Palo Alto Networks Knowledgebase: Working with External Block List (EBL) Formats and Limitations

Created On 08/05/19 19:57 PM - Last Updated 08/05/19 20:11 PM
Resolution

Overview

Dynamic Block Lists (Objects > Dynamic Block Lists), introduced in PAN-OS 5.0, enable externally created lists of IP addresses to be imported and used as address objects in security policies. This document describes the formatting rules to follow when creating the text file for an IP address list.

Details

Each line of an EBL (External Block List) can be an IP address, IP range, or subnet (IPv6 is supported):

  • 192.168.20.10/32 indicates one IP address
  • 192.168.20.0/24 indicates the subnet
  • 192.168.20.40-192.168.20.50 indicates the IP range
  • 2001:db8:123:1::1 indicates one IP address
  • 2001:db8:123:1::/64 indicates the subnet

Notes:

  • Each line of an EBL is terminated with the newline character (LF). Windows format (CR-LF) is not supported.
  • Blocking URLs or FQDNs dynamically using EBL is not currently supported.
  • To view the last octet of the last IP address in the list on the firewall, the text file must end with a newline ("return") after the last IP address.
  • For a service route configuration, the EBL falls under the 'Palo Alto Updates' selection.

Helpful Commands:

  • Display the EBL on the CLI:

    > request system external-list show name <object name>

  • Request an EBL refresh from the CLI:

    > request system external-list refresh name <object name>

  • Display the status of an EBL refresh:

    > show jobs id <job id>

Additional information:

The following errors (from their respective commands) may be seen on the CLI:

> request system external-list show name <object name>
Server error : external list file not found.

or

> show jobs id <value>  (where <value> is an EBL refresh job) may return the error:
Warnings:
EBL(vsys1/test) Unable to fetch external list. Using old copy for refresh.

The above errors suggest that the issue may be with the web server that hosts the IP address list. However, in many cases the list was successfully retrieved ("Source URL is accessible" when testing in the GUI) but the Palo Alto Networks device was not able to read it. Verify that the source address points to a .txt file on an HTTP/HTTPS URL.

For example: https://www.example.com/blocklist.txt

An HTTPS location requires PAN-OS 5.0.10 or higher. On an earlier version, the Test URL option in the GUI may return an error even though the list is working properly.

Note: To see the list on the firewall, the DBL needs to be used in a policy.

The error may also appear if the security rule is not configured with a dynamic block list or if the target vsys is not set in a multi-vsys system.

  • To apply a dynamic block list to a security rule, see the following example (image: eblcorrect.jpg):
    The action should be set to 'Block' instead of 'Allow' for the rule with the EBL object as the destination.

  • To set the target vsys:

    > set system setting target-vsys <vsys1>

If the EBL (unshared EBL) is created on Panorama, then it should be applied to a pre-rule and pushed to the managed device with multiple vsys.

Note 1: The 'Palo Alto Updates' service route will affect the EBLs also.

Note 2: Prior to PAN-OS 6.1, lines with comments will be omitted when applied to the security policy. PAN-OS 6.1 and above will properly apply lines with comments included in them.

Example:

#test dbl
1.2.3.4
10.10.10.10
10.11.12.13 testingcommentsread here
10.12.12.14 #testingcommentsread here

> show running security-policy
TestDBL {
from trust-L3;
source any;
source-region none;
to untrust-L3;
destination [ 1.2.3.4 10.10.10.10 ];
destination-region none;
user any;
category any;
application/service any/any/any/any;
action allow;
terminal yes;
}

Note: If other errors are displayed when refreshing the EBL, turn on the management server debug and follow ms.log. If there is an issue with the format of the EBL list, it will be clearly noted in ms.log. The following shows example ms.log entries:

Feb 15 12:43:21 EBL entry(0xf30a77f0, 0xe0b6ac60, 0xe210b998 vsys1/test, 1, 0) Refresh job cancelled
Feb 15 12:43:21 EBL entry(0xf30a77f0, 0xe0b6ac60, 0xe210b998 vsys1/test, 1, 0) EBL Refresh job success
Feb 15 12:43:21 EBL ALLOC free timer (0xdbfbecb0, 1356)
Feb 15 12:43:21 EBL entry(0xf30a77f0, 0xe0b6ac60, 0xe210b998 vsys1/test, 1, 0) Releasing ebl
Feb 15 12:43:21 EBL ALLOC free size(0xe0b6ac60 1196)

Maximum number of External Block Lists and Address Entries Within Each List:

  • On PAN-OS 7.0.x and below, each Platform can have a maximum of 10 external block lists.
  • On PAN-OS 7.1.x and later, each Platform can have a maximum of 30 external block lists.
  • Each list can contain the maximum number of addresses supported by your firewall model minus 300.
  • Each EBL is counted as one address object and does not contribute towards the platform maximum for max-address, i.e. if the device maximum address is 5000, you can have 10 EBLs of size 4700 each and 4990 other address objects.

To see what your system has, enter the following command via the CLI. On a PA-200 the command and output should look like this:

> show system state | match cfg.general.max-address


cfg.general.max-address: 2500
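As an added example (not Palo Alto Networks code), the following Python checker applies the formatting rules from the Details section, the comment handling described in Note 2, and the per-list capacity rule (max-address minus 300) to a candidate list file before it is published; the sample list is constructed here and max_address is an assumed input, such as the 2500 shown for the PA-200 above.

```python
import ipaddress
import re

# Assumption: a "start-end" range is two addresses of the same IP version, start <= end.
_RANGE = re.compile(r"^([0-9a-fA-F:.]+)-([0-9a-fA-F:.]+)$")


def parse_entry(token):
    """Classify one entry as ('address'|'subnet'|'range', parsed); ValueError if malformed."""
    m = _RANGE.match(token)
    if m:
        start, end = ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))
        if start.version != end.version or start > end:
            raise ValueError("bad range: %s" % token)
        return "range", (start, end)
    if "/" in token:
        return "subnet", ipaddress.ip_network(token, strict=False)
    return "address", ipaddress.ip_address(token)


def check_ebl(data, max_address):
    """Validate raw EBL bytes; returns entries, commented line numbers, problems and the limit."""
    problems, entries, commented = [], [], []
    if b"\r\n" in data:
        problems.append("CR-LF line endings: Windows format is not supported")
    if data and not data.endswith(b"\n"):
        problems.append("missing newline after the last entry")
    for n, raw in enumerate(data.decode("ascii", "replace").split("\n"), 1):
        parts = raw.rstrip("\r").split(None, 1)  # CR stripped so entries are still listed
        if not parts or parts[0].startswith("#"):
            continue  # blank line or whole-line comment
        try:
            kind, _ = parse_entry(parts[0])
        except ValueError:
            problems.append("line %d: unparsable entry %r" % (n, parts[0]))
            continue
        entries.append((n, kind, parts[0]))
        if len(parts) > 1:  # trailing text: such lines are dropped from policy before PAN-OS 6.1
            commented.append(n)
    limit = max_address - 300  # per-list capacity: platform max-address minus 300
    if len(entries) > limit:
        problems.append("%d entries exceed the per-list limit of %d" % (len(entries), limit))
    return {"entries": entries, "commented": commented, "problems": problems, "limit": limit}


# Constructed sample: the comment example from this article plus a range and an IPv6 subnet.
SAMPLE = (b"#test dbl\n1.2.3.4\n10.10.10.10\n10.11.12.13 testingcommentsread here\n"
          b"10.12.12.14 #testingcommentsread here\n192.168.20.40-192.168.20.50\n"
          b"2001:db8:123:1::/64\n")
```

Running check_ebl(SAMPLE, 2500) reports no problems and flags lines 4 and 5 as commented, which matches the policy output above where only 1.2.3.4 and 10.10.10.10 were applied.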

 

Here is a table showing the hardware and the maximum address entries:

  Hardware                              Maximum Address Entries
  PA-200, PA-220, PA-500, PA-820        2500
  PA-850                                3500
  PA-3020                               5000
  PA-3050, PA-3060, PA-5020             10000
  PA-5050, PA-5220                      40000
  PA-5060, PA-5250, PA-5260, PA-7050    80000

When running PAN-OS 7.0.x and below on a PA-200, it can have:

  • A maximum of 10 External Block Lists
  • A maximum of 50000 IPs in all external lists combined (1 list with 50000 IPs or 10 lists with 5000 IPs each are both supported)

If you use more than 10 EBLs in a device you will see the following error during commit:

      Exceeding max number of supported external block lists (10)

Note: If you are pushing shared EBL objects from Panorama to a device with multiple vsys enabled, you may run into an issue where each EBL is counted once per vsys. For example, if you created 10 vsys #1 specific EBLs and then another 10 vsys #2 specific EBLs, the push to the firewall will fail since it exceeds the 10 External Block List limit of PAN-OS 7.0.x and below. An architectural change in PAN-OS 7.1 resolved this issue.

If the number of entries exceeds the total capacity, you will see the following error in the system logs:

      EBL(<ebl-name>) Exceeding max number of ips at line XXXX


