Configure the Firewalls to Access the PAN-DB Private Cloud

When using the PAN-DB public cloud, each firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect for URL lookups. With the PAN-DB private cloud, you must configure the firewalls with a (static) list of your PAN-DB private cloud servers that will be used for URL lookups. The list can contain up to 20 entries; IPv4 addresses, IPv6 addresses, and FQDNs are supported. Each entry on the list (IP address or FQDN) must be assigned to the management port and/or eth1 of the PAN-DB server.
  1. Pick one of the following options based on the PAN-OS version on the firewall.
    • For firewalls running PAN-OS 7.0, access the PAN-OS CLI or the web interface on the firewall.
      Use the following CLI command to configure access to the private cloud:
      set deviceconfig setting pan-url-db cloud-static-list <IP addresses> enable
      Or, in the web interface for each firewall, select Device > Setup > Content-ID, edit the URL Filtering section and enter the PAN-DB Server IP address(es) or FQDN(s). The list must be comma separated.
    • For firewalls running PAN-OS 5.0, 6.0, or 6.1, use the following CLI command to configure access to the private cloud:
      debug device-server pan-url-db cloud-static-list-enable <IP addresses> enable
      To delete the entries for the private PAN-DB servers, and allow the firewalls to connect to the PAN-DB public cloud, use the command:
      set deviceconfig setting pan-url-db cloud-static-list <IP addresses> disable
      When you delete the list of private PAN-DB servers, a re-election process is triggered on the firewall. The firewall first checks for the list of PAN-DB private cloud servers and when it cannot find one, the firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect.
  2. Commit your changes.
  3. To verify that the change is effective, use the following CLI command on the firewall:
    show url-cloud-status
    Cloud status: Up
    URL database version: 20150417-220
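
A pre-commit check for the static server list, written for this page as an added example (it is not Palo Alto Networks code). It enforces the 20-entry limit and the IPv4/IPv6/FQDN entry types described above and returns the comma-separated string for the PAN-DB Server field; the function names, the duplicate check, the two-label FQDN rule and the sample addresses are assumptions of the example.

```python
import ipaddress
import re

MAX_ENTRIES = 20  # limit stated on this page

# RFC 1123 hostname label: letters, digits, hyphens; no leading/trailing hyphen
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify(entry):
    """Return 'ipv4', 'ipv6' or 'fqdn' for one entry, or raise ValueError."""
    try:
        return "ipv%d" % ipaddress.ip_address(entry).version
    except ValueError:
        pass
    labels = entry.rstrip(".").split(".")
    # Assumption: an FQDN has at least two labels; an all-numeric last label
    # means a malformed IPv4 address, not a name.
    if (len(entry) <= 253 and len(labels) >= 2
            and all(_LABEL.match(label) for label in labels)
            and not labels[-1].isdigit()):
        return "fqdn"
    raise ValueError("not an IPv4 address, IPv6 address or FQDN: %r" % entry)


def build_static_list(raw):
    """Validate a comma-separated server list; return (normalized, kinds)."""
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        raise ValueError("list is empty")
    if len(entries) > MAX_ENTRIES:
        raise ValueError("%d entries; the limit is %d" % (len(entries), MAX_ENTRIES))
    kinds, seen = [], set()
    for e in entries:
        kind = classify(e)
        # Compare IPs in canonical form and FQDNs case-insensitively
        key = str(ipaddress.ip_address(e)) if kind != "fqdn" else e.lower().rstrip(".")
        if key in seen:
            raise ValueError("duplicate entry: %r" % e)
        seen.add(key)
        kinds.append(kind)
    return ",".join(entries), kinds


if __name__ == "__main__":
    # Constructed sample input (documentation address ranges, made-up FQDN)
    sample = "192.0.2.10, 2001:db8::10, pandb1.example.internal"
    print(build_static_list(sample))
```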
