Palo Alto Networks Knowledgebase: Using Panorama to Manage Devices with PAN-DB and Devices Not Licensed for URL Filtering

Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
Cortex Data Lake Panorama

Issue

When using Panorama to manage devices with PAN-DB and devices not licensed for URL filtering, a commit error on the unlicensed devices may occur:

    > show jobs id 309
    Enqueued                 ID      Type      Status Result Completed
    ------------------------------------------------------------------
    2013/04/15 16:09:44     309    CommitAll     FIN   FAIL   16:09:50
    Warnings:
    Details:profiles -> url-filtering -> test_url  is missing 'license-expired'
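When reviewing failed Panorama pushes across many managed devices, this failure can be recognized from the job output alone. The following Python is an added example, not Palo Alto Networks code: it parses the job output shown above and flags a failed CommitAll whose detail line names a URL filtering profile missing 'license-expired'. The function names and the second (successful) sample job are constructed for illustration.

```python
import re

# Job row as printed by "show jobs id": enqueued time, id, type, status, result, completed.
JOB_ROW = re.compile(
    r"^(?P<enqueued>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<id>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<status>\S+)\s+(?P<result>\S+)\s+(?P<completed>\S+)\s*$"
)
# Detail text that marks this article's failure on a device not using PAN-DB.
MISMATCH = re.compile(
    r"profiles\s*->\s*url-filtering\s*->\s*(?P<profile>\S+)\s+is missing 'license-expired'"
)

def parse_job(text):
    """Return the job row fields plus the URL filtering profiles named in mismatch details."""
    job = {"profiles": []}
    for line in text.splitlines():
        row = JOB_ROW.match(line.strip())
        if row:
            job.update(row.groupdict())
        for hit in MISMATCH.finditer(line):
            job["profiles"].append(hit.group("profile"))
    return job

def is_url_db_mismatch(job):
    """True when a CommitAll failed with the URL database mismatch signature."""
    return job.get("type") == "CommitAll" and job.get("result") == "FAIL" and bool(job["profiles"])

# Output copied from the article.
FAILED_JOB = """\
Enqueued                 ID      Type      Status Result Completed
------------------------------------------------------------------
2013/04/15 16:09:44     309    CommitAll     FIN   FAIL   16:09:50
Warnings:
Details:profiles -> url-filtering -> test_url  is missing 'license-expired'
"""
# Constructed sample for contrast: a CommitAll that succeeded (values are illustrative).
OK_JOB = """\
Enqueued                 ID      Type      Status Result Completed
------------------------------------------------------------------
2013/04/15 17:02:10     312    CommitAll     FIN   OK     17:02:31
Warnings:
Details:
"""

if __name__ == "__main__":
    for text in (FAILED_JOB, OK_JOB):
        job = parse_job(text)
        print(job.get("id"), job.get("result"), "URL DB mismatch:", is_url_db_mismatch(job), job["profiles"])
```

A device flagged this way did not accept the push, so it keeps running its previous configuration until the database mismatch is resolved and the commit succeeds.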

 

Resolution

The default URL database on PAN-OS is currently BrightCloud. To resolve the commit error when Panorama is set to PAN-DB, the current database on PAN-OS must be changed from BrightCloud to PAN-DB to match Panorama. Download and activate a PAN-DB eval license following the steps below:

  1. Log in to the support portal (https://support.paloaltonetworks.com/index.php) using your login credentials.
  2. After logging in, go to the devices page by clicking on My Devices under managed devices.
  3. Under the My Devices screen, look up the appropriate serial number to find the device requiring a trial license.
  4. Click the trial licenses link on the right under the action field.
  5. Eval features available to you are displayed.  Choose "30 day trial for PAN-DB URL Filtering" and click activate.
  6. After the trial license is activated, go back to the Palo Alto Networks firewall and retrieve license keys from the license server by clicking the link under License Management.

 

Refer to the following document for instructions on installing and activating PAN-DB: PAN-DB Activation/Installation

 

When changing the database on devices that are connected to Panorama:

  • Disable the shared config
    • Go to Device > Setup > Management > Panorama Settings
    • Click "Disable Panorama Policy and Objects"
    • Do not check the box labeled "Import Panorama Policy and Objects before disabling"
      • Leaving the box unchecked prevents the device from copying the Panorama pushed configuration elements as local elements when the shared policy is disabled.
      • Checking the box creates duplicate objects when the device is reconnected to Panorama, which may cause commits to fail.

 

Because the Panorama-pushed elements are temporarily disabled on the managed device during the transition, the Panorama-pushed objects and policies are temporarily unavailable for configuration and policy enforcement. When the transition to PAN-DB has been completed, re-enable Panorama Policy and Objects.


Note: When the eval license expires, PAN-DB remains the active URL filtering vendor. However, there may be a commit-time warning about an expired license. To remove this warning, delete the PAN-DB license from the device.

 

owner: nayubi


