topic Re: EDL in vsys environment in General Topics

EDL in vsys environment

nextgenhappines — Wed, 13 Nov 2019 19:09:07 GMT

Hello,

We have a pair of 5250 running PANOS 8.1 with 125 vsys. We want to deploy EDL to block well known attackers. My understand is the EDL has a limit of 150000 entries for IP list.

If I create a shared EDL (type IP list) with 10 entieres and create 2 panorama shared security rules for inbound and outbound for all 125 vsys. Is that count as 1250 entries or 10 entries?

Thanks,

Re: EDL in vsys environment

S.Cantwell — Wed, 13 Nov 2019 19:29:37 GMT

Hello there

I believe your 150,000 limit is total across the appliance itself, regardless of vsys.

so your 10 entries x 125 vsys = 1250 of the total 150,000.

Re: EDL in vsys environment

OtakarKlier — Wed, 13 Nov 2019 23:02:46 GMT

Hello,

Also try to stay away from IP's unless you know they are super bad. This will reduce the number in your EDL hopefully. For inbound traffic, try a whitelist or blacklist to sites you are hosting and do it by country, do you really need some countries connecting in? For outbound traffic utilize the URL filtering as well as the DNS sinkhole feature. PAN also has a new secure DNS feature or you can use other ones to help in filtering out known bad places.

Regards,

Re: EDL in vsys environment

nextgenhappines — Thu, 14 Nov 2019 16:59:57 GMT

I agree with your points. The logic is to use well known blacklisted IPs and create EDL to load to the firewall.

Re: EDL in vsys environment

OtakarKlier — Thu, 14 Nov 2019 17:04:02 GMT

Hello,

I agree with you. Palo Alto has built in ones you can use. Here is also a list of ones I use. However I rarely get hits on these policies.

Source on PAN support:

https://live.paloaltonetworks.com/message/54183#54183

Sans notes on this:

https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall/19365/

Others listed on this site:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

http://malc0de.com/bl/IP_Blacklist.txt

http://panwdbl.appspot.com/lists/openbl.txt

http://panwdbl.appspot.com/

http://cinsscore.com/list/ci-badguys.txt

Regards,

Re: EDL in vsys environment

nextgenhappines — Sun, 01 Mar 2020 16:53:42 GMT

After months working with TAC, finally got a solid answer,

In my case, we have multiple pair of 5260, each pair is licensed for 125 vsys, and we want to take IP block list feed from Duke University Stingar project and apply it as inbound and outbound drop rule on every vsys.

The 5260 currently support 150000 entries for IP list. It is 150000 total for 125 vsys, that comes out to be 1200 entries per vsys.

If the EDL list is not apply to any security rule, it does not count toward the EDL entries limit.

There is a feature request #13759: “Ability to push a shared EDL object from Panorama to Firewall”. That will change the behavior of the "shared" EDL. If you feel you can benefit from this feature enhancement, please speak with your PAN rep/SE to cast your vote for FR #13759.

Thanks,

Re: EDL in vsys environment

JWinkler — Thu, 29 Apr 2021 17:52:52 GMT

I understand this is an old post, but does anyone have an update on this? We are wanting to leverage some IP block lists but don't want to be limited to a few hundred addresses