How to reduce the number of EDLs configured on the firewall

Created On 03/22/23 19:45 PM - Last Modified 08/23/23 18:41 PM


Objective


  • Check whether the firewall is nearing or has reached its maximum number of custom lists for EDLs
  • Reduce the number of EDLs configured on a firewall


Environment


  • NGFW
  • External Dynamic Lists (EDLs)


Procedure


  1. Check the maximum number of External Dynamic Lists (EDLs) the firewall supports, using any of the following:
     a. The firewall CLI:
        admin@PA-VM> show system state filter cfg.general.max-edl-objs
        cfg.general.max-edl-objs: 30
     b. The Product Comparison Tool, which lists the maximum number of custom lists (see the EDL section)
     c. For VM-Series firewalls, Maximum Limits Based on Tier and Memory (see the EDL section)
  2. Navigate to Objects > External Dynamic Lists and count the EDLs configured (excluding Predefined lists)
     (Screenshot: Firewall Web GUI showing the Objects > External Dynamic Lists page items)
     Note: on a multi-vsys firewall, add up the number of items listed under each vsys to get the total number of EDLs configured on the firewall
  3. Delete any unnecessary or unused EDLs from Objects > External Dynamic Lists


Additional Information


For more information on configuring EDLs and on what counts toward the maximum, see the following:
PAN-OS® Administrator’s Guide - External Dynamic List
PAN-OS Web Interface Help - Objects > External Dynamic Lists
PAN-OS® Administrator’s Guide - Use an External Dynamic List in Policy
PAN-OS® Administrator’s Guide - Configure the Firewall to Access an External Dynamic List
PAN-OS® Administrator’s Guide - Enforce Policy on an External Dynamic List

Note: List entries only count toward the firewall limits if they belong to an external dynamic list that is referenced in policy. This can be verified under Objects > External Dynamic Lists > List Capacities, or with the CLI command: > request system external-list list-capacities

If you perform a Commit while the number of EDLs configured exceeds the maximum, you may see the following Commit Error:
Commit Error:
Exceeded maximum number of external dynamic lists.
Current external list count IP:12 Domain:1 URL:3
Candidate external list count IP:19 Domain:1 URL:11
Failed to refresh EDL config
Commit failed

(Screenshot: Commit Error showing that the maximum number of custom lists configured has been exceeded and the commit failed)
Additionally, you may find the following error in ms.log:

> less mp-log ms.log
2020-02-20 19:48:29.390 -0800 Error: pan_ebl_cfg_load_new_config(pan_cfg_ebl.c:6332): EDL Exceeded maximum number of external dynamic lists. Current external list count IP:10 Domain:0 URL:0 Candidate external list count IP:31 Domain:0 URL:0
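The following script, added here as an example and not part of the article or of PAN-OS itself, parses the capacity output and the commit / ms.log error messages shown above, sums the candidate counts per list type, and reports how many EDLs must be removed before a commit will succeed; the sample strings are constructed from the outputs in this article, and the per-vsys totals are assumed values.

```python
import re

# Constructed samples, modelled on the CLI output and error messages shown in this article.
MAX_EDL_OUTPUT = "cfg.general.max-edl-objs: 30\n"

COMMIT_ERROR = """Commit Error:
Exceeded maximum number of external dynamic lists.
Current external list count IP:12 Domain:1 URL:3
Candidate external list count IP:19 Domain:1 URL:11
Failed to refresh EDL config
Commit failed
"""

MS_LOG_LINE = ("2020-02-20 19:48:29.390 -0800 Error: pan_ebl_cfg_load_new_config(pan_cfg_ebl.c:6332): "
               "EDL Exceeded maximum number of external dynamic lists. "
               "Current external list count IP:10 Domain:0 URL:0 "
               "Candidate external list count IP:31 Domain:0 URL:0")


def parse_max_edl(cli_output: str) -> int:
    """Extract the EDL limit from 'show system state filter cfg.general.max-edl-objs'."""
    m = re.search(r"cfg\.general\.max-edl-objs:\s*(\d+)", cli_output)
    if not m:
        raise ValueError("cfg.general.max-edl-objs not found in CLI output")
    return int(m.group(1))


def parse_list_counts(text: str, which: str) -> dict:
    """Parse the IP/Domain/URL counts for 'Current' or 'Candidate' from a commit error or ms.log line."""
    m = re.search(rf"{which} external list count\s+IP:(\d+)\s+Domain:(\d+)\s+URL:(\d+)", text)
    if not m:
        raise ValueError(f"{which} external list count not found")
    return {"IP": int(m.group(1)), "Domain": int(m.group(2)), "URL": int(m.group(3))}


def edls_over_limit(counts: dict, max_edl: int) -> int:
    """Number of EDLs that must be removed for the config to fit (0 if it already fits)."""
    return max(0, sum(counts.values()) - max_edl)


def total_across_vsys(per_vsys: dict) -> int:
    """On a multi-vsys firewall the configured total is the sum over every vsys."""
    return sum(per_vsys.values())


if __name__ == "__main__":
    limit = parse_max_edl(MAX_EDL_OUTPUT)
    candidate = parse_list_counts(COMMIT_ERROR, "Candidate")
    print(f"limit={limit} candidate={candidate} remove={edls_over_limit(candidate, limit)}")
    print("multi-vsys total (assumed counts):", total_across_vsys({"vsys1": 10, "vsys2": 12}))
```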

