About address and EBL limitation for maximum

L4 Transporter

Hello.

I have some questions about the maximum number of addresses and EBLs.

1.

https://live.paloaltonetworks.com/t5/Configuration-Articles/Using-IP-Address-Lists-on-Palo-Alto-Netw...

The above document states: "Each imported list can contain up to 5,000 IP addresses (IPv4 and/or IPv6), IP ranges, or subnets."

How many lists can the FW create? What is the maximum?


2.

I checked the following CLI output:

show system state filter cfg.general.max*

->cfg.general.max-blacklist : 25000

Is the above blacklist for URL Filtering?

I found the discussion below:

https://live.paloaltonetworks.com/t5/General-Topics/Size-limit-for-URL-block-list/m-p/27631/highligh...

Right?


3.

This question is important.

The PA-3020 can have a maximum of 5000 addresses.

"cfg.general.max-address: 5000"

I want to know whether this value includes the EBL list or excludes it.

Also, the PA can make security rules without address objects.

When IPs are written directly in security rules on the FW, how many IPs can I enter without address objects?

What is the maximum? Is this maximum included in "max-address : 5000"?

Thanks,

KC Lee


Accepted Solutions
L6 Presenter

Hi there...This is extracted from the 7.0 admin guide.  You can have 10 DBL lists.

[Image: DBL.JPG]


2) Yes, the maximum number of entries (in your case 25,000) is for the entire device, and is shared across the allow list, block list, and custom URL categories.

3) The DBL is separate from the max address.

 

Thanks.

L4 Transporter

Hi,

Thanks for your answer.

May I ask some further questions?

About question No. 3 that I asked:

I heard from someone that one DBL list occupies one of the address objects.

You meant that one DBL list does not equal one address object, right?

And a new question.

Please look at the following document.

https://live.paloaltonetworks.com/t5/Configuration-Articles/Using-IP-Address-Lists-on-Palo-Alto-Netw...

This doc states: "Each imported list can contain up to 5,000 IP addresses (IPv4 and/or IPv6), IP ranges, or subnets."

But the above sentence differs from the result of my test.

PA-200 can have 2200 lines in one DBL list [2500 (max addresses) - 300 (system register IPs)]

PA-3020 can have 4700 lines in one DBL list [5000 (max addresses) - 300 (system register IPs)]

Which is true: that all platforms can have 5,000, or that each model can have its own max addresses minus 300?

I hope you can let me know.

Thanks.
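
An added example, not part of the original thread and not vendor code: a pre-import check that counts the IP addresses, ranges and subnets in a list file and compares the total with a per-list limit. The 5,000 default is the figure quoted from the article in the posts above; the function names, the one-entry-per-line layout and the sample entries are assumptions made for this sketch.

```python
import ipaddress

# Per-list figure quoted in the thread from the vendor article. The follow-up
# post reports lower per-model results (2200, 4700), so pass the limit you trust.
QUOTED_PER_LIST_LIMIT = 5000

def classify_entry(text):
    """Return 'ip', 'range' or 'subnet' for a valid entry, else None."""
    text = text.strip()
    try:
        if "-" in text:  # range written as start-end
            start, end = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            ok = start.version == end.version and start <= end
            return "range" if ok else None
        if "/" in text:  # subnet in CIDR notation
            ipaddress.ip_network(text, strict=False)
            return "subnet"
        ipaddress.ip_address(text)
        return "ip"
    except ValueError:
        return None

def check_list(lines, limit=QUOTED_PER_LIST_LIMIT):
    """Count valid entries (one per line is assumed) and compare with limit."""
    counts = {"ip": 0, "range": 0, "subnet": 0}
    invalid = []
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue  # blank lines are not entries
        kind = classify_entry(line)
        if kind is None:
            invalid.append((number, line.strip()))
        else:
            counts[kind] += 1
    total = sum(counts.values())
    return {"counts": counts, "total": total, "invalid": invalid,
            "over_by": max(0, total - limit)}

# Constructed sample using documentation address ranges, not data from the thread.
SAMPLE = """192.0.2.10
198.51.100.0/24
203.0.113.5-203.0.113.20
2001:db8::1
2001:db8:1::/48

203.0.113.9-192.0.2.1
not-an-address
"""

if __name__ == "__main__":
    print(check_list(SAMPLE.splitlines()))
    print(check_list(SAMPLE.splitlines(), limit=4))
```

Each line is counted as one entry regardless of how many addresses a range or subnet covers, which matches how the posts above count "lines" in a list.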
