This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Confused over EBL size limit
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Confused over EBL size limit
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Confused over EBL size limit
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-17-2016 11:07 AM
We have a 3020 running 7.0.8 and are experimenting with MineMeld.
As soon as we get close to 5k IPs on the combined EBLs we get an error on a EBL refresh that it's been truncated as it's over the limit.
Palo Alto's own KB suggests that on an entry level PA-200 there is a limit of 50k items on all EBLs combined.
Support are telling me that the limit on 3020 is 5k which doesn't seem to make sense as a) why would a 200 support more than a 3020 and b) what's the point of something like minmeld if you can only have 5000 IPs?
Any clarification would be great.
9 REPLIES 9
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-17-2016 11:16 AM - edited 08-17-2016 11:17 AM
For 7.0.x and earlier read this article. Specifically the 3rd entry down.
For 7.1 see this link.
Either way PanOS sets aside 300 entries so the number will always be 300 lower than the maximum. The limit on your 3020 running 7.0.8 will be 4700.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-17-2016 02:32 PM
In addition to Greg answer about enanchements in 7.1, note that:
- you can limit the number of entries of MineMeld output feeds retrieved by PAN-OS using the 'n' URL parameter. Example: https://<minemeld>/feeds/inboundhcfeed?n=1000 will retrieve only the top 1000 entries of the feed
- output feeds by default in MineMeld are sorted by recency. This means that when you retrieve the 1000 topmost entries, the 1000 most recent entries are retrieved
Regards,
luigi
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-29-2016 02:55 AM
Hi,
I have a Pa-500 version 6.1.0
show system state | match cfg.general.max-address
cfg.general.max-address: 0x9c4 --> 2500 IP
cfg.general.max-address-group: 0xfa --> 250
cfg.general.max-address-per-group: 0x1f4 --> 500
peer.cfg.general.max-address: 0x9c4
peer.cfg.general.max-address-group: 0xfa
peer.cfg.general.max-address-per-group: 0x1f4
I am confused with the limits of the lists. I can not predict how big the feed can become. If it's bigger than the limits, does the Palo Alto read the list as much as I can or can not read it?
With these values, how many lists can I have?
How many values can this list have?
In global, how many ip can I have?
Regards
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
11-29-2016 03:49 AM - edited 11-29-2016 03:50 AM
check here:
Your PA-500 with PAN-OS 6.1 can have:
- up to 10 Dynamic Block Lists
- each DBL can contain up to (max-addresses-300) entries = 2200 IPs
Note: this has changed in PAN-OS 7.1, check @Greg_R previous post.
In MineMeld you can use the "n" and "s" feed parameter to slice a feed. Example:
https://<minemeld ip>/feeds/inboundhc => full list of indicators
https://<minemeld ip>/feeds/inboundhc?n=2200 => first 2200 entries in the list
https://<minemeld ip>/feeds/inboundhc?s=2200&n=2200 => entries 2201-4400 in the list
Note: feeds by default are sorted based on the update time, this means that when you retrieve the first N entries these will be the N most recent entries.
Hope it helps,
luigi
Related Content
- File size limit for uploading IOCs manually in Cortex XDR Discussions
- unknown traffic pcaps just stopped happening one day around 2 weeks ago in Next-Generation Firewall Discussions
- Unable to manually upload PAN-OS software into the firewall getting "upload file size exceeds system limit error" in General Topics
- High Utilization of the configuration memory utilization on the dataplane in General Topics
- server not starting after upgrade to 6.2 version in Cortex XSOAR Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks