What is the Fully Qualified Domain Name (FQDN) Object Limit?

Created On 09/25/18 19:20 PM - Last Modified 09/21/20 21:34 PM


The current maximum limit on FQDN objects is 2000 for the smaller platforms and all VM-series, 2048 for the PA-3200 series, and 6144 for all the large platforms.
The number of IP addresses a single FQDN object can hold is hardcoded to 10 in PAN-OS 7.0 and earlier releases, and to 32 in PAN-OS 7.1 and later releases. Addresses beyond that limit are silently dropped from the object.

  • PAN-OS (any release).
  • Palo Alto Networks firewalls.
  • FQDN object configuration.


An example on PAN-OS 7.0 or lower is shown below. The domain name fqdntest.pantac.lab has 11 IP addresses assigned to it.

[Screenshot: DNS lookup showing the 11 IP addresses of fqdntest.pantac.lab]

On a firewall running PAN-OS 7.0 or lower, only 10 of those entries are seen, because the per-object limit has been reached and the 11th address is dropped. The entry limit is 32 in PAN-OS 7.1 and higher.

[Screenshot: FQDN object on the firewall showing only 10 resolved entries]


If more than 32 addresses are needed, a script can be used to generate a Dynamic Block List (called an External Dynamic List in PAN-OS 7.1 and higher). That list is then referenced in security policy in place of the FQDN object; it is not subject to the FQDN object limit.

A possible script on Linux/macOS would be:

host fqdntest.pantac.lab | grep 'has address' | awk '{print $4}' > fqdn_list.txt

Matching on 'has address' rather than just 'has' restricts the output to A records (for "has IPv6 address" lines the fourth field is the word "address", not an IP), and writing with > instead of >> regenerates the file on every run so that stale addresses do not accumulate.

The fqdn_list.txt file will contain all the IP addresses that are associated with fqdntest.pantac.lab:

[Screenshot: contents of fqdn_list.txt, one IP address per line]

Make that file available on an HTTP server and configure a Dynamic Block List on the firewall:

In the GUI, go to Objects > Dynamic Block Lists (Objects > External Dynamic Lists in PAN-OS 7.1 and higher) and point the list at the URL of fqdn_list.txt:

[Screenshot: Dynamic Block List configuration pointing at the hosted fqdn_list.txt]


Use that list object in Security Policies. To verify which IP addresses the firewall has actually loaded from the list, use the following command (the name is the name of the list object, not the domain):

> request system external-list show name fqdntest.pantac.lab   (7.0 or below)
> request system external-list show type ip name fqdntest.pantac.lab  (7.1 and higher)
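A more complete version of the list-generation script, added here as an example and not part of the original article or of any Palo Alto Networks tool: it parses both the "has address" (A) and "has IPv6 address" (AAAA) lines that host prints, de-duplicates them, writes the file atomically so the firewall never fetches a half-written list, and reports whether the address count exceeds the FQDN object limit for a given PAN-OS release (10 up to 7.0, 32 from 7.1). The output path and the release strings are assumptions for illustration; the script assumes host is on the PATH and has DNS access.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Builds an EDL file for one FQDN.
set -eu

# Read `host` output on stdin and print one IP per line, de-duplicated.
# `host` prints "NAME has address A.B.C.D" (IP is field 4) and
# "NAME has IPv6 address X::Y" (IP is field 5). Other record types
# (MX, CNAME, ...) are ignored.
parse_host_output() {
    awk '
        /has address/      { print $4 }
        /has IPv6 address/ { print $5 }
    ' | sort -u
}

# Resolve FQDN $1, write the list to file $2 and print the address count.
# The list is written to a temp file in the same directory and then renamed,
# so an HTTP client (the firewall) only ever sees a complete file.
build_edl() {
    fqdn="$1"
    out="$2"
    tmp="$(mktemp "${out}.XXXXXX")"
    host "$fqdn" | parse_host_output > "$tmp"
    mv -f "$tmp" "$out"
    wc -l < "$out" | tr -d ' '
}

# Succeed (exit 0) when address count $1 exceeds the FQDN object limit of
# PAN-OS release $2: 10 for 7.0 and earlier, 32 for 7.1 and later.
# Release strings such as "7.0", "8.1" are assumed example inputs.
needs_edl() {
    count="$1"
    release="$2"
    case "$release" in
        [0-6].*|7.0*) limit=10 ;;
        *)            limit=32 ;;
    esac
    [ "$count" -gt "$limit" ]
}

# Usage (requires DNS; /var/www/html is an assumed web root):
#   n=$(build_edl fqdntest.pantac.lab /var/www/html/fqdn_list.txt)
#   if needs_edl "$n" 8.1; then echo "use the EDL"; else echo "an FQDN object suffices"; fi
```

Run it from cron so the file is regenerated at least as often as the firewall's EDL refresh interval; otherwise the list lags behind DNS changes. Because host exits non-zero on NXDOMAIN but the pipeline's status is that of sort, check the resulting count before replacing a previously good list if an empty list would open or close traffic unexpectedly.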



Additional Information
For additional details on the configuration, refer to the External Dynamic Lists documentation.

