Create an Advanced IP Defense Profile (PAN-OS 11.1.x and Later)

Configure Advanced IP Defense on PAN-OS 11.1.x and later using predefined External Dynamic Lists (EDLs) to block malicious IP addresses.
For PAN-OS 11.1.x and later, Advanced IP Defense is available through predefined External Dynamic Lists (EDLs) that are automatically delivered via content updates. These EDLs contain curated, priority-ranked lists of malicious IP addresses identified by the Advanced IP Defense cloud service, allowing you to block threats using your existing security policy rules. On PAN-OS 12.2 and later, you can also use the full Advanced IP Defense profile-based architecture for granular attribute-level matching and direct-to-IP detection.
The Advanced IP Defense EDLs are delivered in the antivirus content package and installed automatically when you update dynamic content. The system performs Top-K trimming at install time based on your hardware platform's EDL capacity, so the same content package works across all supported devices. Each list is ranked by priority in descending order (first entry = highest priority).
  1. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  2. Update to the latest content package.
    Select Device > Dynamic Updates and check for the latest antivirus content release. The Advanced IP Defense EDLs are delivered through this package. See Keep Your Firewall Content Current for scheduling automatic content updates.
  3. Verify that the Advanced IP Defense EDLs are available.
    Select Objects > External Dynamic Lists and look for the predefined Advanced IP Defense EDLs. The following EDLs are delivered through the content package (entry counts per list are shown for the Standard and Full platform tiers):

    | EDL Name | Description | Standard Tier | Full Tier |
    |---|---|---|---|
    | Adv. IP Defense: C2 infrastructure | IPs hosting C2 services or bound to C2 domains. Covers active command-and-control server infrastructure. | 5,000 | 5,000 |
    | Adv. IP Defense: Hardcoded in malware | IPs hardcoded in malware samples or appearing in exploitation payload shellcode. | 1,000 | 1,000 |
    | Adv. IP Defense: VPN | IPs owned by commercial VPN service providers. | 5,000 | 10,000 |
    | Adv. IP Defense: Proxies | IPs hosting proxy services such as HTTP, SOCKS, OpenVPN, and V2Ray. | 2,000 | 60,000 |
    | Adv. IP Defense: Scanner and brute-force | IPs conducting scanning or brute-force activities. | 1,000 | 20,000 |
    | Adv. IP Defense: Exposed vulnerable services | IPs hosting publicly reachable services vulnerable to known CVEs or exploits. | 2,000 | 4,000 |
    The AV content package delivers the same set of EDL files to all platforms. At install time, the system automatically trims each list to the appropriate size based on your hardware platform's capacity. You do not need to select a tier manually. Standard tier platforms (such as PA-3200, PA-3400, PA-3500, and PA-5500 series) receive a condensed record set, while Full tier platforms (such as PA-1400, PA-5200, PA-5400, PA-7500 series, VM-Series, and Prisma Access) receive the complete record set.
    An IP address appears in only one EDL even if it has multiple attributes. When an IP qualifies for multiple lists, it is placed in the highest-severity list based on the following priority (highest to lowest): C2 infrastructure, Hardcoded in malware, VPN, Proxies, Scanner and brute-force, Exposed vulnerable services.
  4. Create security policy rules that reference the Advanced IP Defense EDLs.
    Select Policies > Security and create a new security policy rule for each Advanced IP Defense EDL you want to enforce. See Create a Security Policy Rule for detailed instructions on configuring security policy rules.
    For each rule:
    • In the Source or Destination tab, click Add and select the Advanced IP Defense EDL. Use the Source Address field to match inbound traffic from malicious IPs, or the Destination Address field to match outbound traffic to malicious IPs.
    • In the Actions tab, set the action to Deny (block and drop) or Allow with logging enabled (alert-only mode for initial monitoring).
    • In the Actions tab, enable Log at Session End and attach a log forwarding profile to forward matches to your SIEM or Strata Logging Service.
    Position the Advanced IP Defense EDL rules before your general allow rules in the policy rulebase to ensure they are evaluated first. See Security Policy for more information about rule ordering and evaluation.
  5. Commit your changes.
    Click Commit to apply the security policy rules to your firewall.
  6. Monitor EDL-based threat activity.
    Select Monitor > Logs > Traffic to view logs for traffic that matched the Advanced IP Defense EDL rules. Filter by the rule name or use the destination/source EDL columns to identify which EDL triggered the match.
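As an added illustration (not PAN-OS code), the following Python models the two rules this procedure states: an IP that qualifies for several lists is placed only in the highest-severity one, and each list is trimmed at install time to the platform tier's capacity while preserving rank order. The candidate IPs and the small "Lab" tier are constructed for the demonstration; the Standard and Full capacities are the ones from the table above.

```python
"""Model of how the Advanced IP Defense EDLs are deduplicated and trimmed.
Added illustration of the documented behaviour; not Palo Alto Networks code."""
from __future__ import annotations

# Lists ordered from highest to lowest severity, as stated in step 3.
EDL_PRIORITY = [
    "C2 infrastructure", "Hardcoded in malware", "VPN",
    "Proxies", "Scanner and brute-force", "Exposed vulnerable services",
]

# Per-list entry capacity by platform tier (values from the EDL table).
EDL_CAPACITY = {
    "Standard": dict(zip(EDL_PRIORITY, [5_000, 1_000, 5_000, 2_000, 1_000, 2_000])),
    "Full": dict(zip(EDL_PRIORITY, [5_000, 1_000, 10_000, 60_000, 20_000, 4_000])),
    # Constructed tiny tier so trimming is visible on a handful of sample IPs.
    "Lab": dict(zip(EDL_PRIORITY, [2, 1, 2, 1, 1, 1])),
}

# Constructed candidate data (RFC 5737 documentation addresses). Each list is
# ranked, index 0 = highest priority. Some IPs qualify for more than one list.
CANDIDATES = {
    "C2 infrastructure": ["203.0.113.10", "203.0.113.11"],
    "VPN": ["198.51.100.5", "198.51.100.6", "203.0.113.11"],
    "Proxies": ["198.51.100.5", "192.0.2.7"],
    "Scanner and brute-force": ["192.0.2.7", "192.0.2.8", "192.0.2.9"],
}


def assign_to_single_list(candidates: dict[str, list[str]]) -> dict[str, list[str]]:
    """Place each IP in exactly one EDL: the highest-severity list it qualifies for."""
    placed: set[str] = set()
    result: dict[str, list[str]] = {}
    for name in EDL_PRIORITY:  # walk lists from most to least severe
        kept = [ip for ip in candidates.get(name, []) if ip not in placed]
        placed.update(kept)
        result[name] = kept
    return result


def trim_for_platform(edls: dict[str, list[str]], tier: str) -> dict[str, list[str]]:
    """Install-time Top-K trimming: keep the first K ranked entries of each list."""
    return {name: entries[: EDL_CAPACITY[tier][name]] for name, entries in edls.items()}


def build_edls(candidates: dict[str, list[str]], tier: str) -> dict[str, list[str]]:
    """Full pipeline: deduplicate by severity, then trim to the tier's capacity."""
    return trim_for_platform(assign_to_single_list(candidates), tier)


def matching_edl(edls: dict[str, list[str]], ip: str) -> str | None:
    """Return the installed EDL a policy rule would match for this IP, or None."""
    return next((name for name in EDL_PRIORITY if ip in edls[name]), None)
```

Running `build_edls(CANDIDATES, "Lab")` shows 203.0.113.11 kept only under C2 infrastructure and 192.0.2.9 dropped by trimming, so a rule referencing the Scanner list would not match it on that tier.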
The Advanced IP Defense EDLs are updated with each content package release. Schedule automatic content updates to ensure your EDLs reflect the latest threat intelligence. On PAN-OS 12.2 and later, you can also enable the full Advanced IP Defense profile-based architecture for granular attribute-level matching, direct-to-IP detection, and real-time cloud lookups. The predefined EDLs remain available alongside profile-based controls.
When you upgrade from an earlier PAN-OS release to 12.2 or later, your existing Advanced IP Defense predefined EDLs and the security policy rules that reference them remain intact. You do not need to reconfigure EDL-based policies after the upgrade. You can continue using the EDLs for IP-based blocking while you evaluate and deploy the full profile-based controls.