topic Re: The IP quantity limit of a NetworkFeed in Firewall and Security Management

The IP quantity limit of a NetworkFeed

TONYFU — Thu, 09 Oct 2025 05:06:44 GMT

Hello,
the documentation states that a network feed:

A Security Gateway supports up to 500 network feed objects. Each object can hold up to 50,000 IP addresses. There is no limitation on the number of domains per object.
A Security Gateway supports a total of 5,000 objects of these types: Dynamic objects, Updatable objects, Generic Data Center objects, and Network Feed objects. A Security Gateway supports a total of 350,000 IP addresses and 12,500 domains across all of these object types combined.

In my Lab , I can see approximately 140,000 IP entries in the object "IPSUM1".
[Expert@CPSG:0]# dynamic_objects -efo IPSUM1 | wc -l
140842
[Expert@CPSG:0]# dynamic_objects -efo IPSUM1 | tail
range 140830 : 223.255.153.194 223.255.153.194
range 140831 : 223.255.163.249 223.255.163.249
range 140832 : 223.255.177.204 223.255.177.204
range 140833 : 223.255.183.10 223.255.183.10
range 140834 : 223.255.183.18 223.255.183.18

My original understanding was that seeing 140,000 entries was because of rule 2, but due to rule 1, only 50,000 IP could be processed.
However, practical testing seems to show that it is not actually the case.

I applied the network feed object to a policy and tested whether the firewall could block the 60,000th IP.
However, the firewall was still able to block it correctly.
[Expert@CPSG:0]# dynamic_objects -efo IPSUM1 | grep 60000
range 60000 : 103.86.1.22 103.86.1.22

So what exactly does the 50,000 IP in rule1 mentioned here refer to?
Thank you!

Re: The IP quantity limit of a NetworkFeed

PhoneBoy — Fri, 10 Oct 2025 19:40:14 GMT

How are the IPs listed in this file, individually, or in ranges?
Because I think the 50,000 refers to the number of items that refer directly to IPs or networks (by IP/mask or range).
The number of IPs can be much larger, I believe.

Re: The IP quantity limit of a NetworkFeed

the_rock — Sat, 11 Oct 2025 11:24:45 GMT

Interesting you ask, because when I spoke to TAC about it few months ago, guy told me would check internally and advised that documentation was actually wrong, that there was no limit. I believe that is 100% true, since I tested feed with 15M entries, no issues.

I was hoping documentation would be corrected, but not yet.

Best,

Andy

Re: The IP quantity limit of a NetworkFeed

TONYFU — Sat, 11 Oct 2025 11:55:38 GMT

Thank you!

Re: The IP quantity limit of a NetworkFeed

the_rock — Sat, 11 Oct 2025 13:34:15 GMT

Glad we can help!

Re: The IP quantity limit of a NetworkFeed

the_rock — Sat, 11 Oct 2025 17:56:22 GMT

For the context, Fortinet feeds are limited to 32000 entries, so really noticeable difference.

Andy

Re: The IP quantity limit of a NetworkFeed

C0rwin — Mon, 30 Mar 2026 06:53:29 GMT

What about domains limit for network feed?

Daniel

Re: The IP quantity limit of a NetworkFeed

PhoneBoy — Mon, 30 Mar 2026 14:54:06 GMT

The various limits for Network Feeds are in the documentation: https://sc1.checkpoint.com/documents/R82/WebAdminGuides/EN/CP_R82_SecurityManagement_AdminGuide/Content/Topics-SECMG/Network_Feed.htm
For domains specifically, it states: "There is no limitation on the number of domains per object."

Re: The IP quantity limit of a NetworkFeed

C0rwin — Tue, 31 Mar 2026 06:35:48 GMT

But there is also statement - A Security Gateway supports a total of 350,000 IP Addresses and 12,500 domains across all of these object types combined.

So is it possible and supported to use network feed with domains up to the mentioned limit? Any experience with that.

I'm asking about it - because I found on cluster R82 JHF Take_60 huge issue with network feed containing 150k domains - cpu spikes, failovers, lack of responsivness during policy install or feed refresh time.

Daniel

Re: The IP quantity limit of a NetworkFeed

PhoneBoy — Tue, 31 Mar 2026 22:54:20 GMT

You're right, maybe we can fix that contradiction. @Sergei_Shir

Sounds like you're exceeding the limit of 12,500 domains by a factor of 10, which might explain the behavior.
TAC might be able to suggest an adjustment you an make to support that many.

Re: The IP quantity limit of a NetworkFeed

C0rwin — Wed, 01 Apr 2026 06:32:20 GMT

TAC already suggested and we moved public feed to internal one - divided it to many network feeds up to 10k, but it didn't solve the issue. Every update of single network feed with 10k domains is also causing cpu spikes, failovers, cpu soft lockup etc.

TAC suggested RFE but it seems that we need to move from network feed to external ioc feed in TP policy to make it work without impact.

What's a pitty that network feed has such huge limitation.

Daniel.

Re: The IP quantity limit of a NetworkFeed

PhoneBoy — Wed, 01 Apr 2026 14:20:25 GMT

The limits are "total per gateway" not "per feed" which explains why splitting the feeds up didn't work.

Re: The IP quantity limit of a NetworkFeed

C0rwin — Wed, 01 Apr 2026 20:10:19 GMT

So it seems to be really poor mechanism for resolving dns in background written for network feed. I did similar test in demopoint and results are the same:

- network feed with about 150k domains = performance issues, rad errors in fwk.elg etc.

- external ioc feed with the same number of 150k domains working fine, even if by default there is 5 min refresh for feed

Daniel

Re: The IP quantity limit of a NetworkFeed

Ronit_Segal — Sun, 05 Apr 2026 06:55:06 GMT

Please clarify, what is the required correction in the admin guide?

Re: The IP quantity limit of a NetworkFeed

PhoneBoy — Mon, 06 Apr 2026 15:54:28 GMT

Under the "Use Cases" section, the second and third bullet points conflict with each other.
The second bullet point says "no limit" where the third bullet point clearly states there is (not in the object, but at the gateway level).
This is where the confusion lies.
I would remove the statement "There is no limitation on the number of domains per object" to make it more clear.