Select a URL Filtering Vendor on Panorama
URL filtering enables firewalls to monitor and control web access for your users. The policy rules that you configure to control web access (Security, QoS, Captive Portal, and Decryption rules) reference URL categories. The URL filtering vendor you select on Panorama determines which URL categories are available for referencing in the rules that you add to device groups and push to firewalls.
By default, Panorama uses PAN-DB, a URL filtering database that is tightly integrated into PAN-OS and the Palo Alto Networks threat intelligence cloud. PAN-DB provides high-performance local caching to maximize in-line performance for URL lookups. The other vendor option is BrightCloud, a third-party URL database.
Unlike firewalls, Panorama does not download the URL database and does not require a URL filtering license.
The following topics describe how to change the URL filtering vendor on Panorama or on both Panorama and managed firewalls. You can also change the URL filtering vendor on just the firewalls.
Must Panorama and Firewalls Have Matching URL Filtering Vendors?
On any single Panorama management server or firewall, only one URL filtering vendor can be active: PAN-DB or BrightCloud. When selecting a vendor for Panorama, you must consider the vendor and PAN-OS version of the managed firewalls:
- PAN-OS 5.0.x and earlier versions—Panorama and the firewalls require matching URL filtering vendors.
- PAN-OS 6.0 or later versions—Panorama and the firewalls do not require matching URL filtering vendors. If a vendor mismatch is detected, the firewall maps the URL categories in the URL Filtering profiles and rules that it received from Panorama to URL categories that align with those of the vendor enabled on the firewall.
Therefore, for a deployment in which some firewalls run PAN-OS 6.0 or later and some firewalls run earlier PAN-OS versions, Panorama must use the same URL filtering vendor as the firewalls that run earlier PAN-OS versions. For example, if firewalls that run PAN-OS 5.0 use PAN-DB, and firewalls that run PAN-OS 7.0 use BrightCloud, Panorama must use PAN-DB.
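The vendor rule above, written as a check over a firewall inventory. This is an added example, not part of the Palo Alto Networks documentation: the inventory, device names and function names are constructed, and treating mixed vendors among pre-6.0 firewalls as a conflict is an inference from the matching rule rather than a statement on this page.

```python
VENDORS = {"paloaltonetworks", "brightcloud"}  # names as shown in General Settings


def needs_match(panos_version):
    """True for releases before PAN-OS 6.0, which require Panorama to match."""
    major = int(panos_version.split(".")[0])
    return major < 6


def panorama_vendor(firewalls):
    """Decide the URL filtering vendor for Panorama.

    firewalls: list of (name, panos_version, vendor) tuples (constructed inventory).
    Returns (vendor, remapping, conflict):
      vendor    - required vendor, or None if either works or no vendor fits
      remapping - 6.0+ firewalls whose vendor differs and will map categories
      conflict  - True when pre-6.0 firewalls use different vendors
    """
    legacy_vendors = set()
    modern = []
    for name, version, vendor in firewalls:
        if vendor not in VENDORS:
            raise ValueError(f"{name}: unknown vendor {vendor!r}")
        if needs_match(version):
            legacy_vendors.add(vendor)
        else:
            modern.append((name, vendor))

    if len(legacy_vendors) > 1:
        # Inferred from the matching rule: one Panorama cannot match both.
        return None, [], True
    if not legacy_vendors:
        return None, [], False  # no constraint; either vendor is acceptable
    required = next(iter(legacy_vendors))
    remapping = sorted(name for name, vendor in modern if vendor != required)
    return required, remapping, False


# Constructed inventory mirroring the example in the text.
INVENTORY = [
    ("fw-branch-1", "5.0.6", "paloaltonetworks"),
    ("fw-dc-1", "7.0.1", "brightcloud"),
    ("fw-dc-2", "7.0.1", "paloaltonetworks"),
]

if __name__ == "__main__":
    vendor, remapping, conflict = panorama_vendor(INVENTORY)
    print("Panorama vendor:", vendor)
    print("Firewalls that will map categories:", remapping)
```

Firewalls listed in the remapping result are the ones whose pushed profiles and rules will have their URL categories mapped, so review their effective policy after the vendor change.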
Change the URL Filtering Vendor on HA Panorama
In a high availability (HA) deployment, each Panorama peer must be in a non-functional state when you change the URL filtering vendor. Therefore, to avoid disrupting Panorama operations, change the URL filtering vendor on the passive Panorama (Panorama2 in this example) and then trigger failover before changing the vendor on the active Panorama (Panorama1 in this example).
1. Change the URL filtering vendor on each Panorama HA peer. Complete this task on Panorama2 (passive peer) before Panorama1 (active peer).
   a. Log in to the Panorama web interface.
   b. Select Panorama > High Availability and Suspend local Panorama. When you perform this step on Panorama1, failover occurs and Panorama2 becomes active.
   c. Select Panorama > Setup > Management and edit the General Settings.
   d. Select the URL Filtering Database vendor: paloaltonetworks (PAN-DB) or brightcloud.
   e. Select Panorama > High Availability and Make local Panorama functional. When you perform this step on Panorama1 with preemption enabled on both HA peers, Panorama1 automatically reverts to active status and Panorama2 reverts to passive status.
2. Verify that the URL categories are available for referencing in policies.
   a. Select Objects > Security Profiles > URL Filtering.
   b. Click Add and verify that the Categories tab of the URL Filtering profile dialog displays the URL categories associated with the selected vendor.
Change the URL Filtering Vendor on non-HA Panorama
Perform this procedure to change the URL filtering vendor on a Panorama management server that is not deployed in a high availability (HA) configuration.
1. Change the URL filtering vendor.
   a. Select Panorama > Setup > Management and edit the General Settings.
   b. Select the URL Filtering Database vendor: paloaltonetworks (PAN-DB) or brightcloud.
2. Verify that the URL categories are available for referencing in policies.
   a. Select Objects > Security Profiles > URL Filtering.
   b. Click Add and verify that the Categories tab of the URL Filtering profile dialog displays the URL categories associated with the selected vendor.
Migrate Panorama and HA Firewalls from BrightCloud to PAN-DB
Perform this procedure to migrate the URL filtering vendor from BrightCloud to PAN-DB on Panorama and firewalls when the firewalls are deployed in a high availability (HA) configuration. In this example, the active (or active-primary) firewall is named fw1 and the passive (or active-secondary) firewall is named fw2. The migration automatically maps BrightCloud URL categories to PAN-DB URL categories.
1. Determine which firewalls require new PAN-DB URL filtering licenses.
   a. Log in to Panorama and select Panorama > Device Deployment > Licenses.
   b. Check the URL column to determine which firewalls have PAN-DB licenses and whether the licenses are valid or expired. A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license can be active. If you’re not sure whether a PAN-DB URL filtering license is active, access the firewall web interface, select Device > Licenses, and verify that the Active field displays Yes in the PAN-DB URL Filtering section.
   c. Purchase a new license for each firewall that does not have a valid PAN-DB license. In HA deployments, each firewall peer needs a distinct PAN-DB license and authorization code. Palo Alto Networks sends an email containing activation codes for the licenses you purchase. If you can’t find this email, contact Customer Support before proceeding.
2. Change the URL filtering vendor to PAN-DB on Panorama. Access the Panorama web interface and perform one of the following tasks:
   - Change the URL Filtering Vendor on HA Panorama
   - Change the URL Filtering Vendor on non-HA Panorama
3. Configure the TCP session settings on both firewall HA peers to ensure sessions that are not yet synchronized will fail over when you suspend a peer. Log in to the CLI of each firewall and run the following command:
       > set session tcp-reject-non-syn no
4. Migrate the URL filtering vendor to PAN-DB on each firewall HA peer. Complete this task on fw2 (passive or active-secondary peer) before fw1 (active or active-primary peer).
   a. Access the firewall web interface, select Device > High Availability > Operational Commands, and Suspend local device. Performing this step on fw1 triggers failover to fw2.
   b. Select Device > Licenses.
   c. In the License Management section, select Activate feature using authorization code, enter the Authorization Code, and click OK. Activating the PAN-DB license automatically deactivates the BrightCloud license.
   d. In the PAN-DB URL Filtering section, Download the seed file, select your region, and click OK.
   e. Access the Panorama web interface, click Commit, set the Commit Type to Device Group, select the firewall, and click Commit again.
   f. Access the firewall web interface, select Device > High Availability > Operational Commands, and Make local device functional. When you perform this step on fw1 with preemption enabled on both firewalls, fw1 automatically reverts to active (or active-primary) status and fw2 reverts to passive (or active-secondary) status.
5. Revert both firewall HA peers to the original TCP session settings. Run the following command at the CLI of each firewall:
       > set session tcp-reject-non-syn yes
Migrate Panorama and non-HA Firewalls from BrightCloud to PAN-DB
Perform this procedure to migrate the URL filtering vendor from BrightCloud to PAN-DB on Panorama and firewalls when the firewalls are not deployed in a high availability (HA) configuration. The migration automatically maps BrightCloud URL categories to PAN-DB URL categories.
1. Determine which firewalls require new PAN-DB URL filtering licenses.
   a. Log in to Panorama and select Panorama > Device Deployment > Licenses.
   b. Check the URL column to determine which firewalls have PAN-DB licenses and whether the licenses are valid or expired. A firewall can have valid licenses for both BrightCloud and PAN-DB, but only one license can be active. If you’re not sure whether a PAN-DB URL filtering license is active, access the firewall web interface, select Device > Licenses, and verify that the Active field displays Yes in the PAN-DB URL Filtering section.
   c. Purchase new licenses for the firewalls that don’t have valid PAN-DB licenses. Palo Alto Networks sends an email containing activation codes for the licenses you purchase. If you can’t find this email, contact Customer Support before proceeding.
2. Change the URL filtering vendor to PAN-DB on Panorama. Access the Panorama web interface and perform one of the following tasks:
   - Change the URL Filtering Vendor on HA Panorama
   - Change the URL Filtering Vendor on non-HA Panorama
3. Migrate the URL filtering vendor to PAN-DB on each firewall.
   a. Access the firewall web interface and select Device > Licenses.
   b. In the License Management section, select Activate feature using authorization code, enter the Authorization Code, and click OK. Activating the PAN-DB license automatically deactivates the BrightCloud license.
   c. In the PAN-DB URL Filtering section, Download the seed file, select your region, and click OK.
   d. In the Panorama web interface, click Commit, set the Commit Type to Device Group, select the firewall, and click Commit again.
