Skip to content

New: Microsoft Sentinel TAXII integration is in technical preview.Read the integration guide

Firewall format guide

ELLIO renders every EDL in the format your firewall expects. Pick the one that matches your device on the Configuration step of the deployment wizard.

Format CIDR IPv4 IPv6 Best for
Palo Alto Yes Yes Yes PAN-OS NGFW. Recommended default for any Palo Alto deployment.
Fortinet Yes Yes Yes FortiGate. Lists larger than 130k entries are auto-chunked.
Checkpoint Yes Yes Yes Check Point NGFW Custom Intelligence Feeds.
Cisco Yes Yes Yes Cisco Secure Firewall (FTD / Firepower) Security Intelligence. Includes an MD5 file for smart fetching.
F5 Yes Yes Yes F5 BIG-IP IP Address Intelligence - supports a custom category.
pfSense Yes Yes Yes pfBlockerNG IP feed.
OPNsense Yes Yes No OPNsense alias URL table. IPv4 only.
Sophos No Yes No Sophos. CIDRs are expanded into individual addresses up to /16.
ntop No Yes No ntopng IP blacklist. CIDRs expanded up to /16.
Universal Yes Yes Yes Any system that accepts a plain text list. Fall-back.

Industry-standard EDL format. One IP or CIDR per line, IPv4 + IPv6 + CIDR.

203.0.113.42
198.51.100.0/24
2001:db8::1

Use the format card’s “Integration Tutorial” link in the wizard to jump straight to the Palo Alto-specific setup walkthrough.

Same one-IP-per-line format with full CIDR + IPv6 support. The platform auto-chunks lists over 130,000 entries into multiple files because of FortiGate’s per-feed limit.

203.0.113.42
198.51.100.0/24
2001:db8::1

CIF (Custom Intelligence Feeds) format with extra columns:

ID,IP,type,confidence,severity,product,comment
TES1,203.0.113.0/24,IP,75,high,high,AS,notes

Used directly by Check Point NGFW Custom Intelligence Feeds.

Security Intelligence feed format - one IP/CIDR per line, plus a side-channel MD5 checksum file for smart fetching:

203.0.113.42
198.51.100.0/24

The MD5 lets the firewall short-circuit the download if the file hasn’t changed.

IP Address Intelligence format with prefix length, list type, and category:

203.0.113.0,24,B1,ELLIO-EDL
198.51.100.0,24,B1,ELLIO-EDL

A custom category is supported - set it on the firewall side and reference it in your security policy.

Individual IPs only. CIDR ranges are expanded into individual addresses up to /16:

203.0.113.42
203.0.113.43
198.51.100.7

Anything larger than /16 is rejected to prevent feeds in the millions of lines.

IP-only, one per line. Same /16 expansion rule as Sophos:

203.0.113.42
198.51.100.7

Plain alias URL table format. One IP or CIDR per line. Consumed by pfBlockerNG:

203.0.113.42
198.51.100.0/24
2001:db8::/32

Alias URL table format, one IP or CIDR per line. IPv4 only - IPv6 entries are dropped on render.

203.0.113.42
198.51.100.0/24

Plain text, one IP or CIDR per line. Compatible with most systems that accept a plain IP list. Use this when you’re shipping the EDL to something that isn’t in the list above (pi-hole-style filters, custom firewalls, allow-only edge nodes, etc.):

203.0.113.42
198.51.100.0/24
2001:db8::1

ELLIO Traefik Middleware Plugin (separate path)

Section titled “ELLIO Traefik Middleware Plugin (separate path)”

Traefik does not consume an EDL URL - it uses a bootstrap token instead, configured on the deployment. The plugin fetches your EDL configuration with that token and refreshes itself in-process.

If your edge is Traefik, follow the Traefik plugin guide instead of picking a firewall format.

Firewall fetch cadence vs. ELLIO update frequency

Section titled “Firewall fetch cadence vs. ELLIO update frequency”

There are two cadences in play:

  • ELLIO update frequency - how often we regenerate the EDL content (5 min … 24 h).
  • Firewall fetch cadence - how often the firewall re-downloads the URL.

End-to-end propagation is roughly the longer of the two. If you set ELLIO to 5 minutes but your Palo Alto fetches every 60 minutes, indicators take up to 60 minutes to apply at the firewall.

Match the two cadences when planning blast-radius for new threats.