Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB

Determine which firewalls require new PAN-DB URL filtering licenses.

Log in to Panorama and select
Panorama
Device Deployment
Licenses
.
Check the URL column to determine which firewalls have PAN-DB licenses and whether the licenses are valid or expired.
A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license can be active.
If you’re not sure whether a PAN-DB URL filtering license is active, access the firewall web interface, select
Device
Licenses
, and verify that the
Active
field displays
Yes
in the PAN-DB URL Filtering section.
Purchase a new license for each firewall that does not have a valid PAN-DB license.
In HA deployments, each firewall peer needs a distinct PAN-DB license and authorization code. Palo Alto Networks sends an email containing activation codes for the licenses you purchase. If you can’t find this email, contact Customer Support before proceeding.

Change the URL filtering vendor to PAN-DB on Panorama.

Access the Panorama web interface and perform one of the following tasks:

Change the URL Filtering Vendor on HA Panorama
Change the URL Filtering Vendor on non-HA Panorama

Configure the TCP session settings on both firewall HA peers to ensure sessions that are not yet synchronized will fail over when you suspend a peer.

Log in to the CLI of each firewall and run the following command:

> 
set session tcp-reject-non-syn no 

Migrate the URL filtering vendor to PAN-DB on each firewall HA peer.

Complete this task on fw2 (passive or active-secondary peer) before fw1 (active or active-primary peer).

Access the firewall web interface, select
Device
High Availability
Operational Commands
, and
Suspend local device
.
Performing this step on fw1 triggers failover to fw2.
Select
Device
Licenses
.
In the License Management section, select
Activate feature using authorization code
, enter the
Authorization Code
and click
OK
.
Activating the PAN-DB license automatically deactivates the BrightCloud license.
In the PAN-DB URL Filtering section,
Download
the seed file, select your region, and click
OK
.
Commit and push your configuration changes:
Access the Panorama web interface.
Select
Commit
Commit and Push
and
Edit Selections
in the Push Scope
Select
Device Groups
, select the firewall, and click
OK
.
Commit and Push
your changes to the Panorama configuration and to device groups.
Access the firewall web interface, select
Device
High Availability
Operational Commands
, and
Make local device functional
.
When you perform this step on fw1 with preemption enabled on both firewalls, fw1 automatically reverts to active (or active-primary) status and fw2 reverts to passive (or active-secondary) status.

Revert both firewall HA peers to the original TCP session settings.

Run the following command at the CLI of each firewall:

> 
set session tcp-reject-non-syn yes