DEAG and DEAO Maximums:

GrahamBarnes

We manage several hundred TZ's and NSA's, both Gen6 & 7

We use Dynamic External Address Groups to whitelist FQDNs from GAV, DPI-SSL, and App Control services.

This works great, however we seem to have reached a limit.

According to https://www.sonicwall.com/support/knowledge-base/what-are-dynamic-external-objects-groups-and-how-can-we-configure-it/200507105852280/

DEAG and DEAO Maximums:

Maximum DEAGs:

The maximum number of DEAGs, including both IP address and FQDN types, is 25% of the total number of address groups supported by the device.

The maximum number of DEAGs that can be created cannot exceed the number of address groups remaining before exceeding the total number supported on the firewall. For example, if a device supports 1024 Address Groups and you are using only 20 Address Groups, then 256 DEAGs (25% of 1024) can be created. However, if you have already manually created 1000 Address Groups, then only 24 DEAGs can be created.

Maximum DEAOs:

The maximum number of IP address type DEAOs is 25% of the total number of address objects supported by the device.

The maximum number of FQDN type DEAOs is 50% of the total number of address objects supported by the device.

The maximum number of DEAOs that can be created cannot exceed the number of address objects remaining before exceeding the total number supported on the firewall.

My question is:

Where can I find a data sheet that shows all the Firewalls and the DEAG/DEAO that each support?

Thanks

Graham

Saravanan

Hi @GrahamBarnes,

Thank you for visiting SonicWall Community.

Unfortunately, I don't think so that your requested information is handy available on the Datasheet. But this info can be procured from the SonicWall's TSR file. The info varies with firewall models and hence it is dynamic depending upon the hardware.

https://www.sonicwall.com/support/knowledge-base/how-can-i-download-required-tech-support-files-tsr-settings-gui-logs-trace-logs/170503698742108/

1. Please download the TSR file from SonicWall as per above link.
2. Open up the TSR file in Notepad or Notepad++.
3. Search for keyword Address Objects_START and you could see the supported values for Max objects and Max groups.

Please try and let me know if this helps.

GrahamBarnes

Hi Saravanan,

That just what I need.

Thanks

Graham

Saravanan

You are most welcome @GRAHAMBARNES. It was a pleasure helping you. Have a good day!!!

webbdj

On a further comment on the limitations of DEAG objects:

1. Sonicwall apparently does not like something about AWS hosting. I had to take my hosting of the DAG objects elsewhere.
2. The number of address lines in the TXT file seem to have a limit somewhere around 100 or so. I haven't been able to determine exactly what that limit is yet, but I cannot load the entire list of Microsoft subnets, which is somewhere around 160-180 as of this date.
3. There seems to be a limit (unpublished) of FIVE DEAG object entries on some of the TZ500 firewalls. I haven't had an opportunity to try other models yet, but that is very disappointing... My goal was to provide a central place to manage these common access lists, and between Microsoft, AKAMAI, Other CDN Networks, Voice providers (Vonage/RingCentral, etc), AV companies, 2FA/Auth Providers (DUO, DSO, Okta, etc), I have a need to publish more than just five DEAG lists to a given firewall. The percentage rule does not seem to apply... I tried it on a brand new TZ500 with no other groups added and it still stopped me at five...
4.