05-21-2026 01:22 AM
Hello,
We are reviewing an EDL-based IOC blocking architecture using Palo Alto Networks firewalls with Panorama and Cortex XDR.
Currently, IOC blocking is managed mainly with address objects/groups, but we are considering migrating to EDL-only management for operational simplicity and external emergency response through Cortex XDR.
I would appreciate any field experience or best practices regarding large-scale EDL operations.
Questions:
Has anyone operated EDLs at large scale (100K~150K entries)?
Any noticeable impact on performance, memory, CPU, policy lookup, or refresh processing?
If a refresh starts before the previous parsing job finishes, how is this internally handled?
(queueing, overlap prevention, atomic replacement, etc.)
If an EDL object is created in Panorama Shared context, do EDL content updates require Panorama push/commit to firewalls, or are updates automatically reflected after refresh?
Thank you.
05-21-2026 06:44 AM
What firewall model are you running?
Different models can support different amount of IPs from EDLs.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
