topic Re: EDL Limit in Next-Generation Firewall Discussions

EDL Limit

Mitesh_Nandu — Fri, 30 May 2025 03:03:30 GMT

How we can increase the External Dynamic List (EDL) max IP limit ?

For example: PA 3420 has 50,000 IP limit, how we can increase this limit in EDL ?

Re: EDL Limit

mshekh — Fri, 30 May 2025 04:01:57 GMT

EDL limits are platform based so you can't increase the limit however you can review your eld list and optimise it as per your requirement.

https://www.paloaltonetworks.com/products/product-selection

Re: EDL Limit

reaper — Mon, 02 Jun 2025 14:10:33 GMT

since these linits ar edetermined by the hardware, the only solution is "buy a bigger box' 😉

Re: EDL Limit

Mitesh_Nandu — Fri, 06 Jun 2025 00:41:14 GMT

Thanks @mshekh & @reaper for reply....

Want to understand EDL working.

In our environment we are having 3 custom edl url IP list, in each url IP list having 50000 IP entries. In this scenario what will happens ?

Will PA only read custom list 1 & block all the IPs in that list or PA will read all the custom list & block any 50000 IPs.

Re: EDL Limit

Mitesh_Nandu — Fri, 06 Jun 2025 00:41:40 GMT

Thanks @mshekh & @reaper for reply....

Want to understand EDL working.

In our environment we are having 3 custom edl url IP list, in each url IP list having 50000 IP entries. In this scenario what will happens ?

Will PA only read custom list 1 & block all the IPs in that list or PA will read all the custom list & block any 50000 IPs.

Re: EDL Limit

OtakarKlier — Fri, 06 Jun 2025 18:19:48 GMT

Hello,

That is a lot of entries. What are you attempting to achieve? Use the Regions in the security policies to allow/block certain countries. However playing IP whack a mole is futile.

Regards,

Re: EDL Limit

BPry — Sat, 07 Jun 2025 04:52:11 GMT

@Mitesh_Nandu,

I don't have an answer to your question regarding how PAN-OS handles reaching the object limit for an EDL, but I have to question if a 50,000 object EDL is actually being used efficiently. Do you actually utilize an EDL that needs to be 50,000 objects that couldn't be condensed into ranges to help cut back on the object count (IE: do you aggregate and dedupe them?) Do you just keep every single address you've identified ever in the EDL without aging anything out?

If you detail what these are actually being used for a bit more maybe collectively we would have some ideas to help you live within the limitation, or as @reaper pointed out your business requirements may just simply mandate that the 3420 wasn't a good fit and maybe your EDL usage needed a 5420 where you could have 150,000.

150,000 addresses really is the max regardless of platform as far as I'm aware however and I'm slightly concerned that you may essentially have 150,000 entries based off of your questioning. That is a big reason why I would maybe work on either trimming that down or putting something simple like an IP blocklist on your router(s) upstream from your actual firewall.

Re: EDL Limit

Mitesh_Nandu — Sun, 22 Jun 2025 15:51:12 GMT

@BPry

Thanks for the valuable input.

EDL limit for 3420 has been increased from 50000 to 150000.

When we run the below command in appliance output was showing 150000, Palo Alto document is not updated.

show system state | match max-edl