Why is pan-db downloaded?


L0 Member

Hello, everyone.

 

I'm using only an ATP (Advanced Threat Prevention) license for an AWS firewall.
However, I see PAN-DB is continuously being downloaded in system log.
Why is PAN-DB still being downloaded even though I am not using URL license?

 

I was using pan-os-10.2.8-h5 and tried upgrading to 10.2.11, but the same problem occurred.

 


 

 

 

 

1 accepted solution

Accepted Solutions

Cyber Elite

I think (this is an educated guess, I haven't seen a customer without URL filtering for over a decade) this is due to advanced DNS protection also using part of the URL filtering database to categorize DNS lookups.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


2 REPLIES 2

L1 Bithead

PAN-OS downloads PAN-DB even if you don’t have the URL Filtering license because certain threat prevention features still reference PAN-DB, particularly for ATP-related functions and internal system operations.

Here’s what’s likely going on:

ATP & Threat Prevention Features:
Some advanced threat inspection modules check PAN-DB for context (e.g., to assess malicious behavior of URLs or links embedded in traffic).
Even without URL Filtering enforcement enabled, PAN-OS may still use PAN-DB for backend lookups to improve ATP accuracy.

Automatic System Behavior:
The URL Filtering feature is enabled by default in some templates or base configs.
PAN-OS may continue syncing PAN-DB updates even if no active policy is using it—unless you explicitly disable the feature.

PAN-OS Internal Dependencies:
PAN-OS 10.x and newer versions are tightly integrated across feature sets, so even "unused" components (like PAN-DB) may get partial updates as dependencies of ATP or WildFire inspection.

You can check whether URL Filtering is truly in use by running:
> show running security-policy
> show url-filtering rules


Also in GUI:

Go to Objects > Security Profiles > URL Filtering
Check if any profile is assigned to a security policy
If you see profiles attached to rules—even empty or default ones—it can trigger PAN-DB update behavior.

If you're absolutely sure you don’t need PAN-DB:

1. Remove URL Filtering Profiles from all policies.

2. Disable PAN-DB from auto-updating (though not directly configurable, you can try limiting its access):
Block update server access to updates.paloaltonetworks.com for PAN-DB (not ideal if ATP still needs it).
Or disable the URL Filtering license from Device > Licenses if trial was previously activated (contact support if needed).

PAN-OS 10.2.8-h5 and 10.2.11 are both stable, but the behavior is consistent across these because it’s design behavior, not a bug.
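
The check suggested in the reply above (is a URL Filtering profile attached to any security rule, directly or through a profile group?) can also be run offline against an exported configuration. This is an added example, not part of the original post and not Palo Alto Networks tooling; the sample config is constructed, and the XML element paths are an assumption about the export layout that should be verified against your own file.

```python
import xml.etree.ElementTree as ET

# Constructed sample mimicking an exported PAN-OS config.
# Element paths are an assumption; compare with your own export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<profile-group>
  <entry name="pg-outbound"><url-filtering><member>default</member></url-filtering></entry>
  <entry name="pg-atp-only"><vulnerability><member>strict</member></vulnerability></entry>
</profile-group>
<rulebase><security><rules>
  <entry name="allow-web"><profile-setting><profiles>
    <url-filtering><member>default</member></url-filtering>
  </profiles></profile-setting></entry>
  <entry name="allow-dns"><profile-setting><group><member>pg-outbound</member></group></profile-setting></entry>
  <entry name="allow-ssh"><profile-setting><group><member>pg-atp-only</member></group></profile-setting></entry>
  <entry name="deny-all"/>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def rules_with_url_filtering(config_xml):
    """Return {rule name: how a URL Filtering profile is attached to it}."""
    root = ET.fromstring(config_xml.strip())
    groups = {}
    # Collect profile groups that contain a URL Filtering profile.
    for container in root.iter("profile-group"):
        for g in container.findall("entry"):
            prof = g.findtext("url-filtering/member")
            if prof:
                groups[g.get("name")] = prof
    hits = {}
    for rule in root.findall(".//rulebase/security/rules/entry"):
        direct = rule.findtext("profile-setting/profiles/url-filtering/member")
        group = rule.findtext("profile-setting/group/member")
        if direct:
            hits[rule.get("name")] = f"profile '{direct}' (direct)"
        elif group in groups:
            hits[rule.get("name")] = f"profile '{groups[group]}' via group '{group}'"
    return hits

if __name__ == "__main__":
    for name, how in rules_with_url_filtering(SAMPLE_CONFIG).items():
        print(f"{name}: {how}")
```

Rules that inherit a profile through a group are easy to miss in the GUI, which is why the group lookup is included.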
