Palo Alto Networks Knowledgebase: BrightCloud to PAN-DB Migration Process with Panorama and High-Availability pair

Created On 07/29/19 17:23 PM - Last Updated 07/29/19 17:51 PM
URL Filtering
Resolution

Overview

This document has two sections. The first describes the migration process from BrightCloud to PAN-DB when the managed device has Panorama-pushed URL Profiles with BrightCloud categories. The second explains how to migrate a high-availability pair.

Note: For a multi-vsys environment, see BrightCloud to PAN-DB Migration with Panorama in Multi-Vsys Configuration.

 

Migration Process with Panorama

  1. Check whether Dynamic URL is enabled on the device.

    > set cli config-output-format set

    > configure

    # show deviceconfig setting url

    If it is configured, delete the setting by running the following commands:

    # delete deviceconfig setting url dynamic-url

    # commit

  2. License the Palo Alto Networks device with a PAN-DB license and activate the license on the device.
    1. Navigate to Device > Licenses
    2. Click Retrieve license keys from license server or Activate feature using auth code
  3. Download the URL DB initial seed file optimized for a specific region:
      1. Navigate to Device > Licenses
      2. Click Download under the Palo Alto Networks URL filtering
  4. Activate PAN-DB on the device (click Device > Licenses). This is expected to fail: the commit fails with the error "Details:profiles -> url-filtering -> <Profile-name> -> license-expired Not available for PAN-DB", the local policy is migrated to PAN-DB, and the Panorama-pushed policy remains BrightCloud.

  5. Switch database on Panorama from BrightCloud to PAN-DB. Command to change DB on Panorama:

    > set system setting url-database paloaltonetworks

  6. Push Panorama configuration to the device with a commit operation. This should report as successful. However, the device will show BrightCloud from a licensing perspective, though URL objects will show PAN-DB categories. Additionally, if attempting to add a new URL filtering object, it will show PAN-DB categories, but BrightCloud settings.
  7. From the device, re-activate PAN-DB. Click Device > Licenses or from the CLI run the command:

    > set system setting url-database paloaltonetworks

  8. The device should be fully migrated to PAN-DB.
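
A pre-check for steps 1 and 4 above, as an added example that is not part of the original article or Palo Alto Networks code: it scans a saved set-format configuration for the `dynamic-url` setting and for URL filtering profiles that carry `license-expired`, the setting named in the step 4 commit error. The line shapes are assumptions inferred from the `delete` command and the error text on this page, and the sample configuration is constructed.

```python
import shlex

# Constructed sample of set-format configuration text (not real device output).
SAMPLE_CONFIG = '''\
set deviceconfig system hostname fw-example
set deviceconfig setting url dynamic-url yes
set shared profiles url-filtering "Corp Default" license-expired block
set shared profiles url-filtering "Corp Default" block [ gambling malware ]
set vsys vsys1 profiles url-filtering guest-wifi license-expired allow
set vsys vsys1 profiles url-filtering lab alert news
'''

def _find(tokens, seq):
    """Return the index of the first occurrence of seq in tokens, or -1."""
    n = len(seq)
    for i in range(len(tokens) - n + 1):
        if tokens[i:i + n] == seq:
            return i
    return -1

def premigration_findings(config_text):
    """Report the settings that steps 1 and 4 of the procedure act on."""
    dynamic_url = False
    profiles = []
    for line in config_text.splitlines():
        try:
            tokens = shlex.split(line)  # keeps quoted names with spaces whole
        except ValueError:
            continue                    # unbalanced quotes: not a usable line
        if not tokens or tokens[0] != "set":
            continue
        # Step 1: a configured dynamic-url setting must be deleted first.
        if _find(tokens, ["deviceconfig", "setting", "url", "dynamic-url"]) != -1:
            dynamic_url = True
        # Step 4: profiles with license-expired are named in the commit error.
        i = _find(tokens, ["profiles", "url-filtering"])
        if i != -1 and len(tokens) > i + 3 and tokens[i + 3] == "license-expired":
            if tokens[i + 2] not in profiles:
                profiles.append(tokens[i + 2])
    return {"dynamic_url_configured": dynamic_url,
            "license_expired_profiles": profiles}

if __name__ == "__main__":
    result = premigration_findings(SAMPLE_CONFIG)
    print("dynamic-url configured:", result["dynamic_url_configured"])
    for name in result["license_expired_profiles"]:
        print("profile with license-expired:", name)
```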

How to migrate a High-Availability Pair

1. Suspend the passive device.

2. Perform Steps 1 - 4 from the previous section and migrate the passive device to PAN-DB.

3. After confirming that the passive device is successfully migrated, make the passive device functional. High-Availability will not be formed due to the URL filtering database mismatch.

4. Suspend the Active device. 

Note: There will be a short downtime when migrating a high-availability pair from BrightCloud to PAN-DB, as each device must be brought to a non-functional state in order to change the URL Filtering database.

5. Perform Steps 1 - 4 from the previous section and migrate the active device to PAN-DB.

6. After confirming that the active device is successfully migrated, make the active device functional. High-Availability will be formed as soon as the active device comes back up.

 

owner: kalavi


