Firewall format guide
ELLIO renders every EDL in the format your firewall expects. Pick the one that matches your device on the Configuration step of the deployment wizard.
Quick decision table
| Format | CIDR | IPv4 | IPv6 | Best for |
|---|---|---|---|---|
| Palo Alto | Yes | Yes | Yes | PAN-OS NGFW. Recommended default for any Palo Alto deployment. |
| Fortinet | Yes | Yes | Yes | FortiGate. Lists larger than 130k entries are auto-chunked. |
| Checkpoint | Yes | Yes | Yes | Check Point NGFW Custom Intelligence Feeds. |
| Cisco | Yes | Yes | Yes | Cisco Secure Firewall (FTD / Firepower) Security Intelligence. Includes an MD5 file for smart fetching. |
| F5 | Yes | Yes | Yes | F5 BIG-IP IP Address Intelligence - supports a custom category. |
| pfSense | Yes | Yes | Yes | pfBlockerNG IP feed. |
| OPNsense | Yes | Yes | No | OPNsense alias URL table. IPv4 only. |
| Sophos | No | Yes | No | Sophos. CIDRs are expanded into individual addresses up to /16. |
| ntop | No | Yes | No | ntopng IP blacklist. CIDRs expanded up to /16. |
| Universal | Yes | Yes | Yes | Any system that accepts a plain text list. Fall-back. |
Palo Alto Networks (recommended default)
Industry-standard EDL format. One IP or CIDR per line, IPv4 + IPv6 + CIDR.
203.0.113.42
198.51.100.0/24
2001:db8::1
Use the format card's "Integration Tutorial" link in the wizard to jump straight to the Palo Alto-specific setup walkthrough.
Fortinet FortiGate
Same one-IP-per-line format with full CIDR + IPv6 support. The platform auto-chunks lists over 130,000 entries into multiple files because of FortiGate's per-feed limit.
203.0.113.42
198.51.100.0/24
2001:db8::1
Check Point
CIF (Custom Intelligence Feeds) format with extra columns:
ID,IP,type,confidence,severity,product,comment
TES1,4.4.4.0/24,IP,75,high,high,AS,notes
Used directly by Check Point NGFW Custom Intelligence Feeds.
Cisco Secure Firewall
Security Intelligence feed format - one IP/CIDR per line, plus a side-channel MD5 checksum file for smart fetching:
203.0.113.42
198.51.100.0/24
The MD5 lets the firewall short-circuit the download if the file hasn't changed.
F5 BIG-IP
IP Address Intelligence format with prefix length, list type, and category:
203.0.113.0,24,B1,ELLIO-EDL
198.51.100.0,24,B1,ELLIO-EDL
A custom category is supported - set it on the firewall side and reference it in your security policy.
Sophos
Individual IPs only. CIDR ranges are expanded into individual addresses up to /16:
203.0.113.42
203.0.113.43
198.51.100.7
Any range larger than a /16 (that is, a shorter prefix length such as /15) is rejected to prevent feeds that run to millions of lines.
ntopng
IP-only, one per line. Same /16 expansion rule as Sophos:
203.0.113.42
198.51.100.7
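The /16 expansion rule shared by the Sophos and ntopng formats, as an added Python sketch (not ELLIO's renderer), useful for predicting how many lines a list produces before choosing an IP-only format. The function name, the per-entry skipping of IPv6 and oversized ranges, the inclusion of network and broadcast addresses, and the de-duplication are assumptions, as is the constructed sample input.

```python
import ipaddress

MAX_EXPAND_PREFIX = 16  # from the page: CIDRs are expanded up to /16

# Constructed sample input in the one-entry-per-line (Universal) layout.
SAMPLE = [
    "203.0.113.42",
    "198.51.100.0/30",
    "198.51.100.2",   # duplicate of an address inside the /30
    "2001:db8::1",    # IPv6: not supported by the IP-only formats
    "10.0.0.0/15",    # larger than /16
    "not-an-ip",
]


def expand_ip_only(lines, max_prefix=MAX_EXPAND_PREFIX):
    """Expand IP/CIDR entries into individual IPv4 addresses.

    Returns (addresses, skipped); skipped holds (entry, reason) pairs.
    Assumption: unsupported entries are skipped one by one rather than
    failing the whole list.
    """
    addresses, skipped, seen = [], [], set()
    for raw in lines:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        try:
            # strict=False accepts entries with host bits set (e.g. 10.0.0.5/24)
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            skipped.append((entry, "not an IP or CIDR"))
            continue
        if net.version != 4:
            skipped.append((entry, "IPv6 not supported"))
            continue
        if net.prefixlen < max_prefix:
            skipped.append((entry, f"larger than /{max_prefix}"))
            continue
        for addr in net:  # every address, network and broadcast included
            if addr not in seen:
                seen.add(addr)
                addresses.append(str(addr))
    return addresses, skipped


if __name__ == "__main__":
    ips, dropped = expand_ip_only(SAMPLE)
    print(len(ips), "lines;", dropped)
```

A single /16 already expands to 65,536 lines, so a handful of wide ranges dominates the size of an IP-only feed.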
pfSense
Plain alias URL table format. One IP or CIDR per line. Consumed by pfBlockerNG:
203.0.113.42
198.51.100.0/24
2001:db8::/32
OPNsense
Alias URL table format, one IP or CIDR per line. IPv4 only - IPv6 entries are dropped on render.
203.0.113.42
198.51.100.0/24
Universal
Plain text, one IP or CIDR per line. Compatible with most systems that accept a plain IP list. Use this when you're shipping the EDL to something that isn't in the list above (pi-hole-style filters, custom firewalls, allow-only edge nodes, etc.):
203.0.113.42
198.51.100.0/24
2001:db8::1
ELLIO Traefik Middleware Plugin (separate path)
Traefik does not consume an EDL URL - it uses a bootstrap token instead, configured on the deployment. The plugin fetches your EDL configuration with that token and refreshes itself in-process.
If your edge is Traefik, follow the Traefik plugin guide instead of picking a firewall format.
Reference: firewall fetch cadence vs. ELLIO update frequency
There are two cadences in play:
- ELLIO update frequency - how often we regenerate the EDL content (5 min … 24 h).
- Firewall fetch cadence - how often the firewall re-downloads the URL.
End-to-end propagation is roughly the longer of the two. If you set ELLIO to 5 minutes but your Palo Alto fetches every 60 minutes, indicators take up to 60 minutes to apply at the firewall.
Match the two cadences when planning the blast radius of new threats.