Dynamic Block List - Limit on number of entries?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dynamic Block List - Limit on number of entries?

L4 Transporter

I've been experimenting with MineMeld and love it - brilliant product 🙂

 

That said, I'm struggling to get a clear idea what the size limit is of each blocklist.

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-are-Dynamic-Block-List-Entries-Counted-on... suggests even a PA200 can handle a list with 50k entries but in the same article it suggests a PA3020 has a limit of just 5k entries.

 

What is the limit please?  For exampel the Alienvault reputation feed is approximately 16k entries.

 

Thanks 🙂

13 REPLIES 13

L6 Presenter

Thanks, but that article doesn't make sense unless I'm totally misreading it.

 

When running PAN-OS 7.0.x on a PA-200, it can have:

  • A maximum of 10 External Block Lists
  • A maximum of 50000 IPs in all external lists combined. (1 list with 50000 IPs or 10 Lists with 5000 IPs both are supported)

OK so a PA200 can have 1 list with 50,000 IP's that's great but:

HardwareMaximum Address Entries

PA-200

PA-500

2500

PA-3020

5000

PA-3050

PA-3060

PA-5020

10000
PA-505040000

PA-5060

PA-7050

80000

 

So a PA3020 can only have 5000 entries whilst that table also states that a PA200 can only have 2500 entries.

 

Some of the reputation feeds out there can be 20k entries and it's hard to believe that a PA200 could use that but a PA3020 could not.

I am with you but cannot confirm as do not have any PA-200 on 7.0.X PAN-OS

 

Below output from our lab firewall:

 

BAS-LAB-PA-3050> show system state | match cfg.general.max-address

 

cfg.general.max-address: 10000
cfg.general.max-address-group: 1000
cfg.general.max-address-per-group: 2500
BAS-LAB-PA-3050>

 

 

Cheers 

YOu are confusing what the two graphs are actually saying. A PA firewall regardless of version can have 10 external block lists that compose no more than 50000 IPs in total. The graph at the very bottom states how many anddress groups can be on any one device. The EBL that you configure counts as one of these address groups, regardless of how many entries it actually has. 

@BPry I don't agree.

 

Both areas use the terminology external lists.  Neither say address groups.

 

 

I'm not saying your understanding or interpretation is not accurate.  I'm just saying that the verbiage is confusing to me as well.

 

You have a "bolded" heading saying:

 

Maximum number of External Block Lists and Address Entries Within Each List

 

Under that you have a chart saying max entries for a 200 is 2,500.  And max entries for a 5060 is 80,000.

 

 

 

Below all of that you have a caveat that says *If* running a specific PAN-OS version on a given hardware platform your cap is "X" or "50000 IPs" for an external list.

 

To me they're saying the same things but using different values.  It is confusing to me as well.  It's almost as if someone just glommed a bunch of ideas together without a larger thought for how that data would be interpreted 

Thanks Brandon, tbh it's a dog of a badly worded article but if 50k is the magic number that's all I need to know 🙂

I won't deny that the entry is confusing, however 

  • Each EBL is counted as one address object and does not contribute towards the platform maximum for max-address, i.e. if the device maximum address is 5000, you can have 10 EBLs of size 4700 each and 4990 other address-objects.

 That entry is where they talk about the address object limitations; the example that they gave with the limitation of 5000 entries is from a PA-3020. 

 

I wouldn't say that the document is very well put together, and PA should update it accordingly, however it isn't to the point where you can't decifier what they were trying to relay. I will say that describing how PA does EBL does require a knowledge of the address object limitations on any particular device; as without that knowledge you could imagine that 4700 entries on an EBL would count as 4700 address objects, which would put PA-200s and PA-500s over the maximum amount of address objects they can process. 

Community Team Member

Hi,

 

In PAN-OS 7.1 this feature was enhanced by adding 2 new types of lists you can add (URL and Domain).  

With that release some articles were created that also cover the limits of EDL :

 

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Videos/PAN-OS-7-1-URL-Filtering-Dynamic-Block-List-E...

https://live.paloaltonetworks.com/t5/PAN-OS-7-1-Articles/PAN-OS-7-1-Custom-DNS-signatures-block-list...

 

Hope these help.

Kim.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Maybe I misunderstand something but we have made up an EDL from vxvault (URL List). We have configured this EDL to be blocked in the URL Profile. This URL Profile is then being used in the FW Security Policy.

But is seems access to the URL's in the list does not get blcoked we can still access them and it does not get blocked by the FW.

 

For example 182.255.5.201/~bemkmund/two/files/ne.exe

 

We have double checked above URL and it is in the EDL List.

Any ideas ?

 

Thanks

Roland

URL Filtering is a little complex in the format requirements; I would double check that you actually have things formatted correctly for that site. If you don't mind posting the actual URL listed we can help double check that everything is formatted correctly. 

You see the URL in my previous post..

I am reviving this since i have the problem and seems hard to find the correct answer. But PA support told me to run on my 3020 the following command:

admin@PA3020PRI(active-primary)> request system external-list list-capacities

List Type Currently used in policy Total Capacity
IP 50000 50000
Domain 954 50000
URL 50000 50000
Predefined-IP 613 20000

 

as you can see there is a limit of 50000 ip whether you have 1 or 10 EDLs created you could have 1 EDL with 10000IPs and another with 40000 and you would hit your limit. seems shortsighted in my opinion since most of us would want to ingest threat intelligence from different providers we might be in business with, ALienVault for example had 80000IPs and i could only ingest 50000.

  • 15925 Views
  • 13 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!