Firewall format guide
ELLIO renders every EDL in the format your firewall expects. Pick the one that matches your device on the Configuration step of the deployment wizard.
Quick decision table
Section titled “Quick decision table”| Format | CIDR | IPv4 | IPv6 | Best for |
|---|---|---|---|---|
| Palo Alto | Yes | Yes | Yes | PAN-OS NGFW. Recommended default for any Palo Alto deployment. |
| Fortinet | Yes | Yes | Yes | FortiGate. Lists larger than 130k entries are auto-chunked. |
| Checkpoint | Yes | Yes | Yes | Check Point NGFW Custom Intelligence Feeds. |
| Cisco | Yes | Yes | Yes | Cisco Secure Firewall (FTD / Firepower) Security Intelligence. Includes an MD5 file for smart fetching. |
| F5 | Yes | Yes | Yes | F5 BIG-IP IP Address Intelligence - supports a custom category. |
| pfSense | Yes | Yes | Yes | pfBlockerNG IP feed. |
| OPNsense | Yes | Yes | No | OPNsense alias URL table. IPv4 only. |
| Sophos | No | Yes | No | Sophos. CIDRs are expanded into individual addresses up to /16. |
| ntop | No | Yes | No | ntopng IP blacklist. CIDRs expanded up to /16. |
| Universal | Yes | Yes | Yes | Any system that accepts a plain text list. Fall-back. |
Palo Alto Networks (recommended default)
Section titled “Palo Alto Networks (recommended default)”Industry-standard EDL format. One IP or CIDR per line, IPv4 + IPv6 + CIDR.
203.0.113.42198.51.100.0/242001:db8::1Use the format card’s “Integration Tutorial” link in the wizard to jump straight to the Palo Alto-specific setup walkthrough.
Fortinet FortiGate
Section titled “Fortinet FortiGate”Same one-IP-per-line format with full CIDR + IPv6 support. The platform auto-chunks lists over 130,000 entries into multiple files because of FortiGate’s per-feed limit.
203.0.113.42198.51.100.0/242001:db8::1Check Point
Section titled “Check Point”CIF (Custom Intelligence Feeds) format with extra columns:
ID,IP,type,confidence,severity,product,commentTES1,203.0.113.0/24,IP,75,high,high,AS,notesUsed directly by Check Point NGFW Custom Intelligence Feeds.
Cisco Secure Firewall
Section titled “Cisco Secure Firewall”Security Intelligence feed format - one IP/CIDR per line, plus a side-channel MD5 checksum file for smart fetching:
203.0.113.42198.51.100.0/24The MD5 lets the firewall short-circuit the download if the file hasn’t changed.
F5 BIG-IP
Section titled “F5 BIG-IP”IP Address Intelligence format with prefix length, list type, and category:
203.0.113.0,24,B1,ELLIO-EDL198.51.100.0,24,B1,ELLIO-EDLA custom category is supported - set it on the firewall side and reference it in your security policy.
Sophos
Section titled “Sophos”Individual IPs only. CIDR ranges are expanded into individual addresses
up to /16:
203.0.113.42203.0.113.43198.51.100.7Anything larger than /16 is rejected to prevent feeds in the millions of
lines.
ntopng
Section titled “ntopng”IP-only, one per line. Same /16 expansion rule as Sophos:
203.0.113.42198.51.100.7pfSense
Section titled “pfSense”Plain alias URL table format. One IP or CIDR per line. Consumed by
pfBlockerNG:
203.0.113.42198.51.100.0/242001:db8::/32OPNsense
Section titled “OPNsense”Alias URL table format, one IP or CIDR per line. IPv4 only - IPv6 entries are dropped on render.
203.0.113.42198.51.100.0/24Universal
Section titled “Universal”Plain text, one IP or CIDR per line. Compatible with most systems that accept a plain IP list. Use this when you’re shipping the EDL to something that isn’t in the list above (pi-hole-style filters, custom firewalls, allow-only edge nodes, etc.):
203.0.113.42198.51.100.0/242001:db8::1ELLIO Traefik Middleware Plugin (separate path)
Section titled “ELLIO Traefik Middleware Plugin (separate path)”Traefik does not consume an EDL URL - it uses a bootstrap token instead, configured on the deployment. The plugin fetches your EDL configuration with that token and refreshes itself in-process.
If your edge is Traefik, follow the Traefik plugin guide instead of picking a firewall format.
Firewall fetch cadence vs. ELLIO update frequency
Section titled “Firewall fetch cadence vs. ELLIO update frequency”There are two cadences in play:
- ELLIO update frequency - how often we regenerate the EDL content (5 min … 24 h).
- Firewall fetch cadence - how often the firewall re-downloads the URL.
End-to-end propagation is roughly the longer of the two. If you set ELLIO to 5 minutes but your Palo Alto fetches every 60 minutes, indicators take up to 60 minutes to apply at the firewall.
Match the two cadences when planning blast-radius for new threats.