I've been experimenting with MineMeld and love it - brilliant product 🙂
That said, I'm struggling to get a clear idea what the size limit is of each blocklist.
https://live.paloaltonetworks.com/t5/Learning-Articles/How-are-Dynamic-Block-List-Entries-Counted-on... suggests even a PA200 can handle a list with 50k entries but in the same article it suggests a PA3020 has a limit of just 5k entries.
What is the limit please? For exampel the Alienvault reputation feed is approximately 16k entries.
Thanks, but that article doesn't make sense unless I'm totally misreading it.
When running PAN-OS 7.0.x on a PA-200, it can have:
OK so a PA200 can have 1 list with 50,000 IP's that's great but:
|Hardware||Maximum Address Entries|
So a PA3020 can only have 5000 entries whilst that table also states that a PA200 can only have 2500 entries.
Some of the reputation feeds out there can be 20k entries and it's hard to believe that a PA200 could use that but a PA3020 could not.
I am with you but cannot confirm as do not have any PA-200 on 7.0.X PAN-OS
Below output from our lab firewall:
BAS-LAB-PA-3050> show system state | match cfg.general.max-address
YOu are confusing what the two graphs are actually saying. A PA firewall regardless of version can have 10 external block lists that compose no more than 50000 IPs in total. The graph at the very bottom states how many anddress groups can be on any one device. The EBL that you configure counts as one of these address groups, regardless of how many entries it actually has.
@BPry I don't agree.
Both areas use the terminology external lists. Neither say address groups.
I'm not saying your understanding or interpretation is not accurate. I'm just saying that the verbiage is confusing to me as well.
You have a "bolded" heading saying:
Maximum number of External Block Lists and Address Entries Within Each List
Under that you have a chart saying max entries for a 200 is 2,500. And max entries for a 5060 is 80,000.
Below all of that you have a caveat that says *If* running a specific PAN-OS version on a given hardware platform your cap is "X" or "50000 IPs" for an external list.
To me they're saying the same things but using different values. It is confusing to me as well. It's almost as if someone just glommed a bunch of ideas together without a larger thought for how that data would be interpreted
I won't deny that the entry is confusing, however
That entry is where they talk about the address object limitations; the example that they gave with the limitation of 5000 entries is from a PA-3020.
I wouldn't say that the document is very well put together, and PA should update it accordingly, however it isn't to the point where you can't decifier what they were trying to relay. I will say that describing how PA does EBL does require a knowledge of the address object limitations on any particular device; as without that knowledge you could imagine that 4700 entries on an EBL would count as 4700 address objects, which would put PA-200s and PA-500s over the maximum amount of address objects they can process.
In PAN-OS 7.1 this feature was enhanced by adding 2 new types of lists you can add (URL and Domain).
With that release some articles were created that also cover the limits of EDL :
Hope these help.
Maybe I misunderstand something but we have made up an EDL from vxvault (URL List). We have configured this EDL to be blocked in the URL Profile. This URL Profile is then being used in the FW Security Policy.
But is seems access to the URL's in the list does not get blcoked we can still access them and it does not get blocked by the FW.
For example 188.8.131.52/~bemkmund/two/files/ne.exe
We have double checked above URL and it is in the EDL List.
Any ideas ?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!