Configure the PAN-DB Private Cloud
Focus
Focus
Advanced URL Filtering

Configure the PAN-DB Private Cloud

Table of Contents

Configure the PAN-DB Private Cloud

Learn how to configure the PAN-DB private cloud on one or more Palo Alto Networks M-600 or M-700 appliances in preparation for deployment on your network.
Where can I use this?What do I need?
  • NGFW (Managed by PAN-OS or Panorama)
Note: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
  1. Rack mount the M-600 or M-700 appliance.
    Refer to the rack installation instructions in the relevant hardware reference guide.
  2. Register the appliance.
  3. Perform initial configuration of the appliance.
    The M-600 and M-700 appliances, in PAN-DB mode, use two ports—MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use the MGT port or Eth1.
    1. Connect to the appliance in one of the following ways:
      • Attach a serial cable from a computer to the Console port on the appliance and connect using a terminal emulation software (9600-8-N-1).
      • Attach an RJ-45 Ethernet cable from a computer to the MGT port on the appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).
    2. When prompted, log in to the appliance. Log in using the default username and password (admin/admin). The appliance will begin to initialize.
    3. Configure network access settings including the IP address for the MGT interface:
      Use the following CLI command: set deviceconfig system ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>.
      Descriptions of the variables:
      • <server-IP> is the IP address you want to assign to the management interface of the server
      • <netmask> is the subnet mask
      • <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the primary DNS server
      • <DNS-IP> is the IP address of the DNS server
    4. Configure network access settings, including the IP address for the Eth1 interface.
      Use the following command: set deviceconfig system eth1 ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>.
    5. Save your changes to the PAN-DB server.
      Use the commit command.
  4. Switch to PAN-DB private cloud mode.
    You can switch from Panorama mode to PAN-DB mode and back; and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode or vice versa is not supported. Switching operational modes triggers a data reset. Except for the Management Access settings, all existing configurations and logs are deleted upon restart.
    1. To switch to PAN-DB mode, use the request system system-mode pan-url-db command.
    2. To verify the mode switch, use the show system info command.
      If you've successfully switched to PAN-DB private cloud mode, the system-mode field displays PAN-URL-DB.
      admin@M-600> show system info 
      
      hostname: M-600 
      ip-address: 1.2.3.4
      public-ip-address:
      netmask: 255.255.255.0
      default-gateway: 1.2.3.1
      ipv6-address: unknown 
      ipv6-link-local-address: fe80:00/64
      ipv6-default-gateway: 
      mac-address: 00:56:90:e7:f6:8e
      time: Mon Apr 27 13:43:59 2015
      uptime: 10 days, 1:51:28
      family: m 
      model: M-600 
      serial: 0073010000xxx
      sw-version: 7.0.0
      app-version: 492-2638
      app-release-date: 2015/03/19  20:05:33
      av-version: 0 
      av-release-date: unknown
      wf-private-version: 0
      wf-private-release-date: unknown
      wildfire-version: 0
      wildfire-release-date:
      logdb-version: 7.0.9
      platform-family: m
      pan-url-db: 20150417-220
      system-mode: Pan-URL-DB
      operational-mode: normal
      licensed-device-capacity: 0
      device-certificate-status: None
    3. To check the version of the cloud database on the appliance, use the show pan-url-cloud-status command.
      The pan-url-db field in the system-info display contains the same information.
  5. Install content and database updates.
    The appliance only stores the version of the content that is currently running and one earlier version.
    Pick one of the following installation methods:
    • If the PAN-DB server has direct Internet access, use the following commands:
      • To check whether a new version is published: request pan-url-db upgrade check
      • To check the version that is currently installed on your server: request pan-url-db upgrade info.
      • To download the latest version: request pan-url-db upgrade download latest.
        To install the latest version: request pan-url-db upgrade install <version latest | file>.
      • To schedule the appliance to automatically check for updates: set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week <day of week> at <hr:min>.
    • If the PAN-DB server is offline, access Palo Alto Networks customer support website to download and save content updates to an SCP server on your network. You can then import and install the updates using the following commands:
      • scp import pan-url-db remote-port <port-number> from username@host:path
      • request pan-url-db upgrade install file <filename>
  6. Set up administrative access to the PAN-DB private cloud.
    The appliance has a default admin account. Any additional administrative users that you create can either be superusers (with full access) or superusers with read-only access.
    PAN-DB private cloud does not support the use of RADIUS VSAs. If the VSAs used on the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an authentication failure will occur.
    • To set up a local administrative user on the PAN-DB server, use the following commands:
      1. configure
      2. set mgt-config users <username> permissions role-based <superreader | superuser> yes
      3. set mgt-config users <username> password
      4. Enter password:xxxxx
      5. Confirm password:xxxxx
      6. commit
    • To set up an administrative user with RADIUS authentication, use the following commands:
      1. To create a RADIUS server profile: set shared server-profile radius <server_profile_name> server <server_name> ip-address <ip_address> port <port_no> secret <shared_password>.
      2. To create an Authentication profile: set shared authentication-profile <auth_profile_name> user-domain <domain_name_for_authentication> allow-list <all> method radius server-profile <server_profile_name>.
      3. To attach the Authentication profile to a user: set mgt-config users <username> authentication-profile <auth_profile_name>.
      4. To commit your changes: commit.
    • To view the list of users, use the show mgt-config users command.