Advanced IP Defense Setup Prerequisites

Review the setup requirements and supported platforms for deploying Advanced IP Defense on your enforcement points.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • Cloud NGFW for AWS
  • Cloud NGFW on Azure
  • Prisma Access

What Do I Need?
  • Advanced IP Defense license
  • PAN-OS 12.2 and later
Before you deploy Advanced IP Defense, verify that your enforcement points meet the setup requirements and run on a supported platform. The setup requirements differ depending on whether your enforcement points are managed by Strata Cloud Manager or by PAN-OS and Panorama directly.
Advanced IP Defense operates independently of the Advanced DNS Security service. You don't need an Advanced DNS Security license or profile to use Advanced IP Defense.
Your enforcement points must be able to reach the Advanced IP Defense cloud service over HTTPS (port 443) for real-time IP attribute lookups and content delivery. Palo Alto Networks operates regional service domains across multiple geographies to minimize lookup latency. If your environment restricts outbound traffic, you must allowlist the Advanced IP Defense service domains before deployment.

Setup Requirements

Review the requirements for deploying Advanced IP Defense on enforcement points managed by Strata Cloud Manager or Panorama® management server.
Ensure that your environment meets all of the following requirements before you deploy Advanced IP Defense.
| Requirement | Managed by Strata Cloud Manager | Standalone and Managed by Panorama |
|---|---|---|
| PAN-OS version | PAN-OS 12.2 or later | PAN-OS 12.2 or later |
| Management version | Strata Cloud Manager running PAN-OS 12.2 or later | Panorama® management server running PAN-OS 12.2 or later |
| License | Advanced IP Defense license associated with your tenant service group (TSG) | Advanced IP Defense license associated with each enforcement point serial number |
| Content update | Latest content update | Latest content update |
| Internet connectivity | Outbound Internet access | Outbound Internet access |
| DNS visibility | Outbound DNS traffic inspected by the same enforcement point protecting sessions | Outbound DNS traffic inspected by the same enforcement point protecting sessions |
| Logging | Strata Cloud Manager Log Viewer | Panorama with Advanced IP Defense threat log subtype support; M-600 log collector |

Supported Platforms

Review the enforcement point platforms and logging platforms that support Advanced IP Defense.
All Palo Alto Networks next-generation enforcement points running PAN-OS 12.2 or later support Advanced IP Defense, including high availability (HA) configurations.
In HA deployments, the Advanced IP Defense local cache does not synchronize between HA peers. After a failover, the newly active enforcement point starts with a cold cache and queries the Advanced IP Defense cloud service for all IP attribute lookups until the cache is repopulated. During this period, cache-miss behavior (default: skip to next rule) applies to all sessions until the cloud returns verdicts.
Platforms
  • PA-440, PA-450, PA-460
  • PA-445, PA-455
  • PA-450R
  • PA-455-5G
  • PA-501, PA-505, PA-510, PA-520, PA-540, PA-550, PA-560
  • PA-545-POE, PA-555-POE
  • PA-1410, PA-1420
  • PA-3410, PA-3420, PA-3430, PA-3440
  • PA-5410, PA-5420, PA-5430, PA-5440, PA-5445
  • PA-5450
  • PA-5540, PA-5550, PA-5560, PA-5570, PA-5580
  • PA-7500
  • VM-50, VM-50 Lite, VM-100, VM-200, VM-300, VM-500, VM-700, VM-1000-HV
  • Cloud NGFW for AWS
  • Cloud NGFW on Azure
  • Prisma Access
The following table lists the logging platforms that support Advanced IP Defense threat logs through Panorama and log collectors.
| Logging Platform | Supported |
|---|---|
| Strata Logging Service | Yes |
| M-600 | Yes |
| WF-500 | Yes |

Regional Service Domains

Allow access to the Advanced IP Defense regional service domains to enable real-time IP attribute lookups and direct-to-IP detection from your enforcement points.
Advanced IP Defense uses a globally distributed cloud infrastructure to deliver real-time IP attribute lookups and direct-to-IP detection verdicts. When a firewall encounters a connection that requires a cloud lookup, it communicates with the nearest regional service domain over HTTPS (port 443) to retrieve IP attributes and cache them locally. The firewall automatically connects to the closest regional endpoint to minimize lookup latency.
To ensure uninterrupted Advanced IP Defense protection, you must allow outbound HTTPS access from your enforcement points to the Advanced IP Defense service domains listed below. If your environment uses a firewall, proxy, or other network security device that restricts outbound traffic, add these domains to your allowlist.

Global Service Domain

The global service domain uses anycast routing to direct traffic to the nearest available regional endpoint. This is the default endpoint used by all enforcement points.
| Type | Domain |
|---|---|
| Inspection (Global) | api.prod.aipd.service.paloaltonetworks.com (port 443) |
| Content Delivery (CDN) | static.prod.aipd.service.paloaltonetworks.com (port 443) |

Regional Service Domains

Regional service domains provide localized inspection endpoints. The firewall selects the appropriate regional endpoint based on its configured region or geographic proximity. All regional domains use port 443 (HTTPS).
| Location | Domain |
|---|---|
| Johannesburg, South Africa | api-za.prod.aipd.service.paloaltonetworks.com |
| Paris, France | api-fr.prod.aipd.service.paloaltonetworks.com |
| Ashburn, Northern Virginia, USA | api-us-va.prod.aipd.service.paloaltonetworks.com |
| Los Angeles, California, USA | api-us-ca.prod.aipd.service.paloaltonetworks.com |
| Frankfurt, Germany | api-de.prod.aipd.service.paloaltonetworks.com |
| Singapore | api-sg.prod.aipd.service.paloaltonetworks.com |
| Tokyo, Japan | api-jp.prod.aipd.service.paloaltonetworks.com |
| Sydney, Australia | api-au.prod.aipd.service.paloaltonetworks.com |
| London, England | api-uk.prod.aipd.service.paloaltonetworks.com |
| Eemshaven, Netherlands | api-nl.prod.aipd.service.paloaltonetworks.com |
| Council Bluffs, Iowa, USA | api-us-ia.prod.aipd.service.paloaltonetworks.com |
| The Dalles, Oregon, USA | api-us-or.prod.aipd.service.paloaltonetworks.com |
| Montreal, Canada | api-ca.prod.aipd.service.paloaltonetworks.com |
| Osasco, São Paulo, Brazil | api-br.prod.aipd.service.paloaltonetworks.com |
| Mumbai, India | api-in.prod.aipd.service.paloaltonetworks.com |
| Tel Aviv, Israel | api-il.prod.aipd.service.paloaltonetworks.com |
| Seoul, South Korea | api-kr.prod.aipd.service.paloaltonetworks.com |
| Qatar | api-qa.prod.aipd.service.paloaltonetworks.com |
| Hong Kong | api-hk.prod.aipd.service.paloaltonetworks.com |
| China | api-cn.prod.aipd.service.paloaltonetworks.com (recommended); api-hk.prod.aipd.service.paloaltonetworks.com (fallback) |

The Advanced IP Defense regional service domain in China has two FQDN options:
  • api-cn.prod.aipd.service.paloaltonetworks.com
  • api-hk.prod.aipd.service.paloaltonetworks.com
Palo Alto Networks recommends using the api-cn.prod.aipd.service.paloaltonetworks.com FQDN. If you experience connectivity or access issues, use the Hong Kong endpoint as a fallback.

FedRAMP Service Domains

For deployments operating in FedRAMP environments (Moderate/IL2, High/IL4, or DoD/IL5), use the following service domains instead of the commercial endpoints.
| Impact Level | Domain |
|---|---|
| IL2 (FedRAMP Moderate) | api.il2.aipd.service.paloaltonetworks.com (port 443) |
| IL4 (FedRAMP High) | api.il4.aipd.service.paloaltonetworks.com (port 443) |
| IL5 (DoD) | api.il5.aipd.service.paloaltonetworks.com (port 443) |
Regional FedRAMP endpoints follow the pattern api-<region>.il2.aipd.service.paloaltonetworks.com for IL2 environments. Replace il2 with il4 or il5 for higher impact levels.
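The following script is an added example, not Palo Alto Networks code, that turns the service-domain tables above into an egress allowlist and reports which required FQDNs an existing proxy or URL-filtering allowlist does not yet cover. The commercial hostnames are taken from the tables on this page; the FedRAMP regional hostnames are built from the documented api-<region>.<il>.aipd.service.paloaltonetworks.com pattern, and which region codes exist for FedRAMP is not stated here, so the caller supplies them (the us-va code used below is an assumption). The sample proxy allowlist is constructed for the demonstration.

```python
"""Build the outbound allowlist for Advanced IP Defense service domains and
diff it against an existing egress allowlist.

Added example, not Palo Alto Networks code. Commercial FQDNs are copied from
the documentation; FedRAMP regional FQDNs follow the documented pattern with
caller-supplied region codes (an assumption).
"""
from __future__ import annotations

SERVICE_PORT = 443
COMMERCIAL_SUFFIX = "prod.aipd.service.paloaltonetworks.com"

# Global (anycast) inspection endpoint and the content-delivery endpoint.
COMMERCIAL_GLOBAL = {
    f"api.{COMMERCIAL_SUFFIX}",
    f"static.{COMMERCIAL_SUFFIX}",
}

# Region code -> location, as listed on the page (api-cn is preferred for
# China; api-hk is the documented fallback).
COMMERCIAL_REGIONS = {
    "za": "Johannesburg", "fr": "Paris", "us-va": "Ashburn",
    "us-ca": "Los Angeles", "de": "Frankfurt", "sg": "Singapore",
    "jp": "Tokyo", "au": "Sydney", "uk": "London", "nl": "Eemshaven",
    "us-ia": "Council Bluffs", "us-or": "The Dalles", "ca": "Montreal",
    "br": "Osasco", "in": "Mumbai", "il": "Tel Aviv", "kr": "Seoul",
    "qa": "Qatar", "hk": "Hong Kong", "cn": "China",
}

FEDRAMP_LEVELS = {"il2", "il4", "il5"}


def commercial_domains() -> set[str]:
    """All commercial FQDNs: global, CDN and every regional inspection endpoint."""
    regional = {f"api-{code}.{COMMERCIAL_SUFFIX}" for code in COMMERCIAL_REGIONS}
    return COMMERCIAL_GLOBAL | regional


def fedramp_domains(level: str, regions: tuple[str, ...] = ()) -> set[str]:
    """FedRAMP FQDNs for one impact level.

    api.<il>.aipd.service.paloaltonetworks.com is documented; regional names
    are derived from the documented pattern using the region codes passed in.
    """
    level = level.lower()
    if level not in FEDRAMP_LEVELS:
        raise ValueError(f"unknown impact level {level!r}; expected one of {sorted(FEDRAMP_LEVELS)}")
    suffix = f"{level}.aipd.service.paloaltonetworks.com"
    return {f"api.{suffix}"} | {f"api-{r}.{suffix}" for r in regions}


def missing_from_allowlist(required: set[str], allowlist: list[str]) -> set[str]:
    """Return the required FQDNs that an egress allowlist does not cover.

    Entries may be exact hostnames or '*.suffix' patterns, the usual syntax on
    proxies and URL-filtering lists. Unlike a TLS certificate wildcard, an
    allowlist wildcard is treated as covering any depth of sub-label.
    """
    def covered(host: str) -> bool:
        for entry in (e.strip().lower() for e in allowlist):
            if entry.startswith("*."):
                if host == entry[2:] or host.endswith(entry[1:]):
                    return True
            elif host == entry:
                return True
        return False

    return {h for h in required if not covered(h.lower())}


# Constructed sample: an egress proxy allowlist written before Advanced IP
# Defense was deployed. It already permits the global inspection endpoint and
# the whole IL2 name space, nothing else.
SAMPLE_PROXY_ALLOWLIST = [
    "sso.example.com",                                    # unrelated existing entry
    "api.prod.aipd.service.paloaltonetworks.com",
    "*.il2.aipd.service.paloaltonetworks.com",
]

if __name__ == "__main__":
    gaps = missing_from_allowlist(commercial_domains(), SAMPLE_PROXY_ALLOWLIST)
    for host in sorted(gaps):
        print(f"allow tcp/{SERVICE_PORT} -> {host}")
```

Run it against an export of your proxy or URL-filtering allowlist to get the list of rules still to add; for a FedRAMP tenant, pass fedramp_domains("il4", (...)) with the region codes you were given instead of commercial_domains().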

Server Certificates

All Advanced IP Defense service domains use TLS certificates issued under the following wildcard names. If your environment performs TLS inspection on outbound traffic, ensure these certificate names are trusted.
  • Commercial: *.prod.aipd.service.paloaltonetworks.com
  • FedRAMP IL2: *.il2.aipd.service.paloaltonetworks.com
  • FedRAMP IL4: *.il4.aipd.service.paloaltonetworks.com
  • FedRAMP IL5: *.il5.aipd.service.paloaltonetworks.com
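The script below is an added example, not Palo Alto Networks code, for checking that a certificate presented by an Advanced IP Defense endpoint carries the wildcard name documented above for that endpoint's environment. It applies the standard TLS rule that a wildcard covers exactly one leftmost DNS label, which is the rule a decryption policy or trust exclusion should be written to expect. The four wildcard names are the ones listed on this page; the SAN lists fed to the checker are constructed samples, and fetch_san_names is a live check that needs network access and is not run in the offline demonstration.

```python
"""Verify that the certificate name presented for an Advanced IP Defense
endpoint matches the documented wildcard for its environment.

Added example, not Palo Alto Networks code. Wildcard names are from the
documentation; sample SAN lists are constructed.
"""
import socket
import ssl

# Wildcard names the service certificates are issued under, per the page.
EXPECTED_WILDCARDS = {
    "commercial": "*.prod.aipd.service.paloaltonetworks.com",
    "il2": "*.il2.aipd.service.paloaltonetworks.com",
    "il4": "*.il4.aipd.service.paloaltonetworks.com",
    "il5": "*.il5.aipd.service.paloaltonetworks.com",
}


def wildcard_matches(pattern: str, host: str) -> bool:
    """Single-label wildcard match as TLS clients apply it (RFC 6125 style).

    'api-us-va.prod....' matches '*.prod....'; 'x.api.prod....' does not,
    because '*' may stand in for one label only.
    """
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # ".prod.aipd.service...."
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def environment_for(host: str) -> str:
    """Map a service FQDN to its environment key, or raise if it is not one."""
    for env, pattern in EXPECTED_WILDCARDS.items():
        if wildcard_matches(pattern, host):
            return env
    raise ValueError(f"{host} is not an Advanced IP Defense service domain")


def cert_name_ok(host: str, san_dns_names: list[str]) -> bool:
    """True when the SAN list both matches the host (the check a TLS client
    performs) and contains the wildcard name documented for the host's
    environment. A certificate valid for the host but lacking the documented
    wildcard is flagged so an operator can look at who issued it."""
    expected = EXPECTED_WILDCARDS[environment_for(host)]
    names = [n.lower() for n in san_dns_names]
    client_ok = any(wildcard_matches(n, host) for n in names)
    return client_ok and expected in names


def fetch_san_names(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Live check (needs network): return the DNS SANs of the certificate the
    endpoint presents, validated against the system trust store. If outbound
    TLS is intercepted, the certificate seen here is the interception
    device's, which is the case the documentation asks you to account for."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


# Constructed sample SAN lists, not real certificate data.
SAMPLE_EXPECTED_SAN = ["*.prod.aipd.service.paloaltonetworks.com"]
SAMPLE_EXACT_ONLY_SAN = ["api-de.prod.aipd.service.paloaltonetworks.com"]

if __name__ == "__main__":
    target = "api-de.prod.aipd.service.paloaltonetworks.com"
    for san in (SAMPLE_EXPECTED_SAN, SAMPLE_EXACT_ONLY_SAN):
        print(san, "->", cert_name_ok(target, san))
```

To check a real endpoint from a host with outbound access, call cert_name_ok(host, fetch_san_names(host)); a False result on a certificate that still validates against your trust store usually means an inspection device re-signed the session, so that device, not the service domain, is what needs the trust or exclusion entry.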