This document describes how to migrate the URL database from BrightCloud to PAN-DB on a High Availability (HA) pair of Palo Alto Networks devices.
Steps
Suspend the Passive/Secondary device.
Go to Device > High Availability > Operational commands and suspend local device
Or from the CLI, execute the command below:
> request high-availability state suspend
Run the following command on the Passive/Suspended device, if not already set
> set session tcp-reject-non-syn no
Retrieve PAN-DB URL licenses from Device > Licenses tab.
Activate the PAN-DB license on the suspended device (or Activate the Database from Device > License tab):
> set system setting url-database paloaltonetworks
Once activated, make the secondary device functional with the command below. However, this device will come up as "Non-functional" due to DB mismatch with the peer:
> request high-availability state functional
Note: When the device is showing as "Non-functional" after issuing the command above, all the interface will still be power down except for HA interface and that is expected.
Suspend the Active/Primary device, this will make the secondary device functional. Note: While the device is in non-functional state, the sessions will not be synced. Since non-syn TCP is allowed, most of the existing TCP traffic will not be dropped
Download and activate the PAN-DB license on this device (Steps 3 and 4) .
Both devices are now using PAN-DB, once both devices are functional failover back to the original Primary/Active device.
Revert back to original settings on secondary device:
> set session tcp-reject-non-syn yes
Delete the Brightcloud DB from the firewall once the above steps are completed. It to be done manually as the Database is not removed even after the migrations to PAN-DB is complete. This is to make it easy to switch back to Brightcloud if needed. It is recommended to delete the Brightcloud DB after successful migration to PAN-DB so that the Disk space used by Brightcloud DB can be freed.