Set Up the PAN-DB Private Cloud
To deploy one or more M-500 appliances as a PAN-DB private cloud within your network or data center, you must complete the following tasks:
  - Configure the PAN-DB Private Cloud
  - Configure the Firewalls to Access the PAN-DB Private Cloud
Set up the PAN-DB Private Cloud
Rack mount the M-500 appliance. Refer to the M-500 Hardware Reference Guide for instructions.
Register the M-500 appliance. For instructions, see Register the Firewall.
Perform initial configuration of the M-500 appliance. The M-500 appliance in PAN-DB mode uses two ports, MGT (Eth0) and Eth1; Eth2 is not used in PAN-DB mode. The management port is used for administrative access to the appliance and for obtaining the latest content updates from the PAN-DB public cloud. For communication between the appliance (PAN-DB server) and the firewalls on the network, you can use the MGT port or Eth1.
Connect to the M-500 appliance in one of the following ways:
  - Attach a serial cable from a computer to the Console port on the M-500 appliance and connect using terminal emulation software (9600-8-N-1).
  - Attach an RJ-45 Ethernet cable from a computer to the MGT port on the M-500 appliance. From a browser, go to https://192.168.1.1. Enabling access to this URL might require changing the IP address on the computer to an address in the 192.168.1.0 network (for example, 192.168.1.2).
When prompted, log in to the appliance using the default username and password (admin/admin). The appliance will begin to initialize.
Configure the network access settings, including the IP address, for the MGT interface:
    set deviceconfig system ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
where <server-IP> is the IP address you want to assign to the management interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the primary DNS server.
Configure the network access settings, including the IP address, for the Eth1 interface:
    set deviceconfig system eth1 ip-address <server-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
where <server-IP> is the IP address you want to assign to the data interface of the server, <netmask> is the subnet mask, <gateway-IP> is the IP address of the network gateway, and <DNS-IP> is the IP address of the DNS server.
Save your changes to the PAN-DB server:
    commit
Switch to PAN-DB private cloud mode. To switch to PAN-DB mode, use the CLI command:
    request system system-mode pan-url-db
You can switch from Panorama mode to PAN-DB mode and back, and from Panorama mode to Log Collector mode and back. Switching directly from PAN-DB mode to Log Collector mode or vice versa is not supported. When switching operational mode, a data reset is triggered: with the exception of management access settings, all existing configuration and logs will be deleted on restart.
Use the following command to verify that the mode is changed:
    show pan-url-cloud-status
    hostname: M-500
    ip-address: 1.2.3.4
    netmask: 255.255.255.0
    default-gateway: 1.2.3.1
    ipv6-address: unknown
    ipv6-link-local-address: fe80:00/64
    ipv6-default-gateway:
    mac-address: 00:56:90:e7:f6:8e
    time: Mon Apr 27 13:43:59 2015
    uptime: 10 days, 1:51:28
    family: m
    model: M-500
    serial: 0073010000xxx
    sw-version: 7.0.0
    app-version: 492-2638
    app-release-date: 2015/03/19 20:05:33
    av-version: 0
    av-release-date: unknown
    wf-private-version: 0
    wf-private-release-date: unknown
    logdb-version: 7.0.9
    platform-family: m
    pan-url-db: 20150417-220
    system-mode: Pan-URL-DB
    operational-mode: normal
Use the following command to check the version of the cloud database on the appliance:
    show pan-url-cloud-status
    Cloud status: Up
    URL database version: 20150417-220
Install content and database updates. The appliance only stores the currently running version of the content and one earlier version. Pick one of the following methods of installing the content and database updates:
If the PAN-DB server has direct Internet access, use the following commands.
  To check whether a new version is published:
    request pan-url-db upgrade check
  To check the version that is currently installed on your server:
    request pan-url-db upgrade info
  To download and install the latest version:
    request pan-url-db upgrade download latest
    request pan-url-db upgrade install <version latest | file>
  To schedule the M-500 appliance to automatically check for updates:
    set deviceconfig system update-schedule pan-url-db recurring weekly action download-and-install day-of-week <day of week> at <hr:min>
If the PAN-DB server is offline, access the Palo Alto Networks Customer Support web site to download and save the content updates to an SCP server on your network. You can then import and install the updates using the following commands:
    scp import pan-url-db remote-port <port-number> from username@host:path
    request pan-url-db upgrade install file <filename>
Set up administrative access to the PAN-DB private cloud. The appliance has a default admin account. Any additional administrative users that you create can be either superusers (with full access) or superusers with read-only access. The PAN-DB private cloud does not support the use of RADIUS VSAs; if the VSAs used on the firewall or Panorama are used for enabling access to the PAN-DB private cloud, an authentication failure will occur.
To set up a local administrative user on the PAN-DB server:
    configure
    set mgt-config users <username> permissions role-based <superreader | superuser> yes
    set mgt-config users <username> password
    Enter password: xxxxx
    Confirm password: xxxxx
    commit
To set up an administrative user with RADIUS authentication:
  Create a RADIUS server profile.
    set shared server-profile radius <server_profile_name> server <server_name> ip-address <ip_address> port <port_no> secret <shared_password>
  Create an authentication profile.
    set shared authentication-profile <auth_profile_name> user-domain <domain_name_for_authentication> allow-list <all> method radius server-profile <server_profile_name>
  Attach the authentication profile to the user.
    set mgt-config users <username> authentication-profile <auth_profile_name>
  Commit the changes.
    commit
To view the list of users:
    show mgt-config users
    users {
      admin {
        phash fnRL/G5lXVMug;
        permissions {
          role-based {
            superuser yes;
          }
        }
      }
      admin_user_2 {
        permissions {
          role-based {
            superreader yes;
          }
        }
        authentication-profile RADIUS;
      }
    }
Configure the Firewalls to Access the PAN-DB Private Cloud
When using the PAN-DB public cloud, each firewall accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect for URL lookups. With the PAN-DB private cloud, you must instead configure each firewall with a static list of your PAN-DB private cloud servers to use for URL lookups. The list can contain up to 20 entries; IPv4 addresses, IPv6 addresses, and FQDNs are supported. Each entry on the list (IP address or FQDN) must be assigned to the management port and/or eth1 of the PAN-DB server.
Pick one of the following options based on the PAN-OS version on the firewall.
For firewalls running PAN-OS 7.0, access the PAN-OS CLI or the web interface on the firewall. Use the following CLI command to configure access to the private cloud:
    set deviceconfig setting pan-url-db cloud-static-list <IP addresses> enable
Or, in the web interface for each firewall, select Device > Setup > Content-ID, edit the URL Filtering section, and enter the PAN-DB server IP address(es) or FQDN(s). The list must be comma separated.
For firewalls running PAN-OS 5.0, 6.0, or 6.1, use the following CLI command to configure access to the private cloud:
    debug device-server pan-url-db cloud-static-list-enable <IP addresses> enable
To delete the entries for the private PAN-DB servers and allow the firewalls to connect to the PAN-DB public cloud, use the command:
    set deviceconfig setting pan-url-db cloud-static-list <IP addresses> disable
When you delete the list of private PAN-DB servers, a re-election process is triggered on the firewall: the firewall first checks for the list of PAN-DB private cloud servers and, when it cannot find one, accesses the PAN-DB servers in the AWS cloud to download the list of eligible servers to which it can connect.
Commit your changes.
To verify that the change is effective, use the following CLI command on the firewall:
    show url-cloud-status
    Cloud status: Up
    URL database version: 20150417-220
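As an added example that is not part of this documentation or of any Palo Alto Networks tool: a Python helper that applies the static-list constraints stated above (at most 20 entries; IPv4, IPv6 or FQDN) to a comma-separated server list before it is entered, and then compares the show pan-url-cloud-status output from the PAN-DB server with the show url-cloud-status output from a firewall to confirm both report Up and the same database version. The sample outputs are constructed to mirror the output quoted on this page; the FQDN pattern and the comparison logic are assumptions.

```python
import ipaddress
import re

# Limits stated on the page: up to 20 entries; IPv4, IPv6 and FQDN entries are accepted.
MAX_STATIC_ENTRIES = 20
# Assumed FQDN shape (labels of letters, digits and hyphens, alphabetic TLD); not a PAN-OS rule.
FQDN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
# Constructed sample output, shaped like the cloud-status output quoted on the page.
SAMPLE_SERVER_STATUS = "Cloud status: Up\nURL database version: 20150417-220\n"
SAMPLE_FIREWALL_STATUS = "Cloud status: Up\nURL database version: 20150410-210\n"

def classify_entry(entry):
    """Return 'ipv4', 'ipv6' or 'fqdn' for a usable entry, or None if it is none of these."""
    entry = entry.strip()
    try:
        return "ipv%d" % ipaddress.ip_address(entry).version
    except ValueError:
        return "fqdn" if FQDN_RE.match(entry) else None

def validate_static_list(raw_list):
    """Split a comma-separated server list and check each entry and the entry count.
    Returns [(entry, kind), ...]; raises ValueError on the first problem found."""
    entries = [e.strip() for e in raw_list.split(",") if e.strip()]
    if not entries:
        raise ValueError("static list is empty")
    if len(entries) > MAX_STATIC_ENTRIES:
        raise ValueError("%d entries exceed the limit of %d" % (len(entries), MAX_STATIC_ENTRIES))
    checked = []
    for entry in entries:
        kind = classify_entry(entry)
        if kind is None:
            raise ValueError("not an IPv4 address, IPv6 address or FQDN: %r" % entry)
        checked.append((entry, kind))
    return checked

def parse_cloud_status(output):
    """Read 'Cloud status' and 'URL database version' from cloud-status command output."""
    fields = {}
    for key, label in (("status", "Cloud status"), ("version", "URL database version")):
        m = re.search(label + r":\s*(\S+)", output)
        fields[key] = m.group(1) if m else None
    return fields

def check_firewall_sync(server_output, firewall_output):
    """Both sides must report Up, and the firewall must run the server's database version."""
    server, firewall = parse_cloud_status(server_output), parse_cloud_status(firewall_output)
    for name, side in (("server", server), ("firewall", firewall)):
        if side["status"] != "Up":
            return False, "%s cloud status is %s" % (name, side["status"])
    if server["version"] != firewall["version"]:
        return False, "version mismatch: server %s, firewall %s" % (server["version"], firewall["version"])
    return True, "in sync at version %s" % firewall["version"]
```

A firewall that reports Up but an older database version than the server is still answering URL lookups from stale categories, which is the condition the version comparison is meant to surface.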