The PAN-DB private cloud is an on-premise solution that is suitable for organizations that prohibit or restrict the use of the PAN-DB public cloud service. With this on-premise solution, you can deploy one or more M-500 appliances as PAN-DB servers within your network or data center. The firewalls query the PAN-DB private cloud to perform URL lookups, instead of accessing the PAN-DB public cloud.
The process for performing URL lookups, in both the private and the public cloud is the same for the firewalls on the network. By default, the firewall is configured to access the public PAN-DB cloud. If you deploy a PAN-DB private cloud, you must configure the firewalls with a list of IP addresses or FQDNs to access the server(s) in the private cloud.
Firewalls running PAN-OS 5.0 or later versions can communicate with the PAN-DB private cloud.
When you Set Up the PAN-DB Private Cloud, you can either configure the M-500 appliance(s) to have direct internet access or keep them completely offline. Because the M-500 appliance requires database and content updates to perform URL lookups, if the appliance does not have an active internet connection, you must manually download the updates to a server on your network and then import the updates into each M-500 appliance in the PAN-DB private cloud using SCP. In addition, each appliance must be able to obtain the seed database and any other regular or critical content updates for the firewalls that it services.
To authenticate the firewalls that connect to the PAN-DB private cloud, a set of default server certificates is packaged with the appliance; you cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls.
M-500 Appliance for PAN-DB Private Cloud
To deploy a PAN-DB private cloud, you need one or more M-500 appliances. The M-500 appliance ships in Panorama mode, and to be deployed as PAN-DB private cloud you must set it up to operate in PAN-URL-DB mode. In the PAN-URL-DB mode, the appliance provides URL categorization services for enterprises that do not want to use the PAN-DB public cloud.
The M-500 appliance, when deployed as a PAN-DB private cloud, uses two ports: MGT (Eth0) and Eth1; Eth2 is not available for use. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud or from a server on your network. For communication between the PAN-DB private cloud and the firewalls on the network, you can use the MGT port or Eth1.
The M-100 appliance cannot be deployed as a PAN-DB private cloud.
The M-500 appliance in PAN-URL-DB mode:
- Does not have a web interface; it only supports a command-line interface (CLI).
- Cannot be managed by Panorama.
- Cannot be deployed in a high availability pair.
- Does not require a URL Filtering license. The firewalls, however, must have a valid PAN-DB URL Filtering license to connect with and query the PAN-DB private cloud.
- Ships with a set of default server certificates that are used to authenticate the firewalls that connect to the PAN-DB private cloud. You cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls that it services.
- Can be reset to Panorama mode only. If you want to deploy the appliance as a dedicated Log Collector, switch to Panorama mode and then set it in log collector mode.
Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud
Content and Database Updates
  PAN-DB Public Cloud: Content (regular and critical) updates and full database updates are published multiple times during the day. The firewall checks for critical updates whenever it queries the cloud servers for URL lookups.
  PAN-DB Private Cloud: Content updates and full URL database updates are available once a day during the work week.

URL Categorization Requests
  PAN-DB Public Cloud: Submit URL categorization change requests using any of the following options: the Palo Alto Networks Test A Site website, the URL filtering profile setup page on the firewall, or the URL filtering log on the firewall.
  PAN-DB Private Cloud: Submit URL categorization change requests only using the Palo Alto Networks Test A Site website.

Unresolved URL Queries
  PAN-DB Public Cloud: If the firewall cannot resolve a URL query, the request is sent to the servers in the public cloud.
  PAN-DB Private Cloud: If the firewall cannot resolve a query, the request is sent to the M-500 appliance(s) in the PAN-DB private cloud. If there is no match for the URL, the PAN-DB private cloud sends a category unknown response to the firewall; the request is not sent to the public cloud unless you have configured the M-500 appliance to access the PAN-DB public cloud. If the M-500 appliance(s) that constitute your PAN-DB private cloud are configured to be completely offline, they do not send any data or analytics to the public cloud.
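The lookup path described above (firewall cache, then the configured private-cloud servers in order, then the public cloud only if the appliance was configured for it) can be modelled in a few lines. The following is an added example written for this page, not Palo Alto Networks code, and it does not use any PAN-OS API or CLI syntax; the server names, URL database entries and categories are constructed samples, and the choice to cache only resolved categories on the firewall is an assumption of the model. It is useful for reasoning about what leaves the network: with an offline appliance, a URL that has no match yields "unknown" and no query is ever forwarded.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNKNOWN = "unknown"  # category the private cloud returns when there is no match


@dataclass
class PrivateCloudServer:
    """One M-500 appliance in PAN-URL-DB mode (model only, not Palo Alto Networks code).

    `database` is a constructed sample of the locally held URL database.
    `public_cloud_access` models the optional configuration that lets the
    appliance reach the PAN-DB public cloud; when False the appliance is
    completely offline and no query leaves it.
    """
    name: str
    database: Dict[str, str]
    reachable: bool = True
    public_cloud_access: bool = False
    public_cloud: Optional[Dict[str, str]] = None
    egress: List[str] = field(default_factory=list)  # URLs forwarded to the public cloud

    def lookup(self, url: str) -> str:
        cat = self.database.get(url)
        if cat is not None:
            return cat
        # No local match: consult the public cloud only if explicitly configured.
        if self.public_cloud_access and self.public_cloud is not None:
            self.egress.append(url)
            return self.public_cloud.get(url, UNKNOWN)
        return UNKNOWN


@dataclass
class Firewall:
    """Firewall pointed at the private cloud through an ordered server list."""
    servers: List[PrivateCloudServer]  # the IPs/FQDNs configured on the firewall
    license_valid: bool = True
    cache: Dict[str, str] = field(default_factory=dict)  # assumption: resolved categories only

    def lookup(self, url: str) -> str:
        if not self.license_valid:
            raise PermissionError("a valid PAN-DB URL Filtering license is required")
        cat = self.cache.get(url)
        if cat is not None:
            return cat
        for server in self.servers:  # try the configured servers in order
            if not server.reachable:
                continue
            cat = server.lookup(url)
            if cat != UNKNOWN:
                self.cache[url] = cat
            return cat
        return UNKNOWN  # no private-cloud server reachable


def run_scenarios() -> dict:
    """Exercise the offline, online and failover cases with constructed data."""
    db = {"example.com": "computer-and-internet-info"}  # constructed sample database
    public = {"newsite.example": "social-networking"}   # constructed sample public cloud

    offline = PrivateCloudServer("m500-offline", db)
    online = PrivateCloudServer("m500-online", db,
                                public_cloud_access=True, public_cloud=public)
    down = PrivateCloudServer("m500-down", db, reachable=False)

    fw_offline = Firewall([down, offline])  # first server down, falls through to second
    fw_online = Firewall([online])

    try:
        Firewall([offline], license_valid=False).lookup("example.com")
        license_enforced = False
    except PermissionError:
        license_enforced = True

    return {
        "known_offline": fw_offline.lookup("example.com"),
        "unknown_offline": fw_offline.lookup("newsite.example"),
        "offline_egress": list(offline.egress),
        "unknown_online": fw_online.lookup("newsite.example"),
        "online_egress": list(online.egress),
        "cached_only_resolved": ("example.com" in fw_offline.cache
                                 and "newsite.example" not in fw_offline.cache),
        "license_enforced": license_enforced,
    }


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(f"{key}: {value}")
```

The `egress` list on each server is the point of the model: it stays empty for the offline appliance no matter how many unresolved queries it receives, which is the property an operator who chose the private cloud for data-residency reasons wants to be able to assert.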