IP List limitations

ksauer507 — Tue, 17 Dec 2024 15:43:27 GMT

We would like to integrate with AbuseIPDB after seeing numerous global protect VPN logon failures. We've greatly slowed this process down but it was a manual process of pulling reports to a list and we have an EDL download this list on a regularly scheduled basis.

Instead of a manual process, we were going to with Panorama API key and scripting report to AbuseIPDB and also ingest from AbuseIPDB. However, if we even decide to pull in IP blocks with a 95% confidence level, that's 67,307 IP addresses (a constantly moving target). If we move that up to 100% confidence level of malicious IPs, that brings it down to about 62,000 IP addresses.

We have 4th gen firewalls in our Primary data center, the 1420's. We have 460's in or DR datacenter (which was getting attacked just as hard). When we look at capacities, we see in list type IPs there is only a total capacity of 50,000 IP addresses.

With pfSense and OpnSense - FREE (unless you buy their hardware and support them), the limit for IP address lists, also known as aliases, is defined by the "Firewall Maximum Table Entries" setting, which defaults to 400,000 entries; meaning you can store up to 400,000 IP addresses across all your aliases within the firewall tables, and you may need to increase this value if you plan to use large lists of IP addresses in your firewall rules. So with a free solution on a well enough box, you can even set some tunables to go past 400,000.

So is the Palo alto firewalls just cadalac boxes on plastic wheels? Is there any way to overcome this limitation?

Would summarizing IPs count as 1 ip? For example, if entering an IP as a /24, would that count as one entry, or 255 entries (the amount of IP's that CIDR network notation covers?)

Anyone put another appliance in front of Palo Alto, in a highly available way for additional filtering?
This is just an asinine limitation. These firewalls costs in the 6 figures, granted that includes 5 years of support. Why such a puny IP space?

Re: IP List limitations

ozheng — Thu, 02 Jan 2025 08:00:50 GMT

Hello @ksauer507 ,

If you aggregate multiple IPs into a network address, it will be counted as 1.

Regarding the appliance in front of Palo Alto network, it may be an option if the device capacity can take the load.

Regarding the comparison with the other solutions, you should compare apple with apple and not only focus on just the IP number (for instance, does the other solutions inspect for traffic threats?)

Also one simple option: are you expecting the GP users to connect from every country? If no, you can make a security policy to block traffic to another countries.

Olivier

Re: IP List limitations

ksauer507 — Thu, 23 Jan 2025 19:31:49 GMT

Only United States is allowed to connect to GP. Still theres plenty of open VPN servers in the US that attackers use to do credential spraying.

topic Re: IP List limitations in Next-Generation Firewall Discussions

IP List limitations

Re: IP List limitations

Re: IP List limitations