EDL Capacity Increases

EDL enhancements in PAN-OS 9.0 include increased EDL capacity limits, list prioritization, and the ability to include subdomains and use exact matches and top-level entries.
An external dynamic list is a text file of IP addresses, domains, or URLs hosted on an external web server. You can configure the firewall to import an external dynamic list and to block or allow traffic based on the entries listed in the file. The following enhancements provide increased EDL capacity limits for select appliances and the flexibility to prioritize the lists so that your most important EDLs are committed before capacity limits are met. You can also configure domain EDLs to expand domain names to include subdomains, and use exact matches and top-level domain entries, to help you create more comprehensive domain lists.
Upgrade Information
  • As a best practice, Palo Alto Networks recommends using shared EDLs when multiple virtual systems are used. Using individual EDLs with duplicate entries for each vsys uses more memory, which might over-utilize firewall resources.
  • EDL entry counts on firewalls running multiple virtual systems take additional factors into account (such as DAGs, number of vsys, and rulebases) to generate a more accurate capacity consumption listing. This might result in a discrepancy in capacity usage after upgrading from PAN-OS 8.x releases.
  • Depending on the features enabled on the firewall, memory usage limits might be exceeded before EDL capacity limits are met due to memory allocation changes. As a best practice, Palo Alto Networks recommends reviewing EDL capacities and, when necessary, removing or consolidating EDLs into shared lists to minimize memory usage.
External Dynamic List Enhancement
Description
Increased Domain and URL EDL capacities.
The capacity limits for domain and URL EDLs have been substantially increased across the board for supported platforms. This increases the total number of allowable entries for domain and URL lists.
  1. Select Objects > External Dynamic Lists.
  2. Click List Capacities to compare how many IP addresses, domains, and URLs are currently used in policy with the total number of entries that the firewall supports for each list type.
    External dynamic list entry calculation improvements in PAN-OS 9.0 generate a more accurate consumption listing. These calculations take additional factors into account (such as DAGs, number of vsys, and rulebases); however, this might also result in a discrepancy in capacity usage compared with previous PAN-OS 8.x releases. Palo Alto Networks recommends reviewing EDL capacities and, when necessary, removing or consolidating EDLs into shared lists to minimize memory usage.
Prioritization of EDLs.
The EDLs in the Objects > External Dynamic Lists menu are shown top to bottom, in order of evaluation. Use the directional controls at the bottom of the page to change the list order. This allows you to reorder the lists to make sure the most important EDLs are committed before capacity limits are reached.
You cannot change the EDL order when Group By Type has been selected.
Automatically Expand Domains on a Per-List Basis
When enabled, this feature allows you to configure your domain EDLs to automatically include the subdomains of a specified domain. For example, if your domain list includes paloaltonetworks.com, all lower level components of the domain name (e.g., *.paloaltonetworks.com) will also be included as part of the list.
When this setting is enabled, each domain in a given list requires an additional entry, effectively doubling the number of entries that are consumed. You can check your capacity usage by clicking on List Capacities.
Domain List Enhancements
Domain lists now support use of exact matches and top-level domain entries.
This allows you to specify a single specific entry to match against a website, subdomains, and pages. You can also match against entire top-level domains, allowing you to add TLDs associated with malicious content to your EDLs.
  • (^)—Use carets (^) to indicate an exact match of a domain. For example, ^paloaltonetworks.com matches only paloaltonetworks.com. This entry does not match any other site.
  • (*)—Use (*) in front of a top-level domain to match all websites associated with the specified TLD. For example, *.work matches all websites ending with the TLD .work.
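The following is an added example (not Palo Alto Networks code) that models the three domain-entry forms described in the Domain List Enhancements bullets above, together with the per-list subdomain expansion and its doubling of consumed capacity from the Automatically Expand Domains section. The matching semantics it assumes are stated in the header comment; in particular, it assumes that only plain entries (not caret or TLD entries) consume the second capacity slot when expansion is enabled.

```python
# Added example (not Palo Alto Networks code): a small evaluator for the
# domain-EDL entry forms described on this page.  Assumed semantics:
#   "^example.com"  caret = exact match only
#   "*.work"        star before a TLD = every hostname ending in .work
#   "example.com"   plain entry = example.com itself; with the per-list
#                   "expand domains" option also every subdomain, at the
#                   cost of a second capacity entry (the doubling noted above)


def parse_domain_edl(text: str) -> list[tuple[str, str]]:
    """Parse EDL lines into (kind, value) pairs; kind is exact/tld/domain."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are skipped
        if line.startswith("^"):
            entries.append(("exact", line[1:]))
        elif line.startswith("*."):
            entries.append(("tld", line[1:]))  # keep the leading dot
        else:
            entries.append(("domain", line))
    return entries


def capacity_used(entries: list[tuple[str, str]], expand: bool) -> int:
    """Capacity consumed: plain domains count twice when expansion is on."""
    return sum(2 if kind == "domain" and expand else 1 for kind, _ in entries)


def matches(entries: list[tuple[str, str]], host: str, expand: bool) -> bool:
    """True if host is covered by any entry under the assumed semantics."""
    host = host.strip().lower().rstrip(".")
    for kind, value in entries:
        if kind == "exact" and host == value:
            return True
        if kind == "tld" and host.endswith(value):
            return True
        if kind == "domain" and (host == value or (expand and host.endswith("." + value))):
            return True
    return False


# Constructed sample list covering the three entry forms on this page.
SAMPLE_EDL = "^paloaltonetworks.com\n*.work\nexample.com\n"
```

Running `matches` against `www.paloaltonetworks.com` returns False even with expansion enabled, which is the caret behaviour the bullet above describes, while `capacity_used` rises from 3 to 4 once expansion is turned on.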
User Interface Enhancement
The description for the dropdown used to specify the frequency at which the firewall retrieves the EDL on the Objects > External Dynamic Lists > external_dynamic_list page has been changed from Repeat to Check for updates.