Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB

Perform this procedure to migrate the URL filtering vendor from BrightCloud to PAN-DB on Panorama and firewalls when the firewalls are deployed in a high availability (HA) configuration. In this example, the active (or active-primary) firewall is named fw1 and the passive (or active-secondary) firewall is named fw2. The migration automatically maps BrightCloud URL categories to PAN-DB URL categories.
  1. Determine which firewalls require new PAN-DB URL filtering licenses.
    1. Log in to Panorama and select PanoramaDevice DeploymentLicenses.
    2. Check the URL column to determine which firewalls have PAN-DB licenses and whether the licenses are valid or expired.
      A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license can be active.
      If you’re not sure whether a PAN-DB URL filtering license is active, access the firewall web interface, select DeviceLicenses, and verify that the Active field displays Yes in the PAN-DB URL Filtering section.
    3. Purchase a new license for each firewall that does not have a valid PAN-DB license.
      In HA deployments, each firewall peer needs a distinct PAN-DB license and authorization code. Palo Alto Networks sends an email containing activation codes for the licenses you purchase. If you can’t find this email, contact Customer Support before proceeding.
  2. Change the URL filtering vendor to PAN-DB on Panorama.
    Access the Panorama web interface and perform one of the following tasks:
  3. Configure the TCP session settings on both firewall HA peers to ensure sessions that are not yet synchronized will fail over when you suspend a peer.
    Log in to the CLI of each firewall and run the following command:
    > set session tcp-reject-non-syn no
  4. Migrate the URL filtering vendor to PAN-DB on each firewall HA peer.
    Complete this task on fw2 (passive or active-secondary peer) before fw1 (active or active-primary peer).
    1. Access the firewall web interface, select DeviceHigh AvailabilityOperational Commands, and Suspend local device.
      Performing this step on fw1 triggers failover to fw2.
    2. Select DeviceLicenses.
    3. In the License Management section, select Activate feature using authorization code, enter the Authorization Code and click OK.
      Activating the PAN-DB license automatically deactivates the BrightCloud license.
    4. In the PAN-DB URL Filtering section, Download the seed file, select your region, and click OK.
    5. Commit and push your configuration changes:
      1. Access the Panorama web interface.
      2. Select CommitCommit and Push and Edit Selections in the Push Scope
      3. Select Device Groups, select the firewall, and click OK.
      4. Commit and Push your changes to the Panorama configuration and to device groups.
    6. Access the firewall web interface, select DeviceHigh AvailabilityOperational Commands, and Make local device functional.
      When you perform this step on fw1 with preemption enabled on both firewalls, fw1 automatically reverts to active (or active-primary) status and fw2 reverts to passive (or active-secondary) status.
  5. Revert both firewall HA peers to the original TCP session settings.
    Run the following command at the CLI of each firewall:
    > set session tcp-reject-non-syn yes

Related Documentation