Learn about deploying a Palo Alto Networks M-600 or M-700 appliance in private cloud mode
and differences between the PAN-DB public and private clouds.
Note: Legacy URL filtering licenses are discontinued,
but active legacy licenses are still supported.
To deploy a PAN-DB private cloud, you need one or more M-600 or M-700 appliances. Both appliances ship in
Panorama mode, but to be deployed as a PAN-DB private cloud, you must configure them to
operate in PAN-URL-DB mode. In PAN-URL-DB mode, the appliance provides URL
categorization services for enterprises that do not want to use the PAN-DB public
cloud.
The M-600 and M-700 appliance, when deployed as a PAN-DB private cloud, uses two ports—MGT (Eth0)
and Eth1; Eth2 is not available for use. The management port is used for administrative
access to the appliance and for obtaining the latest content updates from the PAN-DB
public cloud or a server on your network. For communication between the PAN-DB private
cloud and the firewalls on your network, you can use the MGT port or Eth1.
The M-200 appliance cannot be deployed as a PAN-DB private cloud.
The M-600 and M-700 appliance in PAN-URL-DB mode:
Does not have a web interface, it only supports a command
line interface (CLI).
Cannot be managed by Panorama.
Cannot be deployed in a high availability pair.
Does not require a URL Filtering license. The firewalls,
must have a valid PAN-DB URL Filtering license to connect with and
query the PAN-DB private cloud.
Ships with a set of default server certificates that are used to authenticate the firewalls that
connect to the PAN-DB private cloud. You cannot import or use another server
certificate for authenticating the firewalls. If you change the hostname on
either appliance, the appliance automatically generates a new set of
certificates to authenticate the firewalls that it services.
Can be reset to Panorama mode only. If you want to deploy the appliance as a Dedicated Log
Collector, switch to Panorama mode, and then set it in Log Collector mode.
