EDL Capacity Reached but Lists Show Empty / Default Entry (0.0.0.0/32) – Panorama Multi-VSYS Setup Post:

A.AlHafi — Mon, 27 Apr 2026 06:32:16 GMT

Hi Everyone,

I am currently facing an issue with External Dynamic Lists (EDLs) in a Panorama-managed multi-vsys firewall setup and would appreciate your guidance.

Scenario:

EDLs are configured on Panorama and pushed to a multi-vsys managed firewall.
The EDL source URLs are reachable, and the .txt files contain valid IP entries.
The EDLs are correctly referenced in security policies.

Issue:

When attempting to add a new EDL, it is not being fetched on the firewall.
Upon checking the EDL capacity using:

request system external-list list-capacities

it shows that the IP EDL capacity limit has been reached.

When verifying the individual EDL entries, the lists appear to only contain the default entry:

0.0.0.0/32
This behavior is consistent across multiple EDLs.
Despite this, the firewall still reports that the EDL limit is fully utilized.

What has been verified:

EDL URLs are reachable from the firewall.
EDLs are actively referenced in security policies.

Questions:

Has anyone encountered a situation where EDL capacity is fully consumed, but the lists appear empty or only show 0.0.0.0/32?
What would be the best way to accurately validate actual EDL usage vs reported capacity?

Any insights or recommended troubleshooting steps would be highly appreciated.

Thank you in advance!

Re: EDL Capacity Reached but Lists Show Empty / Default Entry (0.0.0.0/32) – Panorama Multi-VSYS Setup Post:

TomYoung — Mon, 27 Apr 2026 18:26:00 GMT

Hi @A.AlHafi ,

I have run into this issue. What I have found is that there is one or more EDLs that reach the max, e.g. 50K IP entries, and then all the other EDLs are blank. In my case the NGFW seemed to populate the EDLs from top to bottom in the configuration. When you commit, you should see the EDL warning.

In your case, you don't seem to be able to find the EDLs that consume all the entries. Have you checked all vsys? The EDL limit is per system and not per vsys.

The best way to validate EDL usage is with the command you mentioned, "request system external-list list-capacities". The "Currently used in policy" column has proved accurate for me.

Thanks,

Tom

topic EDL Capacity Reached but Lists Show Empty / Default Entry (0.0.0.0/32) – Panorama Multi-VSYS Setup Post: in General Topics

EDL Capacity Reached but Lists Show Empty / Default Entry (0.0.0.0/32) – Panorama Multi-VSYS Setup Post:

Re: EDL Capacity Reached but Lists Show Empty / Default Entry (0.0.0.0/32) – Panorama Multi-VSYS Setup Post: