Configure the PAN-DB Private Cloud

Learn how to configure the PAN-DB private cloud on one or more Palo Alto Networks M-600 appliances in preparation for deployment on your network.
Where can I use this?
What do I need?
  • PAN-OS
  • Advanced URL Filtering license
  1. Rack mount the M-600 appliance.
    Refer to the M-600 Hardware Reference Guide for instructions.
  2. Register the M-600 appliance.
  3. Perform initial configuration of the M-600 Appliance.
    The M-600 appliance in PAN-DB mode uses two ports: MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use the MGT port or Eth1.
    1. Connect to the M-600 appliance in one of the following ways:
      • Attach a serial cable from a computer to the Console port on the M-600 appliance and connect using terminal emulation software (9600-8-N-1).
      • Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-600 appliance. From a browser, go to Enabling access to this URL might require changing the IP address on the computer to an address in the network (for example,
    2. When prompted, log in to the appliance. Log in using the default username and password (admin/admin). The appliance will begin to initialize.
    3. Configure network access settings including the IP address for the MGT interface:
      set deviceconfig system ip-address
      dns-setting servers primary
      is the IP address you want to assign to the management interface of the server,
      is the subnet mask,
      is the IP address of the network gateway, and
      is the IP address of the primary DNS server.
    4. Configure network access settings including the IP address for the Eth1 interface:
      set deviceconfig system eth1 ip-address
      dns-setting servers primary
      is the IP address you want to assign to the data interface of the server,
      is the subnet mask,
      is the IP address of the network gateway, and
      is the IP address of the DNS server.
    5. Save your changes to the PAN-DB server.
  4. Switch to PAN-DB private cloud mode.
    1. To switch to PAN-DB mode, use the CLI command:
      request system system-mode pan-url-db
      You can switch from Panorama mode to PAN-DB mode and back; and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode or vice versa is not supported. When switching operational mode, a data reset is triggered. With the exception of management access settings, all existing configuration and logs will be deleted on restart.
    2. Use the following command to verify that the mode is changed:
      show pan-url-cloud-status
      hostname: M-600
      ip-address:
      netmask:
      default-gateway:
      ipv6-address: unknown
      ipv6-link-local-address: fe80:00/64
      ipv6-default-gateway:
      mac-address: 00:56:90:e7:f6:8e
      time: Mon Apr 27 13:43:59 2015
      uptime: 10 days, 1:51:28
      family: m
      model: M-600
      serial: 0073010000xxx
      sw-version: 7.0.0
      app-version: 492-2638
      app-release-date: 2015/03/19 20:05:33
      av-version: 0
      av-release-date: unknown
      wf-private-version: 0
      wf-private-release-date: unknown
      logdb-version: 7.0.9
      platform-family: m
      pan-url-db: 20150417-220
      system-mode: Pan-URL-DB
      operational-mode: normal
    3. Use the following command to check the version of the cloud database on the appliance:
      show pan-url-cloud-status
      Cloud status: Up
      URL database version: 20150417-220
  5. Install content and database updates.
    The appliance only stores the currently running version of the content and one earlier version.
    Pick one of the following installation methods:
    • If the PAN-DB server has direct Internet access, use the following commands:
      • To check whether a new version is published use:
        request pan-url-db upgrade check
      • To check the version that is currently installed on your server use:
        request pan-url-db upgrade info
      • To download and install the latest version:
        request pan-url-db upgrade download latest
      • request pan-url-db upgrade install <version latest
      • To schedule the M-600 appliance to automatically check for updates:
        set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week <day of week>
    • If the PAN-DB server is offline, access the Palo Alto Networks Customer Support website to download and save the content updates to an SCP server on your network. You can then import and install the updates using the following commands:
      • scp import pan-url-db remote-port
        from username@host:path
      • request pan-url-db upgrade install file
  6. Set up administrative access to the PAN-DB private cloud.
    The appliance has a default account. Any additional administrative users that you create can either be superusers (with full access) or superusers with read-only access.
    PAN-DB private cloud does not support the use of RADIUS VSAs. If the VSAs used on the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an authentication failure will occur.
    • To set up a local administrative user on the PAN-DB server:
      1. configure
      2. set mgt-config users
        permissions  role-based <superreader | superuser> yes
      3. set mgt-config users
      4. Enter password:xxxxx
      5. Confirm password:xxxxx
      6. commit
    • To set up an administrative user with RADIUS authentication:
      1. Create RADIUS server profile.
        set shared server-profile radius
      2. Create authentication-profile.
        set shared authentication-profile
        allow-list <all> method radius server-profile
      3. Attach the authentication-profile to the user.
        set mgt-config users
      4. Commit the changes.
    • To view the list of users:
      show mgt-config users
      users {
        admin {
          phash fnRL/G5lXVMug;
          permissions {
            role-based {
              superuser yes;
            }
          }
        }
        admin_user_2 {
          permissions {
            role-based {
              superreader yes;
            }
          }
          authentication-profile RADIUS;
        }
      }
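The user listing from step 6 can be checked offline once it has been saved from the CLI. The following is an added example, not Palo Alto Networks code: it parses the brace-delimited output and reports each administrator's role and authentication source. The function names `parse_block` and `audit_admins` are hypothetical, and the sample input is the listing shown above.

```python
import re

# Output of "show mgt-config users", copied from the sample shown above.
SAMPLE = """
users { admin { phash fnRL/G5lXVMug; permissions { role-based { superuser yes; } } }
admin_user_2 { permissions { role-based { superreader yes; } }
authentication-profile RADIUS; } }
"""

def parse_block(tokens, i=0):
    """Parse 'name { ... }' groups and 'key value;' leaves into nested dicts."""
    node = {}
    while i < len(tokens) and tokens[i] != "}":
        key = tokens[i]
        if i + 1 < len(tokens) and tokens[i + 1] == "{":
            node[key], i = parse_block(tokens, i + 2)
            i += 1                      # step over the closing '}'
        else:
            end = tokens.index(";", i)  # a leaf runs up to the next ';'
            node[key] = " ".join(tokens[i + 1:end])
            i = end + 1
    return node, i

def audit_admins(cli_output):
    """Return one record per administrator: role, auth source, review flag."""
    tokens = re.findall(r"[{};]|[^\s{};]+", cli_output)
    tree, _ = parse_block(tokens)
    report = []
    for name, cfg in tree.get("users", {}).items():
        roles = cfg.get("permissions", {}).get("role-based", {})
        role = next((r for r, v in roles.items() if v == "yes"), "none")
        profile = cfg.get("authentication-profile")
        if profile:
            auth = "profile:" + profile
        elif "phash" in cfg:
            auth = "local"
        else:
            auth = "unknown"
        # The built-in account ships with the default admin/admin login, so a
        # locally authenticated "admin" is flagged for a password check.
        review = name == "admin" and auth == "local"
        report.append({"user": name, "role": role, "auth": auth, "review": review})
    return report

if __name__ == "__main__":
    for row in audit_admins(SAMPLE):
        print(row)
```

A record with `review` set to true means the default password should be confirmed as changed before the appliance goes into service.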
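The verification in step 4 can be scripted in the same way against saved CLI output. The following is an added example, not Palo Alto Networks code: it checks the system mode, operational mode and cloud status against the values shown in step 4. The function names `parse_fields` and `check_pandb` are hypothetical, and the rule that both outputs should report the same database version is an assumption.

```python
# Constructed samples, abridged from the outputs shown in step 4.
SYSTEM_INFO = """\
hostname: M-600
time: Mon Apr 27 13:43:59 2015
sw-version: 7.0.0
pan-url-db: 20150417-220
system-mode: Pan-URL-DB
operational-mode: normal
"""
CLOUD_STATUS = """\
Cloud status: Up
URL database version: 20150417-220
"""

def parse_fields(text):
    """Split 'key: value' lines on the first colon; keys are lower-cased."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def check_pandb(system_info, cloud_status):
    """Return a list of findings; an empty list means all checks passed."""
    info, cloud = parse_fields(system_info), parse_fields(cloud_status)
    findings = []
    mode = info.get("system-mode", "missing")
    if mode.lower() != "pan-url-db":
        findings.append(f"system-mode is {mode}, expected Pan-URL-DB")
    op_mode = info.get("operational-mode", "missing")
    if op_mode.lower() != "normal":
        findings.append(f"operational-mode is {op_mode}, expected normal")
    status = cloud.get("cloud status", "missing")
    if status.lower() != "up":
        findings.append(f"cloud status is {status}, expected Up")
    # Assumption: both commands should report the same database version.
    if info.get("pan-url-db") != cloud.get("url database version"):
        findings.append("URL database version differs between the two outputs")
    return findings

if __name__ == "__main__":
    print(check_pandb(SYSTEM_INFO, CLOUD_STATUS) or "all checks passed")
```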
