Confused over EBL size limit


We have a 3020 running 7.0.8 and are experimenting with MineMeld.

As soon as we get close to 5k IPs on the combined EBLs we get an error on an EBL refresh that it's been truncated as it's over the limit.

Palo Alto's own KB suggests that on an entry level PA-200 there is a limit of 50k items on all EBLs combined.

https://live.paloaltonetworks.com/t5/Learning-Articles/Working-with-External-Block-List-EBL-Formats-...

Support are telling me that the limit on 3020 is 5k, which doesn't seem to make sense as a) why would a 200 support more than a 3020 and b) what's the point of something like MineMeld if you can only have 5000 IPs?

Any clarification would be great.


I still have a doubt. If the list has 5000 IPs, what does Palo Alto do?

Does it read from the list only the IPs that it allows?
Does it give an error and not read anything?

Thank you

If the list is larger than the firewall can support, it will download its max allowed (starting at the top and working down) and then drop anything longer than it can accommodate. At this point it will also throw a warning that the max limit has been hit. I'm trying to dig up the exact message, but I believe it was posted in the forums before.

Thank you.

Hi Luigi,

I tried splitting the list but am still getting an error that the maximum in the list is exceeded.


Config firewall:

xxx-Ransomware-IPv4-01 {
    recurring {
        hourly {
            at 45;
        }
    }
    url https://ip/feeds/xxx-Ransomware-IPv4?n=4600;
    type ip;
    description "Ransomware Minemeld list Medium confidence level";
}
xxx-Ransomware-IPv4-02 {
    recurring {
        hourly {
            at 46;
        }
    }
    url https://ip/feeds/xxx-Ransomware-IPv4?s=4600&n=4600;
    type ip;
}
xxx-Ransomware-IPv4-03 {
    recurring {
        hourly {
            at 47;
        }
    }
    url https://ip/feeds/xxx-Ransomware-IPv4?s=9200&n=4600;
    type ip;
}

Running the latest MineMeld and PAN-OS 7.0.9.

Error received when commit is done:

  • EBL(vsys1/xxx-Ransomware-IPv4-02) Exceeding max number of ips at line 4701

When I check in the CLI it is starting at 4600 but not ending until the end of the list.

I think that the parameter n=4600 is not working.

Just tested this and it works for me. Could you try this and paste the output?

$ curl -s https://<minemeld>/feeds/inboundFeedMC\?s=4600\&n=4600  | wc
    4600    4600  133432

Thanks !
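
Added example (not posted by anyone in this thread, and not Palo Alto or MineMeld code): a shell check built on the curl | wc test above, which tells apart a page where n= was ignored from one that is simply over the firewall's entry limit. The function names, the host minemeld.example, the feed name and the sample addresses are made up for illustration; the 5000 limit is the figure quoted in the thread and is passed in as an argument.

```bash
#!/bin/sh
# Added example: audit one page of a paged MineMeld feed before an EBL uses it.
# Live use: curl -s "$url" | audit_chunk "$url" 5000
# Function names, the host minemeld.example and the feed name are hypothetical.

# Print the numeric value of query parameter $2 (s or n) in URL $1, if present.
query_param() {
    printf '%s\n' "$1" | sed -n "s/.*[?&]$2=\([0-9][0-9]*\).*/\1/p"
}

# Print the query strings needed to cover $1 entries in pages of $2,
# in the same form as the three EBL URLs in the config above.
plan_pages() {
    pp_s=0
    while [ "$pp_s" -lt "$1" ]; do
        if [ "$pp_s" -eq 0 ]; then echo "n=$2"; else echo "s=$pp_s&n=$2"; fi
        pp_s=$((pp_s + $2))
    done
}

# Read a feed body on stdin; $1 = URL it came from, $2 = firewall entry limit.
audit_chunk() {
    ac_n=$(query_param "$1" n)
    # Every non-blank line is an entry the firewall will try to load.
    ac_count=$(grep -c -v '^[[:space:]]*$' || true)
    if [ -n "$ac_n" ] && [ "$ac_count" -gt "$ac_n" ]; then
        # Server returned more than the page size asked for: n= was not applied.
        echo "N_IGNORED requested=$ac_n received=$ac_count"
    elif [ "$ac_count" -gt "$2" ]; then
        # Entries past the limit are the ones dropped on refresh.
        echo "OVER_LIMIT received=$ac_count dropped=$((ac_count - $2))"
    else
        echo "OK received=$ac_count"
    fi
}

# Constructed sample data: $1 sequential addresses, one per line.
sample_feed() {
    awk -v c="$1" 'BEGIN { for (i = 0; i < c; i++) printf "10.0.%d.%d\n", int(i / 256), i % 256 }'
}

url='https://minemeld.example/feeds/example-feed?s=4600&n=4600'
plan_pages 13000 4600
sample_feed 4600 | audit_chunk "$url" 5000    # page honours n
sample_feed 8400 | audit_chunk "$url" 5000    # page runs to the end of the list
```

Running it against each EBL URL before a commit shows which page would trip the "Exceeding max number of ips" error and why.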
