Enable Advanced IP Defense (PAN-OS 12.1.x and 11.2.x)

Configure Advanced IP Defense on PAN-OS 12.1.x and 11.2.x using predefined External Dynamic Lists (EDLs) to block malicious IP addresses.
Where Can I Use This?
  • PAN-OS 12.1.x
  • PAN-OS 11.2.x
  • Panorama
What Do I Need?
  • Advanced IP Defense license
  • Latest content package installed
  • Admin access to firewall or Panorama
For PAN-OS 12.1.x and 11.2.x, Advanced IP Defense is delivered as predefined External Dynamic Lists (EDLs) that arrive automatically with content updates. These EDLs contain a curated subset of the high-risk malicious IP addresses identified by the Advanced IP Defense cloud service, so you can block those threats without the profile-based Advanced IP Defense implementation introduced in PAN-OS 12.2. Because the lists are a subset, treat them as a baseline block rather than as full coverage.
  1. Log in to your firewall or Panorama.
    Use your admin credentials to access the web interface.
  2. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is present and has not expired.
  3. Update to the latest content package.
    Select Device > Dynamic Updates and check for the latest content release. The Advanced IP Defense EDLs are delivered through the content package.
  4. Verify that the Advanced IP Defense EDLs are available.
    Select Objects > External Dynamic Lists and look for predefined EDLs with names containing "Advanced IP Defense" or "AIPD". These EDLs are available in two sizes (16K and 100K) to accommodate different hardware platform capacity limits; pick the size your platform supports so the list does not exceed the device's EDL entry capacity.
  5. Create security policy rules that reference the Advanced IP Defense EDLs.
    Select Policies > Security and create or edit a security policy rule. In the rule configuration:
    • Set the source and destination zones and addresses for the direction you are protecting
    • Place the EDL on the side of the session that the malicious IP occupies: in the source address field for an inbound rule, in the destination address field for an outbound rule
    • Specify the action: Deny or Drop to block, or Allow if you first want to log matches without enforcing
    • Enable logging so that EDL hits appear in the traffic log
    • Position the rule above any broader rule that would match the same traffic, because the firewall applies the first matching rule from the top of the rulebase
  6. Configure the rule action.
    For inbound traffic, you can block connections from anonymizers and proxies. For outbound traffic, you can block connections to malware command-and-control (C2) servers and vulnerable services. Choose the action based on your security requirements.
  7. Enable logging for the rule.
    In the rule configuration, enable Log at Session End so that you can track when traffic matches the Advanced IP Defense EDL. Without logging, sessions blocked by the rule leave no record in the traffic log, and you cannot validate that the policy is working.
  8. Commit your changes.
    Click Commit to apply the security policy rules to your firewall. On Panorama, commit the change and then push it to the managed firewalls that should enforce it.
  9. Monitor EDL hits and traffic logs.
    Select Monitor > Logs > Traffic to view logs for traffic that matched the Advanced IP Defense EDL rules. The EDL name is displayed in the Source EDL or Destination EDL column of the log entry.
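As an added example (not Palo Alto Networks code) of the placement, action and logging checks from steps 5 through 7, the script below lints a security rulebase for rules that reference an Advanced IP Defense EDL: each such rule must block, must log at session end, and must not sit below a broader rule that would match the traffic first. The rulebase is constructed sample data, the EDL names `aipd-highrisk-16k` and `aipd-highrisk-100k` are assumed placeholders (use the real names shown under Objects > External Dynamic Lists), and the `Rule` fields mirror what you would pull from the firewall rather than any particular export format.

```python
"""Lint a PAN-OS security rulebase for correct use of Advanced IP Defense EDLs.

Added example, not Palo Alto Networks code.  Checks that every rule referencing
an AIPD EDL blocks, logs, and is not shadowed by a broader rule above it
(PAN-OS applies the first matching rule, top to bottom).
"""
from dataclasses import dataclass

# Assumed placeholder names: substitute the predefined EDL names shown under
# Objects > External Dynamic Lists on your firewall.
AIPD_EDLS = frozenset({"aipd-highrisk-16k", "aipd-highrisk-100k"})
# Security rule actions that stop the session.
BLOCK_ACTIONS = frozenset({"deny", "drop", "reset-client", "reset-server", "reset-both"})


@dataclass(frozen=True)
class Rule:
    """One security rule, reduced to the fields the checks need."""
    name: str
    from_zone: frozenset
    to_zone: frozenset
    source: frozenset        # address objects / EDL names, or {"any"}
    destination: frozenset
    action: str
    log_end: bool = True     # "Log at Session End"
    disabled: bool = False


def _covers(outer, inner):
    """True if match set `outer` matches everything `inner` does."""
    return "any" in outer or inner <= outer


def shadows(earlier, later):
    """True if `earlier` (above `later`) matches every session `later` could.

    Conservative on purpose: application, service and user are ignored, so a
    hit means 'review this', not 'definitely dead'.
    """
    return (_covers(earlier.from_zone, later.from_zone)
            and _covers(earlier.to_zone, later.to_zone)
            and _covers(earlier.source, later.source)
            and _covers(earlier.destination, later.destination))


def aipd_refs(rule):
    """EDL names from AIPD_EDLS that the rule references."""
    return (rule.source | rule.destination) & AIPD_EDLS


def lint(rules):
    """Return (rule name, problem) pairs for misused AIPD EDL rules, in rulebase order."""
    findings = []
    seen = False
    for i, rule in enumerate(rules):
        if rule.disabled or not aipd_refs(rule):
            continue
        seen = True
        if rule.action not in BLOCK_ACTIONS:
            findings.append((rule.name, f"action '{rule.action}' does not block"))
        if not rule.log_end:
            findings.append((rule.name, "Log at Session End is off, EDL hits will not be logged"))
        for earlier in rules[:i]:
            if not earlier.disabled and shadows(earlier, rule):
                findings.append((rule.name, f"shadowed by earlier rule '{earlier.name}'"))
    if not seen:
        findings.append(("rulebase", "no enabled rule references an Advanced IP Defense EDL"))
    return findings


def _r(name, from_zone, to_zone, source, destination, action, **kw):
    """Small constructor so the sample rulebase stays readable."""
    return Rule(name, frozenset(from_zone), frozenset(to_zone),
                frozenset(source), frozenset(destination), action, **kw)


# Constructed sample rulebase with two common mistakes: the outbound block rule
# sits below a catch-all allow, and the inbound rule neither blocks nor logs.
SAMPLE_RULEBASE = [
    _r("allow-outbound-web", ["trust"], ["untrust"], ["any"], ["any"], "allow"),
    _r("block-outbound-aipd", ["trust"], ["untrust"], ["any"], ["aipd-highrisk-100k"], "deny"),
    _r("block-inbound-aipd", ["untrust"], ["dmz"], ["aipd-highrisk-100k"], ["any"], "allow",
       log_end=False),
    _r("allow-inbound-web", ["untrust"], ["dmz"], ["any"], ["web-servers"], "allow"),
]

if __name__ == "__main__":
    for name, problem in lint(SAMPLE_RULEBASE):
        print(f"{name}: {problem}")
```

To run it against a real device, build `Rule` objects from the XML API or from `show running security-policy` output. The shadowing check is deliberately broad, since it ignores application, service and user matching, so review each hit rather than treating it as proof the rule can never match.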
After enabling Advanced IP Defense EDLs, monitor the logs regularly to track blocked threats and validate policy effectiveness. As your organization prepares to upgrade to PAN-OS 12.2 or later, you can migrate to the full Advanced IP Defense profile-based implementation for enhanced capabilities including direct-to-IP detection and granular attribute-based controls.