We are building socket filter lists to allow PAM users access to a limited number of remote hosts after logging on to a target device with a Socket Filter Agent (SFA) installed. The remote hosts are not grouped by IP and we may have to add many specific entries in the hosts list for some socket filter lists. Is there a limit on how many host entries can be added, and if so, what is the limit?
There is no limit when defining or importing socket filter lists, and there is no limit for Windows SFAs. However, UNIX/Linux SFAs have a limit of 4096 entries and will drop and not enforce any list exceeding this limit. The limit should be more than sufficient. If access to a very large number of hosts is to be allowed, it should be possible to define netmasks to allow access to ranges of IPs and keep the length of the list much shorter than the number of devices to which access is allowed. This information is accurate as of CA PAM 2.8 and may change in future releases.
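A pre-import check for the advice above, as an added example that is not CA PAM code: it merges individually listed hosts into the fewest networks that cover exactly the same addresses, then compares the result with the 4096-entry UNIX/Linux SFA limit. The function names and the CIDR output notation are assumptions for illustration; the page does not show the socket filter list entry format, so convert the output to whatever netmask syntax your list uses.

```python
import ipaddress

# Limit stated above for UNIX/Linux SFAs (as of CA PAM 2.8).
UNIX_SFA_MAX_ENTRIES = 4096

def collapse_hosts(hosts):
    """Merge host IPs/CIDRs into the fewest networks covering exactly the
    same addresses, so the shorter list allows no host the original did not."""
    v4, v6 = [], []
    for raw in hosts:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        # strict=True raises ValueError for entries such as 10.0.0.5/24
        # (host bits set) instead of silently widening them to the whole /24.
        net = ipaddress.ip_network(entry, strict=True)
        (v4 if net.version == 4 else v6).append(net)
    # collapse_addresses() cannot mix IPv4 and IPv6, so handle each family.
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))

def check_list(hosts, limit=UNIX_SFA_MAX_ENTRIES):
    """Report whether the collapsed list stays within the UNIX/Linux SFA limit."""
    collapsed = collapse_hosts(hosts)
    return {
        "collapsed_entries": len(collapsed),
        "addresses_allowed": sum(n.num_addresses for n in collapsed),
        "fits_unix_sfa": len(collapsed) <= limit,
        "entries": [str(n) for n in collapsed],
    }

# Constructed sample: 5120 individually listed hosts plus two scattered ones.
SAMPLE_HOSTS = [f"10.20.{b}.{c}" for b in range(20) for c in range(256)]
SAMPLE_HOSTS += ["192.0.2.7", "192.0.2.9"]

if __name__ == "__main__":
    report = check_list(SAMPLE_HOSTS)
    print(len(SAMPLE_HOSTS), "host entries ->", report["collapsed_entries"], "entries")
    for entry in report["entries"]:
        print(" ", entry)
    print("within UNIX/Linux SFA limit:", report["fits_unix_sfa"])
```

Because the merge is exact, hosts that are not contiguous stay as separate entries; a list that still exceeds the limit after collapsing would not be enforced by a UNIX/Linux SFA and needs to be split or redesigned before deployment.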