Create Advanced IP Defense Exceptions and Allowlists in PAN-OS and Panorama

Create exceptions and allowlists within an Advanced IP Defense profile in PAN-OS and Panorama to exclude legitimate traffic from Advanced IP Defense policy rules.
Exceptions and allowlists in an Advanced IP Defense profile enable you to exclude specific traffic from Advanced IP Defense policy rules. You can create exceptions based on IP addresses, ports, IP-port pairs, or External Dynamic Lists (EDLs) to provide granular control over which traffic is exempted from Advanced IP Defense enforcement.
  1. Access the Advanced IP Defense profile in PAN-OS or Panorama.
    Select Objects > Security Services > Advanced IP Defense to access the Advanced IP Defense profiles.
  2. Select the Advanced IP Defense profile where you want to create exceptions.
    Click on the profile name to open the profile configuration.
  3. Navigate to the exceptions section.
    Select Exceptions to view existing exceptions and create new ones.
  4. Click Add to create a new exception.
    A new exception entry is created with default settings.
  5. Configure IP-based exceptions.
    Enter the IP address or IP address range that you want to exclude from Advanced IP Defense policy rules. You can specify:
    • Single IP address (for example, 192.0.2.1)
    • IP address range (for example, 192.0.2.0/24)
    • Multiple IP addresses separated by commas
  6. (Optional) Configure port-based exceptions.
    Enter the port number or port range that you want to exclude from Advanced IP Defense policy rules. You can specify:
    • Single port (for example, 443)
    • Port range (for example, 8000-8100)
    • Multiple ports separated by commas
  7. (Optional) Configure IP-port pair exceptions.
    Combine IP addresses and ports to create more granular exceptions. For example, you can exclude traffic to a specific IP address on a specific port (for example, 192.0.2.1:443).
  8. (Optional) Configure EDL-based exceptions.
    Select an External Dynamic List (EDL) to use as an exception. This allows you to exclude traffic to IPs contained in the EDL from Advanced IP Defense policy rules. EDL-based exceptions are useful for maintaining dynamic allowlists that are updated automatically.
  9. Set the exception priority.
    If you have multiple exceptions, set the priority order to determine which exception is evaluated first. Higher priority exceptions are evaluated before lower priority exceptions.
  10. Test the exception configuration.
    Verify that the exception is working correctly by testing traffic that should be excluded. Monitor the Advanced IP Defense logs to confirm that traffic matching the exception is not being blocked by policy rules.
  11. Save the exception.
    Click Save to save the exception configuration.
  12. Commit your changes.
    Click Commit to apply the exception to your firewall.
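As an added example that is not PAN-OS code or Palo Alto Networks' own matching engine, the following Python models the exception forms accepted in steps 5 through 9 (single IPs, CIDR ranges, comma-separated lists, ports, port ranges and IP:port pairs) and evaluates a flow against them in priority order, so the expected effect of a configuration can be reasoned about before the live test in step 10. It assumes IPv4 entries, that a lower priority number means "evaluated first", and first-match-wins semantics; the overly_broad check is an added review heuristic, not a product feature.

```python
import ipaddress

def parse_ips(spec):
    """'192.0.2.1', '192.0.2.0/24' or a comma list -> networks; empty = any IP."""
    return [ipaddress.ip_network(s.strip(), strict=False) for s in spec.split(",") if s.strip()]

def parse_ports(spec):
    """'443', '8000-8100' or a comma list -> [(lo, hi)]; empty = any port."""
    ranges = []
    for s in (p.strip() for p in spec.split(",") if p.strip()):
        lo, _, hi = s.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {s}")
        ranges.append((lo, hi))
    return ranges

class ExceptionEntry:
    """Exception entry: optional IP/port constraints, priority (assumed: lower = first). IPv4."""
    def __init__(self, priority, ips="", ports="", pair=None):
        if pair:                                  # step 7 form, e.g. "192.0.2.1:443"
            ips, ports = pair.rsplit(":", 1)
        self.priority = priority
        self.ips, self.ports = parse_ips(ips), parse_ports(ports)

    def matches(self, ip, port):
        addr = ipaddress.ip_address(ip)
        ip_ok = not self.ips or any(addr in n for n in self.ips)
        port_ok = not self.ports or any(lo <= port <= hi for lo, hi in self.ports)
        return ip_ok and port_ok

def exempting_entry(entries, ip, port):
    """First match in priority order (assumed first-match-wins); None = still enforced."""
    for e in sorted(entries, key=lambda e: e.priority):
        if e.matches(ip, port):
            return e
    return None

def overly_broad(entry):
    """Added review heuristic: no IP constraint (or 0.0.0.0/0) exempts every host."""
    return not entry.ips or any(n.prefixlen == 0 for n in entry.ips)

# Constructed sample (not from the page): one host exempted on 443 only, a
# management subnet exempted on every port, and a port-only entry.
SAMPLE = [
    ExceptionEntry(priority=10, pair="192.0.2.1:443"),
    ExceptionEntry(priority=20, ips="198.51.100.0/24"),
    ExceptionEntry(priority=30, ports="8000-8100"),
]
```

Calling exempting_entry(SAMPLE, "192.0.2.1", 80) returns None, showing that the host stays enforced on ports other than 443, while overly_broad flags the port-only entry as one to question in a change review.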