How to verify if the firewall is nearing or has reached its maximum capacity of URLs or IP Addresses in External Dynamic Lists

Created On 03/23/23 23:58 PM - Last Modified 01/16/25 23:02 PM


Objective


  • Check whether the firewall is nearing or has reached its 'Maximum Number of IPs/URLs per System'
  • Reduce the number of URLs and/or IPs within the EDLs configured on a firewall
  • In Cloud NGFW for Azure and Cloud NGFW for AWS, EDLs are referred to as Intelligent Feeds


Environment


  • NGFW
  • External Dynamic Lists (EDLs)
  • Security Policy


Procedure


  1. Check the maximum capacity of Max IPs per System or Max URLs per System for your firewall model:
    1. Using the firewall CLI:
       > show system state filter cfg.general.max-edl-ip
       cfg.general.max-edl-ip: 50000
       > show system state filter cfg.general.max-edl-url
       cfg.general.max-edl-url: 50000
    2. Use the Product Comparison Tool to find the Max IPs per System and Max URLs per System (see the EDL section).
    3. For VM-Series firewalls, see Maximum Limits Based on Tier and Memory (see the EDL section).
    4. For Cloud NGFW for Azure, see Maximum Limit per Cloud NGFW Resource (see 'IP addresses across all feeds').
    5. For Cloud NGFW for AWS, see Maximum Limit per Cloud NGFW Resource (see 'IP addresses across all feeds').
  2. Verify whether the firewall is nearing or has reached its Total Capacity for any list type:
    1. Navigate to Objects > External Dynamic Lists > click List Capacities.
       Screenshot of Objects > External Dynamic Lists > List Capacities button
    2. Using the firewall CLI:
       > request system external-list list-capacities

       List Type               Currently used in policy        Total Capacity
       IP                      0                               50000
       Domain                  0                               50000
       URL                     0                               50000
       IMSI/IMEI               0                               2000
       Predefined-IP           6631                            50000
    Note: List entries count toward the maximum only if the external dynamic list is used in policy. If you exceed the maximum number of entries the model supports, the firewall generates a System Log and skips the entries that exceed the limit.
  3. Discover which EDL contains a high number of (or any unused or unnecessary) IP or URL entries by viewing the External Dynamic List entries:
    1. Navigate to Objects > External Dynamic Lists > edit the EDL > click List Entries and Exceptions.
       Screenshot of the Objects > External Dynamic Lists Web UI page where you can view EDL IP or URL List Entries
  4. Go to the EDL source (not on the firewall) and delete any unnecessary or unused entries from that list.
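The capacity check in step 2 can be automated against the CLI output. The following script is an added example, not part of this article or any Palo Alto Networks tool: it parses the table printed by `request system external-list list-capacities` and flags each list type as ok, nearing, or reached. The sample table is constructed (the IP and URL rows differ from the article's output so that both conditions appear), and the 80% warning threshold is an assumed value.

```python
import re

# Constructed sample of the "request system external-list list-capacities"
# table. The IP and URL rows are altered from the article's example so that
# one list is nearing its limit and one has reached it.
SAMPLE_OUTPUT = """\
List Type               Currently used in policy        Total Capacity
IP                      41250                           50000
Domain                  0                               50000
URL                     50000                           50000
IMSI/IMEI               0                               2000
Predefined-IP           6631                            50000
"""

# One data row: list type, entries used in policy, total capacity.
# The header line does not match because its second field is not numeric.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")


def parse_list_capacities(output):
    """Return {list_type: (used, capacity)} parsed from the CLI table."""
    rows = {}
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows


def check_capacity(rows, warn_ratio=0.8):
    """Classify each list as 'ok', 'nearing' (>= warn_ratio) or 'reached'.

    warn_ratio is an assumed threshold; the firewall skips entries beyond
    the limit, so 'used' never exceeds 'capacity' and equality means reached.
    """
    status = {}
    for list_type, (used, cap) in rows.items():
        if used >= cap:
            status[list_type] = "reached"
        elif used >= warn_ratio * cap:
            status[list_type] = "nearing"
        else:
            status[list_type] = "ok"
    return status


if __name__ == "__main__":
    rows = parse_list_capacities(SAMPLE_OUTPUT)
    for list_type, state in check_capacity(rows).items():
        used, cap = rows[list_type]
        print(f"{list_type:15} {used:>6}/{cap:<6} {state}")
```

Feed it the real output of the CLI command instead of SAMPLE_OUTPUT to get the same classification for a live firewall.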


Additional Information


If using Cloud NGFW for Azure or Cloud NGFW for AWS, go to the Intelligent Feed source and view the contents of the Intelligent Feed there.


