07-27-2016 11:57 AM
I've been experimenting with MineMeld and love it - brilliant product 🙂
That said, I'm struggling to get a clear idea what the size limit is of each blocklist.
https://live.paloaltonetworks.com/t5/Learning-Articles/How-are-Dynamic-Block-List-Entries-Counted-on... suggests even a PA200 can handle a list with 50k entries but in the same article it suggests a PA3020 has a limit of just 5k entries.
What is the limit please? For example the Alienvault reputation feed is approximately 16k entries.
Thanks 🙂
07-27-2016 12:21 PM
Hi,
Please see below:
For PA-200 it depends on the PAN-OS version.
07-27-2016 12:58 PM
Thanks, but that article doesn't make sense unless I'm totally misreading it.
When running PAN-OS 7.0.x on a PA-200, it can have:
OK so a PA200 can have 1 list with 50,000 IPs, that's great, but:
Hardware                   | Maximum Address Entries
---------------------------|------------------------
PA-200, PA-500             | 2500
PA-3020                    | 5000
PA-3050, PA-3060, PA-5020  | 10000
PA-5050                    | 40000
PA-5060, PA-7050           | 80000
So a PA3020 can only have 5000 entries whilst that table also states that a PA200 can only have 2500 entries.
Some of the reputation feeds out there can be 20k entries and it's hard to believe that a PA200 could use that but a PA3020 could not.
07-27-2016 02:02 PM - edited 07-27-2016 02:02 PM
I am with you but cannot confirm as I do not have any PA-200 on 7.0.x PAN-OS.
Below output from our lab firewall:
BAS-LAB-PA-3050> show system state | match cfg.general.max-address
cfg.general.max-address: 10000
cfg.general.max-address-group: 1000
cfg.general.max-address-per-group: 2500
BAS-LAB-PA-3050>
Cheers
07-27-2016 02:02 PM
You are confusing what the two graphs are actually saying. A PA firewall regardless of version can have 10 external block lists that compose no more than 50000 IPs in total. The graph at the very bottom states how many address groups can be on any one device. The EBL that you configure counts as one of these address groups, regardless of how many entries it actually has.
07-28-2016 09:33 AM - edited 07-28-2016 09:34 AM
@BPry I don't agree.
Both areas use the terminology "external lists". Neither says "address groups".
I'm not saying your understanding or interpretation is not accurate. I'm just saying that the verbiage is confusing to me as well.
You have a "bolded" heading saying:
Maximum number of External Block Lists and Address Entries Within Each List
Under that you have a chart saying max entries for a 200 is 2,500. And max entries for a 5060 is 80,000.
Below all of that you have a caveat that says *If* running a specific PAN-OS version on a given hardware platform your cap is "X" or "50000 IPs" for an external list.
To me they're saying the same things but using different values. It is confusing to me as well. It's almost as if someone just glommed a bunch of ideas together without a larger thought for how that data would be interpreted.
07-28-2016 09:44 AM
Thanks Brandon, tbh it's a dog of a badly worded article but if 50k is the magic number that's all I need to know 🙂
07-28-2016 10:04 AM
I won't deny that the entry is confusing, however
That entry is where they talk about the address object limitations; the example that they gave with the limitation of 5000 entries is from a PA-3020.
I wouldn't say that the document is very well put together, and PA should update it accordingly, however it isn't to the point where you can't decipher what they were trying to relay. I will say that describing how PA does EBL does require a knowledge of the address object limitations on any particular device; as without that knowledge you could imagine that 4700 entries on an EBL would count as 4700 address objects, which would put PA-200s and PA-500s over the maximum amount of address objects they can process.
08-01-2016 03:25 AM
Hi,
In PAN-OS 7.1 this feature was enhanced by adding 2 new types of lists you can add (URL and Domain).
With that release some articles were created that also cover the limits of EDLs:
Hope these help.
Kim.
02-14-2017 07:12 AM
Maybe I misunderstand something but we have made up an EDL from vxvault (URL List). We have configured this EDL to be blocked in the URL Profile. This URL Profile is then being used in the FW Security Policy.
But it seems access to the URLs in the list does not get blocked; we can still access them and it does not get blocked by the FW.
For example 182.255.5.201/~bemkmund/two/files/ne.exe
We have double checked above URL and it is in the EDL List.
Any ideas ?
Thanks
Roland
02-14-2017 07:42 AM
URL Filtering is a little complex in the format requirements; I would double check that you actually have things formatted correctly for that site. If you don't mind posting the actual URL listed we can help double check that everything is formatted correctly.
02-14-2017 08:28 AM
You see the URL in my previous post..
06-19-2019 10:04 AM
I am reviving this since I have the problem and it seems hard to find the correct answer. But PA support told me to run on my 3020 the following command:
admin@PA3020PRI(active-primary)> request system external-list list-capacities

List Type        Currently used in policy    Total Capacity
IP               50000                       50000
Domain           954                         50000
URL              50000                       50000
Predefined-IP    613                         20000
As you can see there is a limit of 50000 IPs whether you have 1 or 10 EDLs created: you could have 1 EDL with 10000 IPs and another with 40000 and you would hit your limit. Seems shortsighted in my opinion, since most of us would want to ingest threat intelligence from different providers we might be in business with; AlienVault for example had 80000 IPs and I could only ingest 50000.
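The post above describes the practical problem: the IP capacity reported by `request system external-list list-capacities` is shared across all IP EDLs, so the sum of what each feed contributes is what has to fit. The script below is an added example, not code from the thread or from Palo Alto Networks: it parses the capacity output, counts the unique entries each feed would contribute after stripping comments, blanks, duplicates and unparsable lines, and reports whether the combined feeds fit. It assumes (as the thread does) that each line of an IP EDL counts as one entry whether it is a host or a CIDR and that the capacity is summed across lists; the optional CIDR aggregation step, which merges adjacent or overlapping prefixes with the standard library, is one way to fit an oversized feed under the limit. The capacity output and feed contents are constructed samples, not real threat intelligence.

```python
"""Check whether a set of IP feeds fits the EDL capacity a PAN-OS box reports.

Added example for the thread; assumptions are noted inline.
"""
import ipaddress
import re
from typing import Dict, List

# Constructed sample mirroring the shape of the CLI output posted above.
SAMPLE_CAPACITY_OUTPUT = """\
List Type        Currently used in policy    Total Capacity
IP               50000                       50000
Domain           954                         50000
URL              50000                       50000
Predefined-IP    613                         20000
"""

# Constructed sample feeds (documentation ranges only, not real intel).
FEED_A = """\
# constructed feed A: one duplicate, one junk line, one CIDR
203.0.113.10
203.0.113.10      # duplicate, must count once
203.0.113.11
198.51.100.0/24
not-an-ip
"""
FEED_B = """\
# constructed feed B: two adjacent /25s that aggregate to one /24
192.0.2.0/25
192.0.2.128/25
2001:db8::1
"""
SAMPLE_FEEDS = {"feed_a": FEED_A.splitlines(), "feed_b": FEED_B.splitlines()}

# One data row: "<type> <used> <total>"; the header line has no digits, so it is skipped.
CAPACITY_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_capacities(text: str) -> Dict[str, tuple]:
    """Return {list_type: (used, total)} from `list-capacities` output."""
    caps = {}
    for line in text.splitlines():
        m = CAPACITY_RE.match(line.strip())
        if m:
            caps[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return caps


def normalise_ip_feed(lines: List[str]) -> List[ipaddress._BaseNetwork]:
    """Parse one IP or CIDR per line; drop comments, blanks and invalid entries.

    Assumption: the feed uses '#' for comments, as many public feeds do.
    """
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            continue  # junk line: the firewall would not match on it anyway
    return nets


def plan_ip_feeds(feeds: Dict[str, List[str]], ip_capacity: int,
                  aggregate: bool = False) -> dict:
    """Count unique entries per feed, total them, and compare with capacity.

    Assumption: each entry (host or CIDR) costs one slot and the capacity is
    shared across all IP EDLs, as the thread describes. With aggregate=True,
    adjacent/overlapping prefixes are collapsed to shrink the entry count.
    """
    per_feed = {}
    for name, lines in feeds.items():
        nets = set(normalise_ip_feed(lines))  # a set drops exact duplicates
        if aggregate:
            # collapse_addresses refuses mixed versions, so split v4 and v6.
            v4 = [n for n in nets if n.version == 4]
            v6 = [n for n in nets if n.version == 6]
            nets = (set(ipaddress.collapse_addresses(v4))
                    | set(ipaddress.collapse_addresses(v6)))
        per_feed[name] = len(nets)
    total = sum(per_feed.values())
    return {
        "per_feed": per_feed,
        "total": total,
        "capacity": ip_capacity,
        "fits": total <= ip_capacity,
        "overflow": max(0, total - ip_capacity),
    }


if __name__ == "__main__":
    caps = parse_capacities(SAMPLE_CAPACITY_OUTPUT)
    _used, ip_cap = caps["IP"]
    for agg in (False, True):
        plan = plan_ip_feeds(SAMPLE_FEEDS, ip_cap, aggregate=agg)
        print(f"aggregate={agg}: {plan}")
```

Run it against the real output of `request system external-list list-capacities` and your actual feed files; if `fits` is false, `overflow` is the number of entries you have to shed, and turning on aggregation shows how much of that a CIDR merge would recover before you resort to cutting a feed.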