Pa-400 series on pan os 11 & later accept 100K Ip now #7

Open
nrgneilo opened this issue Nov 25, 2024 · 5 comments
Comments

@nrgneilo

Please update or create a new URL for 100K IPs for the PA-400 series. PA-400 series on PAN-OS 11 & later accepts 100K IPs and 1M URLs.

https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list

Thanks.

@nrgneilo nrgneilo changed the title Pa-400 series on pan os 11 $ later accept 100K Ip now Pa-400 series on pan os 11 & later accept 100K Ip now Nov 25, 2024
@romainmarcoux
Owner

Thank you for helping me improve the project.

Are you sure that the limit of the total number of IP addresses for entry-level Palo Alto FW has been increased to 100,000? Are you not confusing it with the maximum number of URLs?

On the link you provide, I still read: "IP address—The PA-3200 Series, PA-5200 Series, and the PA-7000 Series firewalls support a maximum of 150,000 total IP addresses; all other models support a maximum of 50,000 total IP addresses. No limits are enforced for the number of IP addresses per list. When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message. The IP addresses in predefined IP address lists do not count toward the limit."

@nrgneilo
Author

Good catch! I'm mistaken. Yeah, restricted to 50K IPs. Sorry, I thought the URL section was IPs. That's too bad.

@romainmarcoux
Owner

Yes, it's a shame. That's why I'm keeping the full-40k file.
FortiGates have much higher limits.

@nrgneilo
Author

From my understanding, the FW will only use up to 50k IPs, say in an auto IP block, at one time.

"When the maximum supported IP address limit is reached on the firewall, the firewall generates a syslog message. The IP addresses in predefined IP address lists do not count toward the limit."

Sounds like you can still have the entire list? I will confirm with PA.

@romainmarcoux
Owner

I agree that the wording of the sentence is not explicit.
You can test on a PAN-OS FW by adding the full-aa and full-ab segments (131k IPs each) and seeing whether it is 50k IPs per segment or 50k IPs in total that are taken into account.
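As an added example (not code from this repository or from Palo Alto Networks), a small Python helper that applies the per-model limits quoted above to a feed before it is published: it parses an IP-type EDL, counts the entries the firewall would load, and splits an oversized list into segments such as the full-aa/full-ab ones mentioned. It assumes that each entry (single IP, CIDR block or range) counts once toward the limit and that `#` begins a comment; verify both against your PAN-OS release.

```python
import ipaddress
import re

# Limits as quoted from the PAN-OS 11.1 admin guide in this thread: PA-3200, PA-5200 and
# PA-7000 series load 150,000 total IP entries; all other models load 50,000.
HIGH_LIMIT_SERIES = {3200, 5200, 7000}

def model_series(model: str) -> int:
    """Map a model name such as 'PA-440' or 'PA-3220' to its series number (400, 3200, ...)."""
    m = re.search(r"PA-(\d{3,4})", model.upper())
    if not m:
        raise ValueError(f"unrecognised model name: {model!r}")
    digits = m.group(1)
    keep = 2 if len(digits) == 4 else 1  # PA-3220 -> 32xx, PA-440 -> 4xx
    return int(digits[:keep]) * 10 ** (len(digits) - keep)

def edl_ip_limit(model: str) -> int:
    """Documented maximum number of EDL IP entries the firewall loads in total."""
    return 150_000 if model_series(model) in HIGH_LIMIT_SERIES else 50_000

def parse_ip_edl(text: str) -> list[str]:
    """Return the well-formed entries (single IP, CIDR block or IP range) of an IP-type EDL."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # assumption: '#' starts a comment, blanks ignored
        if not line:
            continue
        try:
            if "-" in line:  # range form: low-high, both of the same IP version
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    raise ValueError(line)
            else:
                ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry: dropped, as the firewall would not load it either
        entries.append(line)
    return entries

def split_for_model(entries: list[str], model: str) -> list[list[str]]:
    """Split entries into segments that each fit the model's documented limit (assumes
    every entry, whether IP, CIDR or range, counts once toward the limit)."""
    limit = edl_ip_limit(model)
    return [entries[i:i + limit] for i in range(0, len(entries), limit)]

# Constructed sample feed (not data from the project's lists).
SAMPLE_EDL = "# header\n198.51.100.7\n203.0.113.0/24  # test net\n192.0.2.10-192.0.2.20\n2001:db8::/32\nnot-an-ip\n"
```

Running `split_for_model` over a 131k-entry segment for a PA-440 shows why the thread's question matters: the helper yields three segments, but whether the firewall honours them per list or in total is exactly what the on-box test above has to settle.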

@romainmarcoux romainmarcoux reopened this Nov 26, 2024