Focus

Advanced URL Filtering

Configure the PAN-DB Private Cloud

Table of Contents

Configure Firewalls to Access the PAN-DB Private Cloud

Configure the PAN-DB Private Cloud

Learn how to configure the PAN-DB private cloud on one or more Palo Alto Networks M-600 appliances in preparation for deployment on your network.

Where can I use this?	What do I need?
PAN-OS	Advanced URL Filtering license (or a legacy URL filtering license) Note: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.

Rack mount the M-600 appliance.

Refer to the M-600 Hardware Reference Guide for instructions.

Perform initial configuration of the M-600 Appliance.

The M-600 appliance in PAN-DB mode uses two ports- MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use the MGT port or Eth1.

Connect to the M-600 appliance in one of the following ways:

Attach a serial cable from a computer to the Console port on the M-600 appliance and connect using a terminal emulation software (9600-8-N-1).

Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-600 appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).

When prompted, log in to the appliance. Log in using the default username and password (admin/admin). The appliance will begin to initialize.

Configure network access settings including the IP address for the MGT interface:

set deviceconfig system ip-address  <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>

where <server-IP> is the IP address you want to assign to the management interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the primary DNS server.

Configure network access settings including the IP address for the Eth1 interface:

set deviceconfig system eth1 ip-address  <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>

where <server-IP> is the IP address you want to assign to the data interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.

Save your changes to the PAN-DB server.

commit

Switch to PAN-DB private cloud mode.

To switch to PAN-DB mode, use the CLI command:

request system system-mode pan-url-db

You can switch from Panorama mode to PAN-DB mode and back; and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode or vice versa is not supported. When switching operational mode, a data reset is triggered. With the exception of management access settings, all existing configuration and logs will be deleted on restart.

Use the following command to verify that the mode is changed:

show pan-url-cloud-status 
hostname: M-600 
ip-address: 1.2.3.4 
netmask: 255.255.255.0 
default-gateway: 1.2.3.1 
ipv6-address: unknown 
ipv6-link-local-address: fe80:00/64 
ipv6-default-gateway: 
mac-address: 00:56:90:e7:f6:8e 
time: Mon Apr 27 13:43:59 2015 
uptime: 10 days, 1:51:28 
family: m 
model: M-600 
serial: 0073010000xxx 
sw-version: 7.0.0 
app-version: 492-2638 
app-release-date: 2015/03/19  20:05:33 
av-version: 0 
av-release-date: unknown 
wf-private-version: 0 
wf-private-release-date: unknown 
logdb-version: 7.0.9 
platform-family: m 
pan-url-db: 20150417-220 
system-mode: Pan-URL-DB 
operational-mode: normal

Use the following command to check the version of the cloud database on the appliance:

show pan-url-cloud-status 
Cloud status:            Up 
URL database version:    20150417-220

Install content and database updates.

The appliance only stores the currently running version of the content and one earlier version.

Pick one of the following installation methods:

If the PAN-DB server has direct Internet access use the following commands:

To check whether a new version is published use:

request pan-url-db upgrade check

To check the version that is currently installed on your server use:

request pan-url-db upgrade info

To download and install the latest version:

request pan-url-db upgrade download latest

request pan-url-db upgrade install  <version latest | file>

To schedule the M-600 appliance to automatically check for updates:

set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week  <day of week> at <hr:min>

If the PAN-DB server is offline, access Palo Alto Networks Customer Support website to download and save the content updates to an SCP server on your network. You can then import and install the updates using the following commands:

scp import pan-url-db remote-port  <port-number> from username@host:path

request pan-url-db upgrade install file  <filename>

Set up administrative access to the PAN-DB private cloud.

The appliance has a default

admin

account. Any additional administrative users that you create can either be superusers (with full access) or superusers with read-only access.

PAN-DB private cloud does not support the use of RADIUS VSAs. If the VSAs used on the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an authentication failure will occur.

To set up a local administrative user on the PAN-DB server:

configure

set mgt-config users  <username> permissions  role-based <superreader | superuser> yes

set mgt-config users <username> password

Enter password:xxxxx

Confirm password:xxxxx

commit

To set up an administrative user with RADIUS authentication:

Create RADIUS server profile.

set shared server-profile radius  <server_profile_name> server <server_name> ip-address <ip_address> port <port_no> secret <shared_password>

Create authentication-profile.

set shared authentication-profile  <auth_profile_name> user-domain <domain_name_for_authentication> allow-list <all> method radius server-profile <server_profile_name>

Attach the authentication-profile to the user.

set mgt-config users  <username> authentication-profile <auth_profile_name>

Commit the changes.

commit

To view the list of users:.

show mgt-config users
users {
admin {
phash fnRL/G5lXVMug;
permissions {
role-based {
superuser yes;
}
}
}
admin_user_2 {
permissions {
role-based {
superreader yes;
}
}
authentication-profile RADIUS;
}
}

Configure the firewalls to access the PAN-DB private cloud.

Set Up PAN-DB Private Cloud

Configure Firewalls to Access the PAN-DB Private Cloud