Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB

Perform this procedure to migrate the URL filtering vendor from BrightCloud to PAN-DB on Panorama and firewalls when the firewalls are deployed in a high availability (HA) configuration. In this example, the active (or active-primary) firewall is named fw1 and the passive (or active-secondary) firewall is named fw2. The migration automatically maps BrightCloud URL categories to PAN-DB URL categories.
  1. Determine which firewalls require new PAN-DB URL filtering licenses.
    1. Log in to Panorama and select
      Panorama
      Device Deployment
      Licenses
      .
    2. Check the URL column to determine which firewalls have PAN-DB licenses and whether the licenses are valid or expired.
      A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license can be active.
      If you’re not sure whether a PAN-DB URL filtering license is active, access the firewall web interface, select
      Device
      Licenses
      , and verify that the
      Active
      field displays
      Yes
      in the PAN-DB URL Filtering section.
    3. Purchase a new license for each firewall that does not have a valid PAN-DB license.
      In HA deployments, each firewall peer needs a distinct PAN-DB license and authorization code. Palo Alto Networks sends an email containing activation codes for the licenses you purchase. If you can’t find this email, contact Customer Support before proceeding.
  2. Change the URL filtering vendor to PAN-DB on Panorama.
    Access the Panorama web interface and perform one of the following tasks:
  3. Configure the TCP session settings on both firewall HA peers to ensure sessions that are not yet synchronized will fail over when you suspend a peer.
    Log in to the CLI of each firewall and run the following command:
    >
    set session tcp-reject-non-syn no
  4. Migrate the URL filtering vendor to PAN-DB on each firewall HA peer.
    Complete this task on fw2 (passive or active-secondary peer) before fw1 (active or active-primary peer).
    1. Access the firewall web interface, select
      Device
      High Availability
      Operational Commands
      , and
      Suspend local device
      .
      Performing this step on fw1 triggers failover to fw2.
    2. Select
      Device
      Licenses
      .
    3. In the License Management section, select
      Activate feature using authorization code
      , enter the
      Authorization Code
      and click
      OK
      .
      Activating the PAN-DB license automatically deactivates the BrightCloud license.
    4. In the PAN-DB URL Filtering section,
      Download
      the seed file, select your region, and click
      OK
      .
    5. Commit and push your configuration changes:
      1. Access the Panorama web interface.
      2. Select
        Commit
        Commit and Push
        and
        Edit Selections
        in the Push Scope
      3. Select
        Device Groups
        , select the firewall, and click
        OK
        .
      4. Commit and Push
        your changes to the Panorama configuration and to device groups.
    6. Access the firewall web interface, select
      Device
      High Availability
      Operational Commands
      , and
      Make local device functional
      .
      When you perform this step on fw1 with preemption enabled on both firewalls, fw1 automatically reverts to active (or active-primary) status and fw2 reverts to passive (or active-secondary) status.
  5. Revert both firewall HA peers to the original TCP session settings.
    Run the following command at the CLI of each firewall:
    >
    set session tcp-reject-non-syn yes

Related Documentation