M-500 Appliance for PAN-DB Private Cloud

To deploy a PAN-DB private cloud, you need one or more M-500 appliances. The M-500 appliance ships in Panorama mode; to deploy it as a PAN-DB private cloud, you must set it up to operate in PAN-URL-DB mode. In PAN-URL-DB mode, the appliance provides URL categorization services for enterprises that do not want to use the PAN-DB public cloud.
When deployed as a PAN-DB private cloud, the M-500 appliance uses two ports: MGT (Eth0) and Eth1. Eth2 is not available for use. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud or from a server on your network. For communication between the PAN-DB private cloud and the firewalls on the network, you can use the MGT port or Eth1.
The M-100 appliance cannot be deployed as a PAN-DB private cloud.
The M-500 appliance in PAN-URL-DB mode:
  • Does not have a web interface; it supports only a command-line interface (CLI).
  • Cannot be managed by Panorama.
  • Cannot be deployed in a high availability pair.
  • Does not require a URL Filtering license. The firewalls must have a valid PAN-DB URL Filtering license to connect to and query the PAN-DB private cloud.
  • Ships with a set of default server certificates that are used to authenticate the firewalls that connect to the PAN-DB private cloud. You cannot import or use another server certificate for authenticating the firewalls. If you change the hostname on the M-500 appliance, the appliance automatically generates a new set of certificates to authenticate the firewalls that it services.
  • Can be reset to Panorama mode only. If you want to deploy the appliance as a dedicated Log Collector, switch to Panorama mode and then set it in log collector mode.
Differences Between the PAN-DB Public Cloud and PAN-DB Private Cloud

Content and Database Updates
  • PAN-DB Public Cloud: Content (regular and critical) updates and full database updates are published multiple times during the day. The PAN-DB public cloud updates the URL categories malware and phishing every five minutes. The firewall checks for critical updates whenever it queries the cloud servers for URL lookups.
  • PAN-DB Private Cloud: Content updates and full URL database updates are available once a day during the work week.

URL Categorization Requests
  • PAN-DB Public Cloud: Submit URL categorization change requests using the following options:
      • Palo Alto Networks Test A Site website.
      • URL filtering profile setup page on the firewall.
      • URL filtering log on the firewall.
  • PAN-DB Private Cloud: Submit URL categorization change requests only using the Palo Alto Networks Test A Site website.

Unresolved URL Queries
  • PAN-DB Public Cloud: If the firewall cannot resolve a URL query, the request is sent to the servers in the public cloud.
  • PAN-DB Private Cloud: If the firewall cannot resolve a query, the request is sent to the M-500 appliance(s) in the PAN-DB private cloud. If there is no match for the URL, the PAN-DB private cloud sends a category unknown response to the firewall; the request is not sent to the public cloud unless you have configured the M-500 appliance to access the PAN-DB public cloud. If the M-500 appliances that constitute your PAN-DB private cloud are configured to be completely offline, they do not send any data or analytics to the public cloud.
