Configure the PAN-DB Private Cloud

  1. Rack mount the M-500 appliance.
    Refer to the M-500 Hardware Reference Guide for instructions.
  2. Register the M-500 appliance.
    For instructions on registering the M-500 appliance, see Register the Firewall.
  3. Perform Initial Configuration of the M-500 Appliance.
    The M-500 appliance in PAN-DB mode uses two ports: MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use either the MGT port or Eth1.
    1. Connect to the M-500 appliance in one of the following ways:
      • Attach a serial cable from a computer to the Console port on the M-500 appliance and connect using a terminal emulation software (9600-8-N-1).
      • Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-500 appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).
    2. When prompted, log in to the appliance. Log in using the default username and password (admin/admin). The appliance will begin to initialize.
    3. Configure network access settings including the IP address for the MGT interface:
      set deviceconfig system ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
      where <server-IP> is the IP address you want to assign to the management interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the primary DNS server.
    4. Configure network access settings including the IP address for the Eth1 interface:
      set deviceconfig system eth1 ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
      where <server-IP> is the IP address you want to assign to the data interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
    5. Save your changes to the PAN-DB server.
      commit
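The addressing entered in steps 3 and 4 is only checked by the appliance after the commit, when a gateway outside the interface's subnet shows up as an unreachable management plane. The following Python is an added example, not part of the Palo Alto Networks documentation: it validates the four values for one interface and emits the exact CLI lines above. All sample addresses are constructed.

```python
import ipaddress


def addressing_problems(server_ip, netmask, gateway_ip, dns_ip):
    """Return the problems found in one interface's addressing (empty list = OK).
    These are the mistakes that otherwise only surface after 'commit' as an
    appliance that cannot reach its gateway or DNS server."""
    try:
        # A dotted netmask is accepted here; a non-contiguous mask raises ValueError.
        net = ipaddress.IPv4Network(f"{server_ip}/{netmask}", strict=False)
        server = ipaddress.IPv4Address(server_ip)
        gateway = ipaddress.IPv4Address(gateway_ip)
        ipaddress.IPv4Address(dns_ip)  # only needs to parse
    except ValueError as exc:
        return [f"unparseable address or mask: {exc}"]
    problems = []
    if server in (net.network_address, net.broadcast_address):
        problems.append(f"{server} is the network or broadcast address of {net}")
    if gateway not in net:
        problems.append(f"gateway {gateway} is outside {net}")
    elif gateway == server:
        problems.append("server and gateway addresses must differ")
    return problems


def interface_commands(server_ip, netmask, gateway_ip, dns_ip, interface="mgt"):
    """Build the CLI lines from step 3 (MGT) or step 4 (Eth1) once the
    addressing passes the checks above; raises ValueError otherwise."""
    problems = addressing_problems(server_ip, netmask, gateway_ip, dns_ip)
    if problems:
        raise ValueError("; ".join(problems))
    prefix = "set deviceconfig system" + (" eth1" if interface == "eth1" else "")
    return [
        f"{prefix} ip-address {server_ip} netmask {netmask} "
        f"default-gateway {gateway_ip} dns-setting servers primary {dns_ip}",
        "commit",
    ]


if __name__ == "__main__":
    # Constructed sample values: MGT on 10.1.1.0/24, Eth1 on 10.1.2.0/24.
    for line in interface_commands("10.1.1.10", "255.255.255.0", "10.1.1.1", "10.1.1.53"):
        print(line)
    for line in interface_commands("10.1.2.10", "255.255.255.0", "10.1.2.1", "10.1.1.53", "eth1"):
        print(line)
    # A gateway from the wrong subnet is reported instead of being committed.
    print(addressing_problems("10.1.2.10", "255.255.255.0", "10.1.3.1", "10.1.1.53"))
```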
  4. Switch to PAN-DB private cloud mode.
    1. To switch to PAN-DB mode, use the CLI command:
      request system system-mode pan-url-db
      You can switch from Panorama mode to PAN-DB mode and back; and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode or vice versa is not supported. When switching operational mode, a data reset is triggered. With the exception of management access settings, all existing configuration and logs will be deleted on restart.
    2. Use the following command to verify that the mode is changed:
      show pan-url-cloud-status
      hostname: M-500
      ip-address: 1.2.3.4
      netmask: 255.255.255.0
      default-gateway: 1.2.3.1
      ipv6-address: unknown
      ipv6-link-local-address: fe80:00/64
      ipv6-default-gateway:
      mac-address: 00:56:90:e7:f6:8e
      time: Mon Apr 27 13:43:59 2015
      uptime: 10 days, 1:51:28
      family: m
      model: M-500
      serial: 0073010000xxx
      sw-version: 7.0.0
      app-version: 492-2638
      app-release-date: 2015/03/19 20:05:33
      av-version: 0
      av-release-date: unknown
      wf-private-version: 0
      wf-private-release-date: unknown
      logdb-version: 7.0.9
      platform-family: m
      pan-url-db: 20150417-220
      system-mode: Pan-URL-DB
      operational-mode: normal
    3. Use the following command to check the version of the cloud database on the appliance:
      show pan-url-cloud-status
      Cloud status: Up
      URL database version: 20150417-220
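The two outputs in steps 2 and 3 are what an operator checks by hand; the following Python turns them into a repeatable health check. It is an added example, not from the documentation: it parses the key: value fields, flags an appliance that is not in PAN-DB mode or whose cloud connection is not Up, and ages the URL database build date (the YYYYMMDD prefix of the version) against the appliance's own clock. The sample output is constructed from the fields shown above, and the seven-day threshold is an assumption for the example, not a vendor value.

```python
import re
from datetime import datetime

# Constructed sample output, modelled on the fields shown in steps 2 and 3 above.
SYSTEM_INFO = """hostname: M-500
time: Mon Apr 27 13:43:59 2015
pan-url-db: 20150417-220
system-mode: Pan-URL-DB
operational-mode: normal
"""
CLOUD_STATUS = """Cloud status: Up
URL database version: 20150417-220
"""


def parse_fields(text):
    """Turn 'key: value' lines into a dict (keys lower-cased). Only the first
    colon splits, so timestamps and IPv6 values survive intact."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def pan_db_health(system_info, cloud_status, max_age_days=7):
    """Return a list of findings; an empty list means the private cloud looks healthy.
    max_age_days is an assumed threshold for this example, not a vendor value."""
    sysinfo, cloud = parse_fields(system_info), parse_fields(cloud_status)
    findings = []
    if sysinfo.get("system-mode", "").lower() != "pan-url-db":
        findings.append(f"appliance is not in PAN-DB mode: {sysinfo.get('system-mode')!r}")
    if sysinfo.get("operational-mode") != "normal":
        findings.append(f"operational-mode is {sysinfo.get('operational-mode')!r}")
    if cloud.get("cloud status", "").lower() != "up":
        findings.append(f"cloud status is {cloud.get('cloud status')!r}, not Up")
    version = cloud.get("url database version", "")
    match = re.fullmatch(r"(\d{8})-\d+", version)  # YYYYMMDD-<build>
    if not match:
        findings.append(f"unexpected database version format: {version!r}")
        return findings
    if version != sysinfo.get("pan-url-db"):
        findings.append("system info and cloud status disagree on the database version")
    if "time" in sysinfo:  # age the database against the appliance's own clock
        built = datetime.strptime(match.group(1), "%Y%m%d")
        now = datetime.strptime(sysinfo["time"], "%a %b %d %H:%M:%S %Y")
        age = (now - built).days
        if age > max_age_days:
            findings.append(f"URL database is {age} days old (built {built:%Y-%m-%d})")
    return findings
```

With the sample above the only finding is the database age (the build is 10 days older than the appliance clock); raising max_age_days to 14 returns an empty list.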
  5. Install content and database updates.
    The appliance only stores the currently running version of the content and one earlier version.
    Pick one of the following methods of installing the content and database updates:
    • If the PAN-DB server has direct Internet access, use the following commands:
      1. To check whether a new version is published use:
        request pan-url-db upgrade check
      2. To check the version that is currently installed on your server use:
        request pan-url-db upgrade info
      3. To download and install the latest version:
        • request pan-url-db upgrade download latest
        • request pan-url-db upgrade install <version latest | file>
      4. To schedule the M-500 appliance to automatically check for updates:
        set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week <day of week> at <hr:min>
    • If the PAN-DB server is offline, access the Palo Alto Networks Customer Support web site to download and save the content updates to an SCP server on your network. You can then import and install the updates using the following commands:
      • scp import pan-url-db remote-port <port-number> from username@host:path
      • request pan-url-db upgrade install file <filename>
  6. Set up administrative access to the PAN-DB private cloud.
    The appliance has a default admin account. Any additional administrative users that you create can either be superusers (with full access) or superusers with read-only access.
    PAN-DB private cloud does not support the use of RADIUS VSAs. If the VSAs used on the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an authentication failure will occur.
    • To set up a local administrative user on the PAN-DB server:
      1. configure
      2. set mgt-config users <username> permissions role-based <superreader | superuser> yes
      3. set mgt-config users <username> password
      4. Enter password: xxxxx
      5. Confirm password: xxxxx
      6. commit
    • To set up an administrative user with RADIUS authentication:
      1. Create a RADIUS server profile.
        set shared server-profile radius <server_profile_name> server <server_name> ip-address <ip_address> port <port_no> secret <shared_password>
      2. Create an authentication profile.
        set shared authentication-profile <auth_profile_name> user-domain <domain_name_for_authentication> allow-list <all> method radius server-profile <server_profile_name>
      3. Attach the authentication profile to the user.
        set mgt-config users <username> authentication-profile <auth_profile_name>
      4. Commit the changes.
        commit
    • To view the list of users:
      show mgt-config users
      users {
        admin {
          phash fnRL/G5lXVMug;
          permissions {
            role-based {
              superuser yes;
            }
          }
        }
        admin_user_2 {
          permissions {
            role-based {
              superreader yes;
            }
          }
          authentication-profile RADIUS;
        }
      }
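Reviewing that listing by eye does not scale once several administrators exist. The following Python is an added example, not from the documentation: it parses the brace-delimited format of the show mgt-config users output above into nested dictionaries and reports each account's role and whether it authenticates with a local password or through an authentication profile, so full-access accounts still relying on a local password stand out. The sample input is the page's own output; the parser and audit functions are assumptions for this example.

```python
# Output of 'show mgt-config users' as shown on the page, used as the sample input.
USERS_OUTPUT = (
    "users { admin { phash fnRL/G5lXVMug; permissions { role-based { superuser yes; } } } "
    "admin_user_2 { permissions { role-based { superreader yes; } } "
    "authentication-profile RADIUS; } }"
)


def parse_config(text):
    """Parse the brace-delimited PAN-OS config format into nested dicts.
    'key { ... }' becomes a sub-dict; 'key value ... ;' becomes a string."""
    tokens = text.replace("{", " { ").replace("}", " } ").replace(";", " ; ").split()
    pos = 0

    def block():
        nonlocal pos
        node = {}
        while pos < len(tokens) and tokens[pos] != "}":
            key = tokens[pos]
            pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                node[key] = block()
                pos += 1  # consume the closing brace
            else:
                start = pos
                while pos < len(tokens) and tokens[pos] != ";":
                    pos += 1
                node[key] = " ".join(tokens[start:pos])
                pos += 1  # consume the semicolon
        return node
    return block()


def audit_admins(text):
    """One record per administrator: role and how the account authenticates."""
    report = []
    for name, cfg in parse_config(text).get("users", {}).items():
        roles = cfg.get("permissions", {}).get("role-based", {})
        role = next((r for r, flag in roles.items() if flag == "yes"), "none")
        if "phash" in cfg:  # a stored password hash means a local credential
            auth = "local password"
        elif "authentication-profile" in cfg:
            auth = "profile " + cfg["authentication-profile"]
        else:
            auth = "no credential configured"
        report.append({"user": name, "role": role, "auth": auth})
    return report


def local_superusers(text):
    # Full-access accounts that still rely on a local password.
    return [r["user"] for r in audit_admins(text)
            if r["role"] == "superuser" and r["auth"] == "local password"]
```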