PAN DB vs Advanced

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PAN DB vs Advanced

L4 Transporter

Hello ,

 

Just want to know if PAN-DB and Advanced URL are different licensing

 

If Advanced URL is purchased , does it cover PAN-DB

 

We have a customer who puchased Advanced URL  , but not PAN DB

 

 

19 REPLIES 19

Cyber Elite
Cyber Elite

Hi @FWPalolearner ,

 

Yes, the advanced URL filtering license covers access to PAN DB. No need to have separate license for PAN DB if you already have Advanced URL filtering license.

 

Hope it helps!

M

Ok .thanks.

Just small query.

 

When I click on objects tab and go to url filtering .

 

At the bottom it shows url filtering license expired . Is it normal ?

 

How can I check that pan db url actually works

 

 

 

Cyber Elite
Cyber Elite

Hi @FWPalolearner ,

 

Scroll down on this link -> https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resour... and you will see a table of the features in URL and Advanced URL filtering.  The 1st line, "URL filtering database" is PAN-DB.

 

A license expired message is not normal.  You may need to "Retrieve license keys from license server" under Device > License.

 

Yes, you can test URL categorization on the NGFW.  Use the "test url" command on the CLI -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQcCAK.  On the bottom of the link it has special PANW URLs you can test for each category.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

@SutareMayur  Thanks .

 

License part is clear , but i tried to retrive license key but no luck ;

 

below is the snapshot

FWPalolearner_0-1638244893486.png

 

 

Also ,when i go to objects TAB and click on URL filtering , i see below 

 

FWPalolearner_1-1638244960286.png

 

Cyber Elite
Cyber Elite

Hi @FWPalolearner ,

 

That is very strange.  I have the Advanced URL Filtering license, and my license page shows the Advanced and PAN-DB good.  I guess you need to open a TAC case.  Thanks for the pics!

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

@TomYoung  I deleted the PAN_DB license key via CLI

 

Now i cant see PAN DB license ; and only see Advanced License which is valid

 

I tried request license fetch .

 

On the URL Filtering TAB i see below now 

FWPalolearner_0-1638249398529.png

The FW however shows PAN DB is good

(active)> show url-cloud status

PAN-DB URL Filtering
License : valid
Current cloud server : serverlist.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20211130.20072
URL database version - cloud : 20211130.20072 ( last update time 2021/11/30 05:44:05 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible

 

I want to get rid of GUI error showing "License Required for URL filtering to Function"

Cyber Elite
Cyber Elite

Hi @FWPalolearner ,

 

Good news!  Excellent work.  Try making a change and committing to see if the GUI error goes away.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Hi @FWPalolearner ,

Just wondering what version of PAN-OS you are using?
Did you finally fix the license expired issues under Device > License ?

 

Thanks,

Sean

Life is full of surprise,
Just embrace it!

Hi @TomYoung 

What PANOS you are using, 

mine is 8.1 but it did not show the A-URL subscription in the WebUI

:'(
thanks

Sean

Life is full of surprise,
Just embrace it!

L0 Member

I'm running 8.1.6 and have the same issue.  Just renewed licenses.  I wound up here searching for an answer to the question of Did Advanced URL Filtering supplant Pan-DB URL Filtering?

I bet it's still common some PA firewall still running PANOS 8.1 version but have been renewed/migrated old PAN-DB lic to Advanced URL Lic because the Old PAN-DB lic has been discontinued since last Nov. The "New" A-URL lic has all the PAN-DB lic (functionality) + the Machine-learning function/new EDL when you upgrade to PANOS 9.x upwards. 

 

Here's the steps taken to fixed the PAN-DB lic issue in PANOS 8.1 by the following steps, and A-URL subscription can be shown in WebUI.

 

1)            Manually download the A-URL license file from the customer support portal (Fetch from the WebUI not working)

2)            Install the A-URL lic key on your firewall (thru WebUI)

3)            Use CLI to remove the old existing (PAN-DB) license

Hope this helps,

Sean

 

**** FYI, the PANOS 8.1 will be end of support by March 2022, it's time to plan for the upgrade. ****

Life is full of surprise,
Just embrace it!

Cyber Elite
Cyber Elite

Hi @SeanDeHarris ,

 

Exactly!  I just did the same thing for a customer the other day.  They upgraded from URL to Advanced URL.  URL is not sold anymore.  We are going to see this a lot.  Your reply should be marked as the solution.  The same process works for 9.1.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.



 I know we had a similar issue and when raising a case with PA TAC they advised to refer to PAN-178194. here is a brief of the reply from PA TAC:

Spoiler
==> PAN-178194: A UI issue in PAN-OS renders the contents of the Inline ML tab in the URL Filtering Profile inaccessible on firewalls licensed for Advanced URL Filtering. Additionally, a message indicating that a License required for URL filtering to function is unavailable displays at the bottom of the UI. These errors do not affect the operation of Advanced URL Filtering or URL Filtering Inline ML.

+ Workaround: Configuration settings for URL Filtering Inline ML must be applied through the CLI. The following configuration commands are available:

+ Define URL exceptions for specific web sites:

# configure
# set profiles url-filtering <url_filtering_profile_name> mlav-category-exception


+ Configuration settings for each inline ML model:

# configure
# set profiles url-filtering <url_filtering_profile_name> mlav-engine-urlbased-enabled


==> The target Fix versions for this issue are 9.0.16, 9.1.13, 10.0.9 and 10.1.5. You can also either ignore the warning message about the URL license or apply the workaround mentioned previously through the CLI.

 Hope that help all


@SeanDeHarris Thanks for the info - any idea how to automat this ? we have a customer with over 150 devices worldwide so we can't really do this one-by-one...

 

BR,

Yaakov (kobi) H


Please mark helpful responses, so others know as well

Cyber Elite
Cyber Elite

Hi @Kobiher ,

 

With regard to automating CLI, you could look into Ansible, Python Parmiko, Expect, etc.  Your question probably should be a separate post under this forum -> https://live.paloaltonetworks.com/t5/automation-api-discussions/bd-p/TechnologiesSDKsDiscussions.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
  • 11558 Views
  • 19 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!