Verify Advanced IP Defense Cloud Connectivity
Monitor the health of communication between your enforcement point and the Advanced IP Defense cloud service to ensure reliable threat detection.
| Where Can I Use This? | What Do I Need? |
| PAN-OS 12.2 and later; Strata Cloud Manager | Advanced IP Defense license; Admin access to enforcement point or Strata Cloud Manager |
Advanced IP Defense depends on continuous communication with the Advanced IP Defense cloud service for
real-time IP attribute lookups, direct-to-IP detection, and allowlist updates. If this
communication degrades, the enforcement point falls back to locally cached data or fails
open, reducing detection coverage.
Cloud Message Types
The enforcement point exchanges two types of messages with the Advanced IP Defense cloud service during normal operation:
- DNS response copies—IP-TTL pairs from A and AAAA records forwarded to the
cloud to build a per-tenant DNS state table. The cloud uses this table to answer
DNS-seen queries during lookup requests.
- Advanced IP Defense lookup requests—Queries for IP attributes and
DNS-seen status when the enforcement point encounters a cache miss.
A healthy deployment shows a steady flow of both message types. A drop in lookup
volume may indicate a connectivity issue, while a spike may indicate that cached
attributes are expiring faster than expected.
Allowlist Updates
The enforcement point periodically pulls two per-tenant allowlist files from a cloud
storage bucket: one for the Advanced IP Defense allowlist and one for the direct-to-IP allowlist. If the
enforcement point can't reach the storage endpoint, it continues to use the most
recently cached version of the allowlists, but entries may become stale over time.
You can verify allowlist freshness by checking the timestamp of the last successful
pull.
Service Status
You can check the overall operational status of the Advanced IP Defense cloud service on the Palo Alto Networks Service Status Page. The service status can display as Operational, Degraded Performance, or Service Unavailable.
| Health Indicator | What It Tells You | Where to Check |
| Cloud lookup volume | Whether the enforcement point is actively querying the cloud for IP attributes. A sudden drop indicates a connectivity issue or a misconfiguration. | Advanced IP Defense dashboard (AIPD Cloud Traffic widget) in Strata Cloud Manager |
| Cloud lookup timeout rate | The percentage of cloud lookups that exceed the configured timeout. A high timeout rate means more traffic fails open without attribute checks. | Threat logs filtered for Advanced IP Defense entries with no attribute match |
| Allowlist last update timestamp | Whether the enforcement point is successfully pulling fresh allowlist files from the cloud. A stale timestamp indicates a connectivity issue to the storage endpoint. | Enforcement point system logs or cloud service status in PAN-OS |
| DNS state table size | Whether the enforcement point DNS cache is approaching maximum capacity. When the cache is full, the enforcement point fails open on direct-to-IP detection. | Enforcement point system resources in PAN-OS |
| Cloud service status | Whether the Advanced IP Defense cloud service is operational, experiencing degraded performance, or unavailable. | Palo Alto Networks Service Status Page |
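
One way to turn the indicators in the table above into automated checks, added here as an example; it is not Palo Alto Networks code and does not call any PAN-OS or Strata Cloud Manager API. The snapshot field names, the thresholds, and the sample values are all assumptions, because the page defines no export format or numeric limits.

```python
from datetime import datetime, timedelta, timezone
from statistics import median

# All thresholds and field names below are assumptions for illustration.
DROP_RATIO = 0.5                         # current volume below 50% of baseline
SPIKE_RATIO = 2.0                        # current volume above 200% of baseline
MAX_TIMEOUT_RATE = 0.05                  # share of lookups that timed out
MAX_ALLOWLIST_AGE = timedelta(hours=24)  # age of the last successful pull
MAX_DNS_FILL = 0.9                       # DNS state table entries / capacity

def evaluate(snap, now):
    """Return findings for one enforcement point snapshot, in table order."""
    findings = []
    *history, current = snap["lookups_per_interval"]
    baseline = median(history)
    if baseline and current / baseline < DROP_RATIO:
        findings.append("lookup-volume-drop")       # possible connectivity issue
    elif baseline and current / baseline > SPIKE_RATIO:
        findings.append("lookup-volume-spike")      # cached attributes expiring early
    if current and snap["lookup_timeouts"] / current > MAX_TIMEOUT_RATE:
        findings.append("high-timeout-rate")        # more traffic failing open
    for name, pulled in snap["allowlist_last_pull"].items():
        if now - pulled > MAX_ALLOWLIST_AGE:
            findings.append(f"stale-allowlist:{name}")
    if snap["dns_entries"] / snap["dns_capacity"] >= MAX_DNS_FILL:
        findings.append("dns-table-near-capacity")  # direct-to-IP may fail open
    if snap["service_status"] != "Operational":
        findings.append("cloud-service:" + snap["service_status"])
    return findings

# Constructed sample snapshot, not real device output.
NOW = datetime(2025, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE = {
    "lookups_per_interval": [1000, 980, 1020, 990, 400],  # last value is current
    "lookup_timeouts": 60,                                 # in the current interval
    "allowlist_last_pull": {
        "aipd": NOW - timedelta(hours=2),
        "direct-to-ip": NOW - timedelta(hours=30),
    },
    "dns_entries": 9500,
    "dns_capacity": 10000,
    "service_status": "Degraded Performance",
}

if __name__ == "__main__":
    for finding in evaluate(SAMPLE, NOW):
        print(finding)
```

Checking the volume against a median of earlier intervals, not a fixed number, keeps the drop and spike checks meaningful on both busy and quiet enforcement points.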