
EDL Deployment lifecycle

An EDL Deployment is the unit of delivery in Blocklist Automation. Each deployment produces one URL your firewall fetches and applies. Manage them at platform.ellio.tech/dashboard/edl-deployments.

This page is the reference for the entire lifecycle - creation, update, deletion, and the meaning of every field. For a guided walkthrough, see Creating your first blocklist.

Create - three-step wizard

The creation flow at /dashboard/edl-deployments/create has three steps:

Step 1 - Configuration

Basic Information

Field | Required | What it does
--- | --- | ---
Deployment Name | Yes | Used everywhere the deployment is referenced. Make it descriptive (e.g. prod-ingress-blocklist).
Description | No | Free-text. Helpful for teammates who didn't create the deployment.

Deployment Configuration

  • Firewall Format - pick a card from 10 supported formats: Checkpoint, Cisco, F5, Fortinet, ntop, OPNsense, Palo Alto, pfSense, Sophos, Universal. Each card shows IPv4/IPv6/CIDR support, an example payload, an Official Documentation link, and (where available) an ELLIO Integration Tutorial link. See the firewall format guide for picking guidance.
  • Update Frequency - how often the EDL content is regenerated. Options: 5 Minutes, 15 Minutes, 30 Minutes, 60 Minutes, 6 Hours, 12 Hours, 24 Hours. Higher frequencies require a corresponding plan tier.
  • Activate on creation - toggle (default on). When on, the EDL begins generating immediately. When off, the deployment is created in a paused state and you must activate it later.

Metadata

These fields exist for organisation; they don't change how the EDL is generated or fetched.

  • Purpose - Blocklist / Allowlist / Other. Helps you find lists later.
  • Traffic Direction - Ingress / Egress / Both. Same idea - purely organisational.

Step 2 - Sources

A four-column hierarchical picker. The top-level columns map to the four source types:

  • Common Business Services - drill into Cloud Providers, CDNs, ISPs, Security Services, SaaS, Web Crawlers & Bots; then pick specific providers (AWS, Azure, Cloudflare, Microsoft 365, Bing, etc.).
  • ELLIO Threat Lists - pick ELLIO Lists (MAX, RDP, 250K, 100K) and/or RECON Lists (Censys, Shodan, Shadowserver, BinaryEdge, BufferOver, Cortex Xpanse, Driftnet, InfraWatch, Internet Census, InternetTL, LeakIX, NetScout, Nokia Deepfield, Rapid7, Stretchoid).
  • My IP Rulesets - pick from rulesets you created in My IP Rulesets.
  • My External IP Lists - pick from sources you configured in My External IP Lists.

For every source you can:

  • Include (+) - add the source's IPs to the EDL. The button turns green when active.
  • Exclude (-) - guarantee the source's IPs never appear in the EDL, even if another included source contains them. Red when active.

The Current Selection strip at the top of the panel summarises what you've picked across the four source types.

You must pick at least one source to advance. Most production deployments combine an ELLIO Threat List (broad coverage), one or more RECON lists (scanner exclusions or inclusions), one or two Common Business Services exclusions (so trusted CDN traffic stays reachable), and a personal allowlist (to whitelist your own EASM probes).

For the rules that govern how includes and excludes interact, read Include / exclude logic.
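The Exclude guarantee described above can be modelled as set arithmetic on CIDR ranges. The sketch below is an added example, not ELLIO's implementation: it assumes exclude always wins and that an included range which only partly overlaps an excluded one is split rather than dropped. It handles IPv4 only, and the source names and addresses are constructed.

```python
import ipaddress

def _parse(sources):
    """Flatten {source name: [CIDR, ...]} into a list of network objects."""
    return [ipaddress.ip_network(c) for cidrs in sources.values() for c in cidrs]

def subtract(net, excluded):
    """Return the parts of `net` that lie outside every network in `excluded`."""
    remaining = [net]
    for ex in excluded:
        survivors = []
        for n in remaining:
            if not n.overlaps(ex):
                survivors.append(n)                      # disjoint: keep as is
            elif n.subnet_of(ex):
                continue                                 # fully covered: drop
            else:
                survivors.extend(n.address_exclude(ex))  # ex sits inside n: split n
        remaining = survivors
    return remaining

def build_edl(included, excluded):
    """Exclude-wins merge of IPv4 sources (assumed semantics, not the platform's code)."""
    banned = list(ipaddress.collapse_addresses(_parse(excluded)))
    kept = []
    for net in ipaddress.collapse_addresses(_parse(included)):
        kept.extend(subtract(net, banned))
    return [str(n) for n in ipaddress.collapse_addresses(kept)]

# Constructed sample data: RFC 5737 documentation ranges, hypothetical source names.
INCLUDED = {
    "threat-list": ["203.0.113.0/24", "198.51.100.7/32"],
    "recon-list": ["203.0.113.128/25", "192.0.2.0/25"],
}
EXCLUDED = {
    "cdn": ["203.0.113.64/26"],
    "own-probes": ["198.51.100.7/32", "192.0.2.0/26"],
}

if __name__ == "__main__":
    print("\n".join(build_edl(INCLUDED, EXCLUDED)))
```

The single probe address disappears entirely, while the /24 that contains the excluded CDN range survives as two smaller ranges around it.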

Step 3 - Review

Read-only summary of every choice. Confirm and create.

After creation, the platform returns to the EDL Deployments list with your new deployment surfaced at the top.

Manage existing deployments

The deployment list at /dashboard/edl-deployments supports:

  • Search by name, description, firewall format, or ID.
  • Filter by purpose (All / Blocklist / Allowlist / Other) and by status (All / Active / Inactive).
  • Sort by creation date.

Click any deployment card to open its detail page, where you can:

  • View the Current EDL URL and copy it into your firewall configuration.
  • Inspect the source selection.
  • Force a regeneration ("Update now").
  • Toggle the deployment active or inactive.
  • Edit the basic info or source selection.
  • Delete the deployment.

How the firewall consumes the URL

The URL is stable for the lifetime of the deployment. Plug it into your firewall's external dynamic list configuration:

  • Palo Alto Networks: Objects → External Dynamic Lists → IP List → URL.
  • Fortinet FortiGate: Security Fabric → External Connectors → Threat Feeds → IP Address.
  • Check Point: Custom Intelligence Feeds.
  • Cisco Secure Firewall: Security Intelligence → IP Addresses.
  • F5 BIG-IP: IP Address Intelligence custom category.
  • pfSense / OPNsense: pfBlockerNG / Aliases - Type URL.
  • ntopng: IP blacklist URL.
  • Sophos: Active Threat Response IP list.
  • Universal: any system that accepts a plain text list.

The firewall fetches on its own schedule (usually independent from the ELLIO update frequency). Plan for the longer of the two cadences when reasoning about propagation time.

Deleting a deployment

Deletion is immediate and irreversible from the platform. The URL stops serving content as soon as the deployment is removed; firewalls that fetch after that point will receive an empty response or HTTP 404 depending on firewall format. Remove or replace the URL on every firewall that uses it before deleting the deployment.
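A feed that silently turns empty or starts returning 404 means the firewall is no longer blocking anything from that list. The check below is an added example, not part of the platform: it classifies one fetch of a plain-text (Universal format) EDL, assuming one IP or CIDR per line and `#` comment lines; the 50% drop threshold and the sample body are constructed.

```python
import ipaddress
import urllib.error
import urllib.request

def fetch(url, timeout=10):
    """Return (status, body) for an EDL URL; HTTP errors become a status code."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""

def check_edl(status, body, last_good_count=None, max_drop=0.5):
    """Classify one fetch of a plain-text EDL. Returns (entry_count, findings)."""
    if status == 404:
        return 0, ["HTTP 404: deployment deleted or URL wrong"]
    if status != 200:
        return 0, [f"HTTP {status}: feed not served"]
    entries, findings = [], []
    for lineno, raw in enumerate(body.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumed comment syntax
            continue
        try:
            entries.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            findings.append(f"line {lineno}: not an IP or CIDR: {line!r}")
    if not entries:
        findings.append("empty list: same response a deleted deployment can serve")
    elif last_good_count and len(entries) < last_good_count * (1 - max_drop):
        findings.append(f"entry count fell from {last_good_count} to {len(entries)}")
    return len(entries), findings

# Constructed sample body (RFC 5737 documentation addresses).
SAMPLE_BODY = "203.0.113.0/26\n198.51.100.7\n"

if __name__ == "__main__":
    print(check_edl(200, SAMPLE_BODY))
    print(check_edl(404, ""))
```

Run it against each deployment URL on a schedule, passing the previous run's count as `last_good_count`, and alert on any finding.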
