Working with External Block List (EBL) Formats and Limitations
Dynamic Block Lists (Objects > Dynamic Block Lists), introduced in PAN-OS 5.0, enables externally created lists of IP addresses to be imported and used as address objects in security policies. This document describes formatting rules to consider when creating the text file for an IP address list.
Each line of an EBL (External Block List) can be an IP address, IP range, or subnet (IPv6 is supported):
- 192.168.20.10/32 indicates one IP address
- 192.168.20.0/24 indicates the subnet
- 192.168.20.40-192.168.20.50 indicates the IP range
- 2001:db8:123:1::1 indicates on IP address
- 2001:db8:123:1::/64 indicates the subnet
- Each line of an EBL is terminated with the newline character (LF). Windows format (CR-LF) is not supported.
- Blocking URLs or FQDNs dynamically using EBL is not currently supported.
- To view the last octet of the last ip-address in the list on the firewall, there needs to be an "return" after the last ip-address in the text file.
- For a service route configuration, the EBL falls under the 'Palo Alto Updates' selection.
- Display the EBL on the CLI:
> request system external-list show name <object name>
- Request an EBL refresh from the CLI:
> request system external-list refresh name <object name>
- Display the status of an EBL refresh:
> show jobs id <job id>
The following errors (from their respective commands) may be seen on the CLI:
> request system external-list show name <object name>
Server error : external list file not found.
> show jobs id <value> (where <value> is a EBL refresh job) may return the error:
EBL(vsys1/test) Unable to fetch external list. Using old copy for refresh.
The above errors suggest that the issue may be with the web server that hosts the IP address list. However, in many cases, the list was successfully retrieved ("Source URL is accessible" when testing in the GUI), but the Palo Alto Networks device was not able to read it. Verify that the source address is pointing to a .txt file on a HTTP/HTTPS url.
For example: https://www.example.com/blocklist.txt
Please make sure an HTTPS location is on PAN-OS 5.0.10 or higher. If running an earlier version, the Test URL option in the GUI may return an error, although it is working properly.
Note: To see the list on the firewall, the DBL needs to be used in a policy.
The error may also appear if the security rule is not configured with a dynamic block list or if the target vsys is not set in multi-vsys system.
- To apply a dynamic block list to a security rule, see the following example:
The action should be set to 'Block' instead of 'Allow' for the rule with the EBL object as the destination.
- To set the target vsys:
> set system setting target-vsys <vsys1>
If the EBL (unshared EBL) is created on Panorama, then it should be applied to a pre-rule and pushed to the managed device with multiple vsys.
Note 1: The 'Palo Alto Updates' service route will affect the EBLs also.
Note 2: Prior to PAN-OS 6.1, lines with comments will be ommited when applied to the security policy. 6.1 and above will properly apply lines with comments included in them.
10.11.12.13 testingcommentsread here
10.12.12.14 #testingcommentsread here
> show running security-policy
destination [ 220.127.116.11 10.10.10.10 ];
Note: If other errors are displayed when refreshing the EBL, the management server debug can be turned on and ms.log can be followed. If there is an issue with the format of the EBL list, it will be clearly noted in the ms.log. The following shows example ms.log file entries:
Feb 15 12:43:21 EBL entry(0xf30a77f0, 0xe0b6ac60, 0xe210b998 vsys1/test, 1, 0) Refresh job cancelled
Feb 15 12:43:21 EBL entry(0xf30a77f0, 0xe0b6ac60, 0xe210b998 vsys1/test, 1, 0) EBL Refresh job success
Feb 15 12:43:21 EBL ALLOC free timer (0xdbfbecb0, 1356)
Feb 15 12:43:21 EBL entry(0xf30a77f0, 0xe0b6ac60, 0xe210b998 vsys1/test, 1, 0) Releasing ebl
Feb 15 12:43:21 EBL ALLOC free size(0xe0b6ac60 1196)
Maximum number of External Block Lists and Address Entries Within Each List:
- On PAN-OS 7.0.x and below, each Platform can have a maximum of 10 external block lists.
- On PAN-OS 7.1.x and later, each Platform can have a maximum of 30 external block lists.
- Each list can contain the maximum number of addresses supported by your firewall model minus 300.
- Each EBL is counted as one address object and does not contribute towards the platform maximum for max-address, i.e. if the device maximum address is 5000, you can have 10 EBLs of size 4700 each and 4990 other address-objects.
To see what your system has, please enter the following command via the CLI:
On a PA-200 the command and output should lool like this:
> show system state | match cfg.general.max-address
Here is a graph showing the hardware and the maximum address entries:
|Hardware||Maximum Address Entries|
When running PAN-OS 7.0.x and below on a PA-200, it can have:
- A maximum of 10 External Block Lists
- A maximum of 50000 IPs in all external lists combined. (1 list with 50000 IPs or 10 Lists with 5000 IPs both are supported)
If you use more than 10 EBLs in a device you will see the following error during commit:
Exceeding max number of supported external block lists (10)
Note: If you are pushing shared EBL objects from Panorama to a device with multiple Vsys enabled, you may run into an issue where each EBL is counted once per Vsys. For example, if you created 10 Vsys #1 specific EBLs, and then another 10 Vsys #2 specific EBLs, the push to the firewall will fail since it exceeds the 10 External Block List limit of PAN-OS 7.0.x and below. This was an issue that an architectual change has resolved in PAN-OS 7.1.
If the number of entried exceed the total number of capacity, you can see the following error in system logs:
EBL(<ebl-name>) Exceeding max number of ips at line XXXX