply the same procedure to migrate from Brightcloud to PAN-DB URL filtering database.
Change high availability state of the primary suspended device to functional
The primary device will move to state passive.
If the pre-emptive option is enabled, it will move to Active state after the Hold time expires.
Check high availability synchronization
Check that the two firewalls are in sync on the Dashboard -- High Availability widget.
If running configurations appear to be out of sync, run the configuration synchronization from the primary device towards the secondary one.
Otherwise, another failover is needed to bring the primary firewall to the active state and secondary firewall to the passive state.
The migration on both devices in the high availability cluster is now complete.