End-of-Life (EoL)
Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB
Perform this procedure to migrate the URL
filtering vendor from BrightCloud to PAN-DB on Panorama and firewalls
when the firewalls are deployed in a high availability (HA) configuration.
In this example, the active (or active-primary) firewall is named
fw1 and the passive (or active-secondary) firewall is named fw2.
The migration automatically maps BrightCloud URL categories to PAN-DB URL categories.
- Determine which firewalls require new PAN-DB URL filtering licenses.
  - Log in to Panorama and select Panorama > Device Deployment > Licenses.
  - Check the URL column to determine which firewalls have PAN-DB licenses and whether the licenses are valid or expired.
    A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license can be active.
    If you’re not sure whether a PAN-DB URL filtering license is active, access the firewall web interface, select Device > Licenses, and verify that the Active field displays Yes in the PAN-DB URL Filtering section.
  - Purchase a new license for each firewall that does not have a valid PAN-DB license.
    In HA deployments, each firewall peer needs a distinct PAN-DB license and authorization code. Palo Alto Networks sends an email containing activation codes for the licenses you purchase. If you can’t find this email, contact Customer Support before proceeding.
- Change the URL filtering vendor to PAN-DB on Panorama.
  Access the Panorama web interface and perform one of the following tasks:
- Configure the TCP session settings on both firewall HA peers to ensure sessions that are not yet synchronized will fail over when you suspend a peer.
  Log in to the CLI of each firewall and run the following command:
      > set session tcp-reject-non-syn no
- Migrate the URL filtering vendor to PAN-DB on each firewall HA peer.
  Complete this task on fw2 (passive or active-secondary peer) before fw1 (active or active-primary peer).
  - Access the firewall web interface, select Device > High Availability > Operational Commands, and Suspend local device.
    Performing this step on fw1 triggers failover to fw2.
  - Select Device > Licenses.
  - In the License Management section, select Activate feature using authorization code, enter the Authorization Code, and click OK.
    Activating the PAN-DB license automatically deactivates the BrightCloud license.
  - In the PAN-DB URL Filtering section, Download the seed file, select your region, and click OK.
  - Commit and push your configuration changes:
    - Access the Panorama web interface.
    - Select Commit > Commit and Push and Edit Selections in the Push Scope.
    - Select Device Groups, select the firewall, and click OK.
    - Commit and Push your changes to the Panorama configuration and to device groups.
  - Access the firewall web interface, select Device > High Availability > Operational Commands, and Make local device functional.
    When you perform this step on fw1 with preemption enabled on both firewalls, fw1 automatically reverts to active (or active-primary) status and fw2 reverts to passive (or active-secondary) status.
- Revert both firewall HA peers to the original TCP session settings.
  Run the following command at the CLI of each firewall:
      > set session tcp-reject-non-syn yes
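
The procedure relaxes non-SYN rejection on both peers and restores it in the last step. The following added example (not part of the vendor procedure) parses `show session info` output saved from each peer and reports any peer whose setting does not match the expected state. The sample captures are constructed, and the `TCP - reject non-SYN first packet` label is an assumption about the CLI output; adjust the pattern to what your PAN-OS version prints.

```python
import re

# Assumed label of the relevant line in `show session info` output.
_PATTERN = re.compile(r"reject non-SYN first packet\s*:\s*(True|False)", re.I)

# Constructed sample captures (not real device output), one per HA peer.
# Here fw2 was left with the relaxed setting after the migration.
SAMPLE_CAPTURES = {
    "fw1": "Session setup\n  TCP - reject non-SYN first packet:   True\n",
    "fw2": "Session setup\n  TCP - reject non-SYN first packet:   False\n",
}


def reject_non_syn(show_session_info):
    """Return True/False for the setting, or None if the line is absent."""
    match = _PATTERN.search(show_session_info)
    if match is None:
        return None
    return match.group(1).lower() == "true"


def audit_peers(captures, expected=True):
    """Map each peer name to 'ok', 'mismatch' or 'unknown'.

    Use expected=False while the migration is in progress (after
    `set session tcp-reject-non-syn no`) and expected=True after the
    final revert step.
    """
    results = {}
    for peer, text in sorted(captures.items()):
        state = reject_non_syn(text)
        if state is None:
            results[peer] = "unknown"   # capture truncated or label differs
        elif state == expected:
            results[peer] = "ok"
        else:
            results[peer] = "mismatch"
    return results


if __name__ == "__main__":
    for peer, verdict in audit_peers(SAMPLE_CAPTURES).items():
        print(f"{peer}: {verdict}")
```

Treat an `unknown` result as a failed check and inspect that peer by hand rather than assuming the setting was restored.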