Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB
Perform this procedure to migrate the URL filtering vendor from BrightCloud to PAN-DB on Panorama and firewalls when the firewalls are deployed in a high availability (HA) configuration. In this example, the active (or active-primary) firewall is named fw1 and the passive (or active-secondary) firewall is named fw2. The migration automatically maps BrightCloud URL categories to PAN-DB URL categories.
- Determine which firewalls require new PAN-DB URL filtering licenses.
  - Log in to Panorama and select Panorama > Device Deployment > Licenses.
  - Check the URL column to determine which firewalls have PAN-DB licenses and whether the licenses are valid or expired. A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license can be active. If you’re not sure whether a PAN-DB URL filtering license is active, access the firewall web interface, select Device > Licenses, and verify that the Active field displays Yes in the PAN-DB URL Filtering section.
  - Purchase a new license for each firewall that does not have a valid PAN-DB license. In HA deployments, each firewall peer needs a distinct PAN-DB license and authorization code. Palo Alto Networks sends an email containing activation codes for the licenses you purchase. If you can’t find this email, contact Customer Support before proceeding.
- Change the URL filtering vendor to PAN-DB on Panorama. Access the Panorama web interface and perform one of the following tasks:
- Configure the TCP session settings on both firewall HA peers to ensure sessions that are not yet synchronized will fail over when you suspend a peer. Log in to the CLI of each firewall and run the following command: > set session tcp-reject-non-syn no
- Migrate the URL filtering vendor to PAN-DB on each firewall HA peer. Complete this task on fw2 (passive or active-secondary peer) before fw1 (active or active-primary peer).
  - Access the firewall web interface, select Device > High Availability > Operational Commands, and Suspend local device. Performing this step on fw1 triggers failover to fw2.
  - In the License Management section, select Activate feature using authorization code, enter the Authorization Code, and click OK. Activating the PAN-DB license automatically deactivates the BrightCloud license.
  - In the PAN-DB URL Filtering section, Download the seed file, select your region, and click OK.
  - Commit and push your configuration changes:
    - Access the Panorama web interface.
    - Select Commit > Commit and Push and Edit Selections in the Push Scope.
    - Select Device Groups, select the firewall, and click OK.
    - Commit and Push your changes to the Panorama configuration and to device groups.
  - Access the firewall web interface, select Device > High Availability > Operational Commands, and Make local device functional.
- Revert both firewall HA peers to the original TCP session settings. Run the following command at the CLI of each firewall: > set session tcp-reject-non-syn yes
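
A scripted version of the license check in the first step, as an added example that is not Palo Alto Networks code: it classifies each HA peer's PAN-DB license as valid, expired or missing and lists the peers that need a new license. The XML layout is an assumption modeled on the XML API reply to the license info request, the sample replies are constructed, and the check does not tell you which vendor's license is currently active.

```python
import xml.etree.ElementTree as ET

PANDB = "PAN-DB URL Filtering"  # section name used in the procedure above

# Constructed sample replies (assumed layout, not captured from a real device).
FW1_XML = """<response status="success"><result><licenses>
  <entry><feature>BrightCloud URL Filtering</feature><expired>no</expired></entry>
  <entry><feature>PAN-DB URL Filtering</feature><expired>no</expired></entry>
</licenses></result></response>"""

FW2_XML = """<response status="success"><result><licenses>
  <entry><feature>BrightCloud URL Filtering</feature><expired>no</expired></entry>
  <entry><feature>PAN-DB URL Filtering</feature><expired>yes</expired></entry>
</licenses></result></response>"""


def pandb_status(xml_text):
    """Return 'valid', 'expired' or 'missing' for the PAN-DB license."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("license query did not succeed")
    states = []
    for entry in root.iter("entry"):
        if (entry.findtext("feature") or "").strip() != PANDB:
            continue
        expired = (entry.findtext("expired") or "").strip().lower()
        # Anything other than an explicit "no" is treated as expired, so an
        # unreadable field never counts as a usable license.
        states.append("valid" if expired == "no" else "expired")
    if "valid" in states:
        return "valid"
    return "expired" if states else "missing"


def peers_needing_license(peers):
    """peers maps a peer name to its license XML; returns the names that
    need a new PAN-DB license, in the order given."""
    return [name for name, xml in peers.items() if pandb_status(xml) != "valid"]


if __name__ == "__main__":
    ha_pair = {"fw1": FW1_XML, "fw2": FW2_XML}
    for name, xml in ha_pair.items():
        print(f"{name}: PAN-DB license {pandb_status(xml)}")
    print("Purchase licenses for:", peers_needing_license(ha_pair))
```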