By ThreatListPro Security Team · Published February 27, 2026 · Last verified: February 28, 2026

If you manage a next-generation firewall, you have almost certainly encountered the term External Dynamic List—often abbreviated as EDL. It is one of the most powerful yet underutilized features available on modern firewalls, and understanding how it works can save your security team dozens of hours per month in manual threat response.

This guide explains what an EDL is, how different firewall vendors implement the concept, and how a service like ThreatListPro turns an EDL into an automated shield against VPN brute force attacks.

Defining the External Dynamic List

An External Dynamic List is a plain-text file hosted on a web server that contains a list of IP addresses, domain names, or URLs. Your firewall downloads this list on a recurring schedule—anywhere from every five minutes to once a day—and automatically creates security policy rules that block (or allow) traffic matching the entries on the list.

The key word is dynamic. Unlike a static address group that an administrator must update manually, an EDL updates itself. When the list changes on the remote server, your firewall picks up those changes on the next refresh cycle without any human intervention.

Palo Alto Networks popularized the term “External Dynamic List” in PAN-OS, but every major firewall vendor offers an equivalent feature under a different name:

| Vendor | Feature Name | Configuration Path |
|---|---|---|
| Palo Alto Networks | External Dynamic List (EDL) | Objects → External Dynamic Lists |
| Fortinet FortiGate | External Block List / Threat Feed | Security Fabric → External Connectors |
| Cisco ASA / FTD | Security Intelligence Feed | Objects → Security Intelligence |
| Check Point | External IoC Feed | Threat Prevention → Custom Intelligence |
| Sophos XG | IP Threat Feed | System Services → Dynamic Threat Feeds |
| pfSense / OPNsense | URL Alias (IP List) | Firewall → Aliases → URL Table |

Regardless of the vendor, the underlying concept is the same: the firewall reaches out to a URL, downloads a list of indicators, and enforces policy based on that list.

How an EDL Works Step by Step

Understanding the lifecycle of an EDL helps you configure it correctly and troubleshoot issues when they arise. Here is what happens from end to end:

  1. List creation: A threat intelligence provider (or your own team) compiles a list of malicious IP addresses. The list is saved as a plain-text file with one entry per line and hosted on a web server accessible to your firewall.
  2. Firewall configuration: An administrator creates an EDL object on the firewall, providing the URL of the hosted list and setting a refresh interval (e.g., every hour or once per day).
  3. Initial download: The firewall fetches the list immediately upon commit. It parses each line and loads the entries into memory as an address object.
  4. Policy binding: The administrator references the EDL object in a security policy rule—typically a deny rule placed early in the rulebase. Any traffic whose source IP matches an entry in the EDL is blocked before it reaches your VPN portal, web application, or other protected resource.
  5. Scheduled refresh: On every refresh cycle, the firewall re-downloads the list. New IPs are added; IPs that were removed from the list are unblocked. No commit or manual action is required.
  6. Logging: Every blocked connection generates a traffic log entry tagged with the EDL name, giving your SOC clear attribution for why a session was denied.

EDL Format Requirements

EDL formatting is deceptively simple, but small mistakes cause big headaches. The list must meet a strict set of format requirements to be parsed correctly by most firewalls. A correctly formatted list looks like this:

    # Example EDL format (ThreatListPro output)
    198.51.100.23
    203.0.113.0/24
    192.0.2.41
    198.51.100.100
    203.0.113.55

Common failure mode: Getting the format wrong is the most common reason an EDL silently fails—the firewall downloads the file but parses zero entries, and the administrator assumes the list is active when it is not. Always verify that entries are loading by checking the EDL status on your firewall after configuration.
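Both the refresh lifecycle described above and the format rules are easy to check mechanically before a list ever reaches a firewall. The following Python script is an added example (not ThreatListPro's code, and not any vendor's parser): it parses an EDL body the way a strict IP-list parser would, records why each rejected line was dropped, flags the "zero entries loaded" case, and diffs two consecutive fetches to show what a refresh cycle would block and unblock. The feed contents are constructed from documentation address ranges; treating lines that start with `#` as comments (as in the sample list above) and rejecting lines with leading or trailing whitespace in strict mode are assumptions, since individual firewalls differ in how lenient they are.

```python
"""Added example: validate an EDL body and diff two refresh cycles.

Not ThreatListPro's code or any firewall vendor's parser. Assumptions:
lines beginning with '#' are comments (as in the sample list above) and,
in strict mode, leading/trailing whitespace disqualifies a line.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class EdlParseResult:
    entries: set                                   # canonical entries that would be loaded
    rejected: list = field(default_factory=list)   # (line_no, raw_line, reason)
    comments: int = 0
    blank: int = 0
    crlf: bool = False                             # Windows line endings present


def normalize_entry(raw: str) -> str:
    """Canonical form of one entry; raises ValueError for anything that is not an IP or CIDR."""
    net = ipaddress.ip_network(raw, strict=False)  # 203.0.113.5/24 -> 203.0.113.0/24
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)            # single host: no /32 or /128 suffix
    return str(net)


def parse_edl(text: str, strict: bool = True) -> EdlParseResult:
    """Parse an EDL body; anything that is not an IP or CIDR is rejected with a reason."""
    result = EdlParseResult(entries=set(), crlf="\r\n" in text)
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            result.blank += 1
            continue
        if line.lstrip().startswith("#"):
            result.comments += 1
            continue
        if strict and line != line.strip():
            result.rejected.append((line_no, line, "leading/trailing whitespace"))
            continue
        try:
            result.entries.add(normalize_entry(line.strip()))
        except ValueError:
            # hostnames, URLs, 'ip:port', stray HTTP headers or HTML all land here
            result.rejected.append((line_no, line, "not an IP address or CIDR range"))
    return result


def diff_refresh(previous: set, current: set) -> dict:
    """What changes on a refresh cycle: new entries get blocked, dropped entries get unblocked."""
    return {
        "added": sorted(current - previous),
        "removed": sorted(previous - current),
        "unchanged": len(current & previous),
    }


def refresh_report(previous_text: str, current_text: str, strict: bool = True) -> dict:
    """Summarise a refresh the way an operator would want to see it in a log line."""
    prev = parse_edl(previous_text, strict)
    cur = parse_edl(current_text, strict)
    return {
        "loaded": len(cur.entries),
        "rejected": cur.rejected,
        "crlf": cur.crlf,
        # the silent-failure case from the text: the fetch succeeded, nothing loaded
        "silently_empty": not cur.entries and bool(current_text.strip()),
        "diff": diff_refresh(prev.entries, cur.entries),
    }


# Constructed sample feeds using documentation ranges, not real indicators.
PREVIOUS_FEED = "# refresh cycle 1\n198.51.100.23\n203.0.113.0/24\n192.0.2.41\n"
CURRENT_FEED = (
    "# refresh cycle 2\n"
    "198.51.100.23\n"
    "203.0.113.5/24\n"             # same /24 as before, written with host bits set
    "198.51.100.100\n"
    "2001:db8::1\n"
    "198.51.100.200 \n"            # trailing space: rejected in strict mode
    "example.com\n"                # a hostname does not belong in an IP list
    "Content-Type: text/plain\n"   # an HTTP header that leaked into the body
    "\n"
)

if __name__ == "__main__":
    report = refresh_report(PREVIOUS_FEED, CURRENT_FEED)
    print(f"loaded {report['loaded']} entries, diff: {report['diff']}")
    for line_no, raw, reason in report["rejected"]:
        print(f"line {line_no}: {raw!r} rejected: {reason}")
    print("silently empty:", refresh_report("", "Content-Type: text/plain\n")["silently_empty"])
```

Running the script against the two constructed feeds loads four entries from the second fetch, reports three rejected lines with their line numbers, and shows the refresh diff (two entries added, one removed). Pass `strict=False` to see how a lenient parser that trims whitespace would load five entries instead; comparing the two modes against your own feed tells you whether you are relying on leniency the next firewall may not have.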

Why EDLs Are Critical for VPN Security

VPN portals such as Palo Alto GlobalProtect, Fortinet SSL-VPN, and Cisco AnyConnect are among the most attacked surfaces on the internet. Brute force bots hammer these portals around the clock, attempting credential stuffing and password spraying attacks that lock out legitimate users and generate thousands of log entries per day.

An EDL gives you a way to block these attackers at the firewall level—before the traffic ever reaches the VPN portal. The attacker’s TCP connection is refused instantly, meaning your authentication server never sees the attempt, your users never get locked out, and your helpdesk never gets the call.

Key distinction: This is fundamentally different from application-layer defenses like rate limiting or CAPTCHA, which still require your server to process each connection attempt before deciding to block it. An EDL operates at the network layer, stopping traffic before it consumes any resources.

ThreatListPro as a Ready-Made EDL Source

Building and maintaining your own threat intelligence list is a full-time job. You need honeypots to attract attackers, infrastructure to analyze logs, a scoring algorithm to separate noise from genuine threats, and a pipeline to publish the list in the right format on a reliable server.

ThreatListPro handles all of this for you. When you subscribe, you receive a private HTTPS URL that serves a curated blocklist of IP addresses currently engaged in VPN brute force attacks. The list is formatted as a standard EDL—one IP per line, plain text, served with the correct headers—so it works out of the box with Palo Alto, Fortinet, Cisco, Check Point, Sophos, pfSense, and any other firewall that supports external IP lists.

5-minute setup: Create the EDL object, paste the URL, set the refresh interval, reference the EDL in a deny rule, and commit. From that point forward, your firewall automatically blocks the most active VPN attackers on the internet without any ongoing effort from your team.

Common EDL Pitfalls and How to Avoid Them

Frequently Asked Questions

What format does an EDL need to be in?

An EDL must be a plain-text file served over HTTP or HTTPS, with one IP address or CIDR range per line. No header line in the file, no trailing whitespace, and the server must return a Content-Type: text/plain header. Palo Alto Networks firewalls accept IPv4 addresses, IPv4 CIDR ranges, and IPv6 addresses. ThreatListPro serves its blocklist in this exact format, so it works out of the box with every major firewall.
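The serving side of these requirements (a wrong Content-Type, HTML wrapped around the list by a web framework or captive portal, a broken URL) is what the firewall's own status page only reports after the fact. The following Python check is an added example, not ThreatListPro's code: it fetches a list the way a firewall does and reports every condition that would make it load zero entries. So that it runs offline, it starts an in-process stand-in HTTP server with two constructed responses on localhost; the `edl-check/1.0` user agent string is hypothetical, and the real check would be pointed at your own feed URL.

```python
"""Added example: fetch an EDL as a firewall would and report serving problems.

Not ThreatListPro's code. The in-process HTTP server and its two responses are
constructed stand-ins for a real feed URL, so the example runs offline.
"""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed responses (documentation-range addresses, not real indicators).
RESPONSES = {
    "/good.txt": ("text/plain; charset=utf-8", b"198.51.100.23\n203.0.113.0/24\n192.0.2.41\n"),
    # The same list wrapped in HTML by a web framework or a captive portal:
    # the firewall downloads it without error and loads zero entries.
    "/bad.html": ("text/html", b"<html><body><pre>\n198.51.100.23\n</pre></body></html>\n"),
}


class EdlHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path not in RESPONSES:
            self.send_error(404)
            return
        content_type, body = RESPONSES[self.path]
        self.send_response(200)
        self.send_header("Content-Type", content_type)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def start_server() -> ThreadingHTTPServer:
    """Start the stand-in feed server on an ephemeral localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), EdlHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def check_edl_source(url: str) -> dict:
    """Fetch the list and report the conditions under which a firewall loads nothing."""
    # hypothetical user agent string; real firewalls send their own
    request = urllib.request.Request(url, headers={"User-Agent": "edl-check/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=5) as resp:
            status, headers, body = resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        status, headers, body = err.code, err.headers, err.read()
    content_type = headers.get("Content-Type", "")
    text = body.decode("utf-8", errors="replace")
    # lines a parser would try to interpret as entries: non-blank, not '#' comments
    candidate_lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]

    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}")
    if not content_type.lower().startswith("text/plain"):
        problems.append(f"Content-Type is {content_type!r}, expected text/plain")
    if "<html" in text.lower() or "<!doctype" in text.lower():
        problems.append("body contains HTML markup")
    if not candidate_lines:
        problems.append("no candidate entries in body")
    return {
        "status": status,
        "content_type": content_type,
        "candidate_lines": len(candidate_lines),
        "problems": problems,
        "ok": not problems,
    }


if __name__ == "__main__":
    server = start_server()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    for path in ("/good.txt", "/bad.html", "/missing.txt"):
        print(path, check_edl_source(base + path))
    server.shutdown()
```

The good path comes back clean with three candidate lines; the HTML path is flagged both for its Content-Type and for the markup in the body, which is exactly the case where a firewall reports a successful download and an empty list. Scheduling this check alongside the firewall's refresh interval turns the silent failure into an alert.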

How often should an External Dynamic List refresh?

Most firewalls support refresh intervals from every 5 minutes up to once per day. For VPN brute force protection, a daily or weekly refresh is typically sufficient because attacker infrastructure rotates relatively slowly. ThreatListPro updates its blocklist weekly. If your environment is under active attack, setting your firewall to poll hourly ensures you pick up updates as quickly as possible.

What is the maximum number of IPs an EDL can contain?

The limit depends on your firewall model and license. Palo Alto firewalls support between 50,000 and 150,000 entries per EDL depending on the hardware platform. Fortinet FortiGate supports up to 131,072 entries. ThreatListPro deliberately keeps its curated blocklist under 2,000 entries so it works on every firewall model—even entry-level devices—without hitting capacity limits.

Can I use an EDL with firewalls other than Palo Alto?

Yes. While Palo Alto Networks popularized the term EDL, every major firewall vendor supports the same concept under a different name. Fortinet calls it an External Block List or Threat Feed, Cisco uses Security Intelligence Feed, Check Point calls it External IoC Feed, and Sophos uses IP Threat Feed. ThreatListPro works with all of these platforms.

How long does it take to set up an EDL on a firewall?

Setting up an EDL typically takes under 5 minutes. You create an EDL object on your firewall, paste the URL of the hosted list, set a refresh interval, reference the EDL in a deny rule, and commit. With a service like ThreatListPro that provides a ready-made URL in the correct format, there is no scripting or formatting work required.