This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
Accept
Reject

Dynamic Block List - Limit on number of entries?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Dynamic Block List - Limit on number of entries?

networkadmin
L4 Transporter

‎07-27-2016 11:57 AM

I've been experimenting with MineMeld and love it - brilliant product 🙂

 

That said, I'm struggling to get a clear idea what the size limit is of each blocklist.

 

https://live.paloaltonetworks.com/t5/Learning-Articles/How-are-Dynamic-Block-List-Entries-Counted-on... suggests even a PA200 can handle a list with 50k entries but in the same article it suggests a PA3020 has a limit of just 5k entries.

 

What is the limit please?  For exampel the Alienvault reputation feed is approximately 16k entries.

 

Thanks 🙂

0 Likes Likes
13 REPLIES 13

TranceforLife
L6 Presenter

‎07-27-2016 12:21 PM

Hi,

 

Please see below:

 

https://live.paloaltonetworks.com/t5/Learning-Articles/Working-with-External-Block-List-EBL-Formats-...

 

For PA-200 depends of PAN-OS 

0 Likes Likes

networkadmin
L4 Transporter
In response to TranceforLife

‎07-27-2016 12:58 PM

Thanks, but that article doesn't make sense unless I'm totally misreading it.

 

When running PAN-OS 7.0.x on a PA-200, it can have:

  • A maximum of 10 External Block Lists
  • A maximum of 50000 IPs in all external lists combined. (1 list with 50000 IPs or 10 Lists with 5000 IPs both are supported)

OK so a PA200 can have 1 list with 50,000 IP's that's great but:

HardwareMaximum Address Entries

PA-200

PA-500

2500

PA-3020

5000

PA-3050

PA-3060

PA-5020

10000
PA-505040000

PA-5060

PA-7050

80000

 

So a PA3020 can only have 5000 entries whilst that table also states that a PA200 can only have 2500 entries.

 

Some of the reputation feeds out there can be 20k entries and it's hard to believe that a PA200 could use that but a PA3020 could not.

0 Likes Likes

TranceforLife
L6 Presenter
In response to networkadmin

‎07-27-2016 02:02 PM - edited ‎07-27-2016 02:02 PM

I am with you but cannot confirm as do not have any PA-200 on 7.0.X PAN-OS

 

Below output from our lab firewall:

 

BAS-LAB-PA-3050> show system state | match cfg.general.max-address

 

cfg.general.max-address: 10000
cfg.general.max-address-group: 1000
cfg.general.max-address-per-group: 2500
BAS-LAB-PA-3050>

 

 

Cheers 

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to networkadmin

‎07-27-2016 02:02 PM

YOu are confusing what the two graphs are actually saying. A PA firewall regardless of version can have 10 external block lists that compose no more than 50000 IPs in total. The graph at the very bottom states how many anddress groups can be on any one device. The EBL that you configure counts as one of these address groups, regardless of how many entries it actually has. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks