Create Advanced IP Defense Policy Rules
Create policy rules in an Advanced IP Defense profile to enforce security actions based on IP attributes and direct-to-IP detection.
Where Can I Use This?
  • PAN-OS 12.2 and later
  • Strata Cloud Manager
What Do I Need?
  • Advanced IP Defense license
  • Admin access to firewall or Strata Cloud Manager
  • Advanced IP Defense profile created
Advanced IP Defense policy rules define how the firewall evaluates and acts on traffic based on real-time IP intelligence. Each rule lives inside an Advanced IP Defense profile that you attach to a security zone. When the firewall processes a connection, it queries the Advanced IP Defense cloud service for the destination (or source) IP's attributes and evaluates each rule in order until a match occurs. This model lets you build a layered, zero-trust approach to IP-based traffic rather than relying on static block lists.
Rules match traffic against IP attributes organized into seven categories: Anonymizers & Proxies, Netblock Owner, Abuse, Malware & C2, High Risk, Direct-to-IP (No DNS), and Vulnerable Services. Some categories support selecting the entire category as a match condition, while others require you to select at least one specific attribute. For example, you can match all Anonymizers & Proxies traffic as a group or target only Tor Exit Node and Open Proxy individually. Netblock Owner requires you to select specific attributes such as AWS Cloud or Residential ISP because the category is too broad to block as a whole. Direct-to-IP has no individual attributes and can only be selected as a category.
Each rule specifies an IP match field (source IP or destination IP), one or more match criteria combined with logical operators (AND, OR, NOT), an action (Block, Allow, or Alert), and a log severity level. The log severity level determines how the resulting threat log entry is classified in your logging infrastructure and SIEM. Higher severity levels trigger more prominent alerts in log viewers and can be used to drive automated responses through log forwarding profiles and external integrations. Choose a severity level that reflects the confidence and risk associated with the match criteria.
  • Critical—Reserved for rules that match the highest-confidence, most dangerous threat indicators where immediate action is required. Use for confirmed active command-and-control infrastructure, known botnet controllers, or IP addresses associated with ongoing targeted attacks. Critical log entries typically trigger immediate SOC escalation and automated containment workflows.
  • High—Appropriate for rules that match high-confidence threat categories with a strong likelihood of malicious intent. Use for Malware C2 infrastructure, known exploit servers, and IPs associated with active data exfiltration. High severity entries warrant priority investigation and may trigger automated blocking at upstream network devices.
  • Medium—Suitable for rules that match indicators with moderate confidence or categories that may include both malicious and legitimate traffic. Use for anonymizer and proxy services, high-risk IP ranges, or direct-to-IP connections that could indicate either evasion techniques or legitimate application behavior. Medium severity entries are reviewed during routine threat hunting and triage.
  • Low—Used for rules that provide situational awareness without indicating a confirmed threat. Use for broad netblock owner monitoring, traffic to hosting providers, or connections to IP ranges associated with vulnerable services. Low severity entries support trend analysis and long-term threat intelligence without generating alert fatigue.
  • Informational—Used for visibility-only rules where the match criteria is unlikely to represent a threat but the traffic pattern is worth recording. Use for monitoring baseline traffic to cloud infrastructure, CDN providers, or residential ISP ranges. Informational entries support capacity planning, policy tuning, and false positive analysis without triggering any alert or response workflow.
You can combine attributes across categories to create precise conditions. For example, a rule that matches Malware C2 AND Direct-to-IP blocks malware that connects to hardcoded command-and-control IPs without DNS resolution, while a rule that matches Public Cloud AND NOT AWS Cloud alerts on traffic to non-AWS cloud infrastructure. The NOT operator is particularly useful for carving out exceptions to broad category-level rules without needing a separate allowlist entry.
Advanced IP Defense ships with a default profile that provides baseline protection. The default profile contains predefined rules that block high-confidence threat categories such as Malware & C2 and Abuse, alert on medium-confidence categories such as Anonymizers & Proxies, and allow Netblock Owner traffic. You can use the default profile as-is for immediate protection or clone it as a starting point for custom profiles tailored to your environment. All categories and attributes in the default profile, including their IDs and metadata, are delivered through content package updates so that new attributes become available without requiring a PAN-OS upgrade.
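The evaluation model described above (ordered rules, first match wins, AND/OR/NOT over attributes and whole categories, the two example combinations, and the default profile's block/alert/allow split) as an added Python model; this is not Palo Alto Networks code, the attribute-to-category table is constructed sample data, and placing "Public Cloud" under Netblock Owner is an assumption.

```python
"""Added example: a small model of how an Advanced IP Defense profile
evaluates rules. Not Palo Alto Networks code; attributes are constructed."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Constructed sample: attribute -> category, mirroring the page's categories.
# "Public Cloud" under Netblock Owner is an assumption for the example.
CATEGORY_OF = {
    "Tor Exit Node": "Anonymizers & Proxies",
    "Open Proxy": "Anonymizers & Proxies",
    "AWS Cloud": "Netblock Owner",
    "Residential ISP": "Netblock Owner",
    "Public Cloud": "Netblock Owner",
    "Malware C2": "Malware & C2",
    "Abuse": "Abuse",
    "Direct-to-IP": "Direct-to-IP (No DNS)",
}

Cond = Callable[[Set[str]], bool]

def has(name: str) -> Cond:
    """Match a single attribute, or any attribute in the named category."""
    return lambda attrs: name in attrs or any(CATEGORY_OF.get(a) == name for a in attrs)

def AND(*cs: Cond) -> Cond: return lambda a: all(c(a) for c in cs)
def OR(*cs: Cond) -> Cond: return lambda a: any(c(a) for c in cs)
def NOT(c: Cond) -> Cond: return lambda a: not c(a)

@dataclass
class Rule:
    name: str
    field: str      # "source" or "destination": which IP's attributes to test
    cond: Cond
    action: str     # Block / Allow / Alert
    severity: str   # Critical / High / Medium / Low / Informational

# Specific combinations from the text first, broad category rules after them,
# since evaluation stops at the first match.
PROFILE: List[Rule] = [
    Rule("c2-direct", "destination", AND(has("Malware C2"), has("Direct-to-IP")), "Block", "Critical"),
    Rule("malware-c2", "destination", has("Malware & C2"), "Block", "High"),
    Rule("abuse", "destination", has("Abuse"), "Block", "High"),
    Rule("non-aws-cloud", "destination", AND(has("Public Cloud"), NOT(has("AWS Cloud"))), "Alert", "Medium"),
    Rule("anonymizers", "destination", has("Anonymizers & Proxies"), "Alert", "Medium"),
    Rule("netblock", "destination", has("Netblock Owner"), "Allow", "Informational"),
]

def evaluate(rules: List[Rule], src: Set[str], dst: Set[str]) -> Optional[Tuple[str, str, str]]:
    """First-match evaluation; returns (rule name, action, severity) or None."""
    for r in rules:
        if r.cond(src if r.field == "source" else dst):
            return (r.name, r.action, r.severity)
    return None
```

Reordering the list so that "malware-c2" precedes "c2-direct" would make the Critical rule unreachable, which is the ordering pitfall the first-match model implies.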

Create Advanced IP Defense Policy Rules in Strata Cloud Manager

Create policy rules within an Advanced IP Defense profile in Strata Cloud Manager to enforce security policies based on IP attributes and direct-to-IP detection.
Policy rules within an Advanced IP Defense profile define how the cloud-managed infrastructure enforces security policies based on IP attributes and direct-to-IP detection. Each policy rule specifies match criteria using real-time IP attributes, logical operators to combine conditions, and actions to take when traffic matches the rule.
  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  2. Access the Advanced IP Defense profile in Strata Cloud Manager.
    Select Configuration > Security Services > Advanced IP Defense to access the Advanced IP Defense profiles.
  3. Select the Advanced IP Defense profile where you want to create the policy rule.
    Click on the profile name to open the profile configuration.
  4. Navigate to the policy rules section.
    Select Policy Rules to view existing policy rules and create new ones.
  5. Click Add to create a new policy rule.
    A new policy rule entry is created with default settings.
  6. Configure the match criteria for the policy rule.
    Specify the IP attributes that the rule should match.
    Use logical operators (AND, OR) to combine multiple match criteria. For example, you can create a rule that matches traffic from IPs classified as both "Malware C2" AND "Direct-to-IP Detection".
  7. Define the action for the policy rule.
    Choose the action to take when traffic matches the rule:
    • Block—Deny the traffic
    • Allow—Permit the traffic
    • Alert—Log the traffic without blocking
  8. Configure log severity for the policy rule.
    Select the log severity level to control how the rule match appears in your threat logs and SIEM:
    • Critical—Highest-confidence, most dangerous threat indicators where immediate action is required. Use for confirmed active command-and-control infrastructure, known botnet controllers, or IP addresses associated with ongoing targeted attacks.
    • High—High-confidence threat categories with a strong likelihood of malicious intent. Use for Malware C2 infrastructure, known exploit servers, and IPs associated with active data exfiltration.
    • Medium—Moderate confidence indicators that may include both malicious and legitimate traffic. Use for anonymizer and proxy services, high-risk IP ranges, or direct-to-IP connections that could indicate evasion techniques.
    • Low—Situational awareness without a confirmed threat. Use for broad netblock owner monitoring, traffic to hosting providers, or connections to IP ranges associated with vulnerable services.
    • Informational—Visibility-only rules where the match criteria is unlikely to represent a threat but the traffic pattern is worth recording. Use for monitoring baseline traffic to cloud infrastructure, CDN providers, or residential ISP ranges.
  9. Save the policy rule.
    Click Save to save the policy rule configuration.
  10. Commit your changes.
    Click Commit to apply the policy rule to your Strata Cloud Manager configuration.

Create Advanced IP Defense Policy Rules in PAN-OS and Panorama

Create policy rules within an Advanced IP Defense profile in PAN-OS and Panorama to enforce security policies based on IP attributes and direct-to-IP detection.
Policy rules within an Advanced IP Defense profile define how the firewall enforces security policies based on IP attributes and direct-to-IP detection. Each policy rule specifies match criteria using real-time IP attributes, logical operators to combine conditions, and actions to take when traffic matches the rule.
  1. Access the Advanced IP Defense profile in PAN-OS or Panorama.
    Select Objects > Security Services > Advanced IP Defense to access the Advanced IP Defense profiles.
  2. Select the Advanced IP Defense profile where you want to create the policy rule.
    Click on the profile name to open the profile configuration.
  3. Navigate to the policy rules section.
    Select Policy Rules to view existing policy rules and create new ones.
  4. Click Add to create a new policy rule.
    A new policy rule entry is created with default settings.
  5. Configure the match criteria for the policy rule.
    Specify the IP attributes that the rule should match. You can select from over 40 real-time IP attributes such as:
    • Anonymizer
    • Botnet
    • High-Risk
    • Malware C2
    • Cloud Provider
    • Direct-to-IP Detection
    Use logical operators (AND, OR) to combine multiple match criteria. For example, you can create a rule that matches traffic from IPs classified as both "Malware C2" AND "Direct-to-IP Detection".
  6. Define the action for the policy rule.
    Choose the action to take when traffic matches the rule:
    • Block—Deny the traffic
    • Allow—Permit the traffic
    • Alert—Log the traffic without blocking
  7. Configure log severity for the policy rule.
    Select the log severity level to control how the rule match appears in your threat logs and SIEM:
    • Critical—Highest-confidence, most dangerous threat indicators where immediate action is required. Use for confirmed active command-and-control infrastructure, known botnet controllers, or IP addresses associated with ongoing targeted attacks.
    • High—High-confidence threat categories with a strong likelihood of malicious intent. Use for Malware C2 infrastructure, known exploit servers, and IPs associated with active data exfiltration.
    • Medium—Moderate confidence indicators that may include both malicious and legitimate traffic. Use for anonymizer and proxy services, high-risk IP ranges, or direct-to-IP connections that could indicate evasion techniques.
    • Low—Situational awareness without a confirmed threat. Use for broad netblock owner monitoring, traffic to hosting providers, or connections to IP ranges associated with vulnerable services.
    • Informational—Visibility-only rules where the match criteria is unlikely to represent a threat but the traffic pattern is worth recording. Use for monitoring baseline traffic to cloud infrastructure, CDN providers, or residential ISP ranges.
  8. Save the policy rule.
    Click Save to save the policy rule configuration.
  9. Commit your changes.
    Click Commit to apply the policy rule to your firewall.