EDL Capacity Increases
EDL enhancements in PAN-OS 9.0 include increased EDL
capacity limits, list prioritization, and the ability to include
subdomains and use exact matches and top-level entries.
An external dynamic list is a text file of
IP addresses, domains, or URLs hosted on an external web server.
You can configure the firewall to import an external dynamic list
and to block or allow traffic based on the entries listed in the
file. The following enhancements provide increased EDL capacity
limits for select appliances and the flexibility to prioritize the
list in order to make sure your most important EDLs are committed
before capacity limits are met. Moreover, you can now configure
domain EDLs to expand domain names to include their subdomains, and
you can use exact matches and top-level domain entries to help you
create more comprehensive domain lists.
Upgrade Information
- As a best practice, Palo Alto Networks recommends using shared EDLs when multiple virtual systems are used. Using individual EDLs with duplicate entries for each vsys uses more memory, which might over-utilize firewall resources.
- EDL entry counts on firewalls operating multi-virtual systems take additional factors into account (such as DAGs, number of vsys, rules bases) to generate a more accurate capacity consumption listing. This might result in a discrepancy in capacity usage after upgrading from PAN-OS 8.x releases.
- Depending on the features enabled on the firewall, memory usage limits might be exceeded before EDL capacity limits are met due to memory allocation changes. As a best practice, Palo Alto Networks recommends reviewing EDL capacities and, when necessary, removing or consolidating EDLs into shared lists to minimize memory usage.
External Dynamic List Enhancement | Description |
---|---|
Increased Domain and URL EDL capacities. | The capacity limits for domain and URL EDLs have been substantially increased across the board for supported platforms. This increases the total number of allowable entries for domain and URL lists. |
Prioritization of EDLs. | The EDLs in the Objects > External Dynamic Lists menu are shown top to bottom, in order of evaluation. Use the directional controls at the bottom of the page to change the list order. This allows you to reorder the lists to make sure the most important EDLs are committed before capacity limits are reached. Note: you cannot change the EDL order when Group By Type has been selected. |
Automatically Expand Domains on a Per-List Basis | When enabled, this feature allows you to configure your domain EDLs to automatically include the subdomains of a specified domain. For example, if your domain list includes paloaltonetworks.com, all lower level components of the domain name (e.g., *.paloaltonetworks.com) will also be included as part of the list. When this setting is enabled, each domain in a given list requires an additional entry, effectively doubling the number of entries that are consumed. You can check your capacity usage by clicking on List Capacities. |
Domain List Enhancements | Domain lists now support use of exact matches and top-level domain entries. This allows you to specify a single specific entry to match against a website, subdomains, and pages. You can also match against entire top-level domains, allowing you to add TLDs associated with malicious content to your EDLs. |
User Interface Enhancement | The description for the dropdown used to specify the frequency at which the firewall retrieves the EDL on the Objects > External Dynamic Lists page has been changed from Repeat to Check for updates. |
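The capacity accounting described in the table (each expanded domain consuming two entries) and the top-to-bottom commit order can be planned for before a commit. The following is an added planning example, not PAN-OS code or its EDL parser: the capacity figure, the list contents and the rule that a list which does not fit is skipped whole are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Constructed placeholder; the real per-platform limit is shown under List Capacities.
ASSUMED_DOMAIN_CAPACITY = 12


@dataclass
class DomainEDL:
    name: str
    domains: list
    expand_subdomains: bool = False  # "Automatically Expand Domains" setting

    def entries_consumed(self) -> int:
        # With expansion enabled each domain needs one extra entry
        # (covering *.domain), doubling the entries the list consumes.
        return len(self.domains) * (2 if self.expand_subdomains else 1)

    def matches(self, fqdn: str) -> bool:
        # Models the documented behaviour: a plain entry matches the domain
        # itself; with expansion on, every subdomain of it matches as well.
        fqdn = fqdn.lower().rstrip(".")
        for entry in self.domains:
            entry = entry.lower().rstrip(".")
            if fqdn == entry:
                return True
            if self.expand_subdomains and fqdn.endswith("." + entry):
                return True
        return False


def plan_commit(edls, capacity=ASSUMED_DOMAIN_CAPACITY):
    """Walk lists in their configured order; assumption: a list that would
    exceed the remaining capacity is skipped whole (simplification)."""
    used, committed, skipped = 0, [], []
    for edl in edls:
        need = edl.entries_consumed()
        if used + need <= capacity:
            used += need
            committed.append(edl.name)
        else:
            skipped.append(edl.name)
    return committed, skipped, used


# Constructed sample lists in configured (top-to-bottom) order.
CRITICAL = DomainEDL("critical-block", ["bad.example", "evil.test", "c2.invalid"], True)
SECONDARY = DomainEDL("vendor-feed", ["a.example", "b.example", "c.example", "d.example"])
BULK = DomainEDL("bulk-feed", [f"host{i}.example" for i in range(10)], True)

if __name__ == "__main__":
    print(plan_commit([CRITICAL, SECONDARY, BULK]))
```

Reordering the lists (for example moving the bulk feed to the top) changes which lists fit, which is the reason the prioritization controls exist.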