>
    Strata Copilot
    Activate the Advanced IP Defense License
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced IP Defense
    3. Activate the Advanced IP Defense License
    Download PDF
    Advanced IP Defense

    Activate the Advanced IP Defense License

    Table of Contents

    Activate the Advanced IP Defense License

    Activate your Advanced IP Defense license through the Customer Support Portal or a VM-Series deployment profile to enable IP-based threat protection on your enforcement points.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager)
    • NGFW (Managed by PAN-OS or Panorama)
    • VM-Series
    • Cloud NGFW for AWS
    • Cloud NGFW on Azure
    • Prisma Access
    • Advanced IP Defense license auth code or Software NGFW credits
    • Customer Support Portal access
    • PAN-OS 12.2 and later
    When you receive your Advanced IP Defense license, Palo Alto Networks sends you an auth code. You use this auth code to activate the license and associate it with your enforcement point serial numbers or tenant service group (TSG). After activation, the enforcement point retrieves the license and enables the Advanced IP Defense configuration options.
    The activation method depends on your licensing model:
    • Standard auth code — For hardware NGFWs, Prisma Access, and VM-Series with model-based licenses. You activate the auth code directly in the Customer Support Portal.
    • Software NGFW deployment profile — For VM-Series with flexible (Software NGFW Credits) licensing. You include Advanced IP Defense as a subscription when you create or update a deployment profile.
    (Enterprise License Agreement) If you have an Enterprise License Agreement (ELA) that includes Advanced IP Defense, contact your Palo Alto Networks sales representative for the ELA auth code and activation instructions. You activate ELA subscriptions through the ELA activation workflow in the CSP rather than the standard auth code flow.

    NGFW and Panorama

    Activate your Advanced IP Defense license using an auth code in the Customer Support Portal and retrieve it on your enforcement point.
    Use this procedure to activate an Advanced IP Defense license on hardware NGFWs, Prisma Access, or VM-Series firewalls with model-based licenses. You activate the auth code in the Customer Support Portal (CSP), then retrieve the license on the enforcement point.
    1. Log in to the Palo Alto Networks Customer Support Portal (CSP).
    2. Select AssetsActivate/Provision Subscriptions and Add-ons.
    3. Enter the auth code from your Advanced IP Defense order and choose Submit.
    4. Select the enforcement point serial number to associate with the Advanced IP Defense license and choose Activate.
      If you have multiple enforcement points, repeat this step for each serial number you want to license. If your license covers multiple enforcement points, you can assign each license to a different serial number or allocate multiple licenses to the same tenant service group (TSG).
    5. Retrieve the license on the enforcement point.
      For enforcement points managed by PAN-OS directly, select DeviceLicenses and choose Retrieve license keys from license server.
      For enforcement points managed by Strata Cloud Manager, Strata Cloud Manager retrieves the license automatically after you activate it in the CSP and the next synchronization cycle completes.
      For enforcement points managed by Panorama, push the license retrieval from PanoramaDevice DeploymentLicenses.
    6. Install the latest content update on the enforcement point.
      The content update delivers the Advanced IP Defense IP attribute category definitions and the default Advanced IP Defense security profile. Without the latest content, you cannot access the Advanced IP Defense configuration options or the default profile.
      For enforcement points managed by PAN-OS directly, select DeviceDynamic Updates and choose Check Now, then install the latest Applications and Threats update.
    7. Configure and deploy Advanced IP Defense on your enforcement points.
      After activating the license and installing the latest content update, you can create or assign an Advanced IP Defense security profile and attach it to one or more enforcement point zones.

    VM-Series (Software NGFW Credits)

    Include Advanced IP Defense as a subscription in a VM-Series Software NGFW deployment profile to activate the license on flexible VM-Series firewalls.
    If you license your VM-Series firewalls with Software NGFW Credits (flexible licensing), you activate Advanced IP Defense by including it as a subscription in a deployment profile. The deployment profile defines the vCPU count, security subscriptions, and management options for your VM-Series firewalls. When you create or update a deployment profile and select Advanced IP Defense, the system deducts the appropriate credits from your pool and generates an auth code that includes the Advanced IP Defense entitlement.
    1. Log in to the Palo Alto Networks Customer Support Portal (CSP).
    2. Select ProductsSoftware NGFW CreditsCreate Deployment Profile.
      If you want to add Advanced IP Defense to an existing deployment profile instead, select Manage Deployment Profiles, locate the profile, and choose Edit.
    3. Choose VM-Series as the firewall type and click Next.
    4. Choose Flexible vCPUs and select PAN-OS 12.2 or later as the version, then click Next.
      Advanced IP Defense requires PAN-OS 12.2 or later. If you select an earlier version, Advanced IP Defense does not appear in the subscription list.
    5. Configure the deployment profile settings.
      Enter the following:
      • Profile Name — A descriptive name for the profile.
      • Number of Firewalls — The number of VM-Series firewalls this profile deploys. Credits are deducted only when you deploy a firewall.
      • Planned vCPU/Firewall — The number of vCPUs per firewall.
    6. In Customize Subscriptions, select Advanced IP Defense.
      The subscription list shows all available security services. Select Advanced IP Defense to include it in this deployment profile. You can also select other subscriptions (such as Advanced Threat Prevention, Advanced URL Filtering, Advanced WildFire, or Advanced DNS Security) based on your security requirements.
    7. Calculate Estimated Cost to review the credit total.
      Verify that your credit pool has sufficient credits to cover the Advanced IP Defense subscription along with your other selected services.
    8. Create Deployment Profile.
      The CSP generates a deployment auth code (starts with "D") that includes your Advanced IP Defense entitlement. Note this auth code for use when you register your VM-Series firewalls.
    9. Register and deploy your VM-Series firewalls using the deployment profile auth code.
      When you bootstrap or register a VM-Series firewall with this auth code, the firewall automatically retrieves all subscriptions included in the deployment profile, including Advanced IP Defense. For the full registration and deployment workflow, see Activate the Deployment Profile.
    10. Install the latest content update on the VM-Series firewall.
      The content update delivers the Advanced IP Defense IP attribute category definitions and the default security profile. Select DeviceDynamic Updates and choose Check Now, then install the latest Applications and Threats update.

    © 2026 Palo Alto Networks, Inc. All rights reserved.