This document describes the migration process from BrightCloud to PAN-DB if the managed device has Panorama pushed URL Profiles with BrightCloud categories. Use the below links to migrate the Firewalls after the Panorama Migration to PAN-DB is completed.
If its configured then delete the setting by running the following command:
# delete deviceconfig setting url dynamic-url
# commit
License the Palo Alto Networks device with PAN-DB license and activate the license on the device.
Navigate to Device > Licenses
Click Retrieve license keys from license server or Activate feature using auth code
Download the URL DB initial seed file optimized for a specific region:
Navigate to Device > Licenses
Click Download under the Palo Alto Networks URL filtering
Activate PAN-DB on device (click Device > Licenses). This should fail – commit will fail with error "Details:profiles -> url-filtering -> <Profile-name> -> license-expired Not available for PAN-DB", and local policy will be migrated to PAN-DB, while Panorama pushed policy remains BrightCloud.
Switch database on Panorama from BrightCloud to PAN-DB. Command to change DB on Panorama:
> set system setting url-database paloaltonetworks
Push Panorama configuration to the device with a commit operation. This should report as successful. However, the device will show BrightCloud from a licensing perspective, though URL objects will show PAN-DB categories. Additionally, if attempting to add a new URL filtering object, it will show PAN-DB categories, but BrightCloud settings.
From the device, re-activate PAN-DB. Click Device > Licenses or from the CLI run the command:
> set system setting url-database paloaltonetworks
Deviceshould be fully migrated to PAN-DB.
Continue to migrate the Managed devices after the above steps are complete.