08-17-2016 11:07 AM
We have a 3020 running 7.0.8 and are experimenting with MineMeld.
As soon as we get close to 5k IPs on the combined EBLs we get an error on a EBL refresh that it's been truncated as it's over the limit.
Palo Alto's own KB suggests that on an entry level PA-200 there is a limit of 50k items on all EBLs combined.
Support are telling me that the limit on 3020 is 5k which doesn't seem to make sense as a) why would a 200 support more than a 3020 and b) what's the point of something like minmeld if you can only have 5000 IPs?
Any clarification would be great.
08-17-2016 11:16 AM - edited 08-17-2016 11:17 AM
For 7.0.x and earlier read this article. Specifically the 3rd entry down.
For 7.1 see this link.
Either way PanOS sets aside 300 entries so the number will always be 300 lower than the maximum. The limit on your 3020 running 7.0.8 will be 4700.
08-17-2016 02:32 PM
In addition to Greg answer about enanchements in 7.1, note that:
- you can limit the number of entries of MineMeld output feeds retrieved by PAN-OS using the 'n' URL parameter. Example: https://<minemeld>/feeds/inboundhcfeed?n=1000 will retrieve only the top 1000 entries of the feed
- output feeds by default in MineMeld are sorted by recency. This means that when you retrieve the 1000 topmost entries, the 1000 most recent entries are retrieved
Regards,
luigi
11-29-2016 02:55 AM
Hi,
I have a Pa-500 version 6.1.0
show system state | match cfg.general.max-address
cfg.general.max-address: 0x9c4 --> 2500 IP
cfg.general.max-address-group: 0xfa --> 250
cfg.general.max-address-per-group: 0x1f4 --> 500
peer.cfg.general.max-address: 0x9c4
peer.cfg.general.max-address-group: 0xfa
peer.cfg.general.max-address-per-group: 0x1f4
I am confused with the limits of the lists. I can not predict how big the feed can become. If it's bigger than the limits, does the Palo Alto read the list as much as I can or can not read it?
With these values, how many lists can I have?
How many values can this list have?
In global, how many ip can I have?
Regards
11-29-2016 03:49 AM - edited 11-29-2016 03:50 AM
check here:
Your PA-500 with PAN-OS 6.1 can have:
- up to 10 Dynamic Block Lists
- each DBL can contain up to (max-addresses-300) entries = 2200 IPs
Note: this has changed in PAN-OS 7.1, check @Greg_R previous post.
In MineMeld you can use the "n" and "s" feed parameter to slice a feed. Example:
https://<minemeld ip>/feeds/inboundhc => full list of indicators
https://<minemeld ip>/feeds/inboundhc?n=2200 => first 2200 entries in the list
https://<minemeld ip>/feeds/inboundhc?s=2200&n=2200 => entries 2201-4400 in the list
Note: feeds by default are sorted based on the update time, this means that when you retrieve the first N entries these will be the N most recent entries.
Hope it helps,
luigi
11-29-2016 07:53 AM
11-29-2016 07:57 AM
If the list is larger than the firewall can support, it will download its max allowed (starting at the top and working down) and then drop anything longer than it can accomdate. At this point it will also throw a warning that the max limit has been hit. I'm trying to dig up the exact message, but I believe it was posted in the forums before.
02-08-2017 12:14 PM - edited 02-08-2017 12:15 PM
Hi Luigi,
I tried splitting the list but still getting error that maximum in the list is exceeded.
Config firewall:
xxx-Ransomware-IPv4-01 {
recurring {
hourly {
at 45;
}
}
url https://ip/feeds/xxx-Ransomware-IPv4?n=4600;
type ip;
description "Ransomware Minemeld list Medium confidence level";
}
xxx-Ransomware-IPv4-02 {
recurring {
hourly {
at 46;
}
}
url https://ip/feeds/xxx-Ransomware-IPv4?s=4600&n=4600;
type ip;
}
xxx-Ransomware-IPv4-03 {
recurring {
hourly {
at 47;
}
}
url https://ip/feeds/xxx-Ransomware-IPv4?s=9200&n=4600;
type ip;
}
Running lateste Minemeld and PAN-OS 7.0.9.
Error received when commit is done:
When I check in CLI it is starting at 4600 but not ending untill the end of the list.
I think that the parameter is n=4600 is not working.
02-08-2017 01:25 PM
Just tested this and works for me. Could you try this and paste the output ?
$ curl -s https://<minemeld>/feeds/inboundFeedMC\?s=4600\&n=4600 | wc
4600 4600 133432
Thanks !
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
