Create an Advanced IP Defense Profile (PAN-OS 12.2 and Later)
Configure Advanced IP Defense on your firewall to enable real-time IP address inspection and enforcement based on IP attributes and direct-to-IP detection.
Advanced IP Defense provides real-time IP address inspection and enforcement to protect against threats that bypass traditional DNS and URL-based controls. By enabling Advanced IP Defense, you can enforce policies based on over 40 dynamic IP attributes and detect direct-to-IP connections that indicate potential malware or data exfiltration attempts.
  1. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  2. Create or update an Advanced IP Defense profile.
    Select Objects > Security Profiles > Advanced IP Defense and click Add to create a new profile or select an existing profile to edit.
    Enter a name and description for the profile. You can also select a default profile to use as a template.
    Each profile contains:
    • Match rules—One or more rules that specify an IP attribute category, an optional tag filter, and a logical operator.
    • IP match field—Specifies whether the profile evaluates the source IP or destination IP of each session. This setting applies to all rules in the profile.
    • Action—Each rule specifies an action: alert (log and allow), block (log and drop), or deny (drop without logging).
    • Log severity—Configurable per rule to control how the match appears in your threat logs.
    • Cache-miss behavior—On a cache miss, the firewall allows the initial session to pass (fail-open) and asynchronously queries the Advanced IP Defense cloud service for a verdict. Once the cloud responds, the local cache is populated and the policy is enforced on all subsequent sessions matching that IP. If you configure the profile for strict enforcement, the firewall drops traffic on cache miss only while the Advanced IP Defense cloud service is reachable; if the service becomes unreachable, the firewall reverts to fail-open to prevent a network outage.
    A default profile ships with the content update package and contains match rules for all available IP attribute categories with the action set to alert. This gives you immediate visibility into IP-based threats without blocking traffic. You can clone the default profile to create custom profiles tailored to your security requirements.
  3. Configure policy rules within the Advanced IP Defense profile.
    Click Add Rule to create rules that match traffic based on IP attributes or direct-to-IP detection. For each rule, specify:
    • IP Match Field—Select whether the rule evaluates the source IP or destination IP of each session. Use source IP to detect inbound threats from known malicious infrastructure. Use destination IP to detect outbound connections to C2 servers, anonymizers, or compromised hosts.
    • Match criteria—Select one or more IP attribute categories (such as Malware & C2, Anonymizers & Proxies, or Direct-to-IP) or individual tags within a category. Use logical operators (AND, OR, NOT) to build compound match conditions.
    • Action—Set to Alert (log and allow), Block (log and drop), or Deny (drop without logging). Start with Alert during initial deployment to evaluate detection accuracy before enabling Block.
    • Log severity—Set the severity level (Critical, High, Medium, Low, or Informational) to control how the match appears in your threat logs and SIEM. Higher severity levels can trigger automated responses through log forwarding profiles.
    When you build match rules, the following constraints apply:
    • You can match by an entire category or by individual tags within a category, but not both in the same rule.
    • The Direct to IP (No-DNS) category has no individual tags. When you select it, the rule evaluates whether the connection occurred without a preceding DNS resolution.
    • The Netblock Owner category supports tag-based matching only. You must specify individual tags (such as AWS Cloud, GCP Cloud, or CDN) rather than matching the entire category.
    • A NOT operation accepts only one item (one category or one tag).
    • You can combine two categories or tags using AND or OR operators to build compound match criteria.
    Rules are evaluated in order from top to bottom. The first matching rule determines the action. Position your most specific, highest-severity rules at the top of the list. See Security Policy for more information about rule ordering and evaluation logic.
  4. Configure exceptions and allowlists.
    Click the Exceptions tab to define entries that bypass specific Advanced IP Defense checks. Exceptions prevent false positives for known-good traffic without disabling protection for other connections.
    • External Dynamic List (EDL)—Reference an IP-based EDL to allowlist known-good IP addresses from Advanced IP Defense evaluation. Use this for dynamic infrastructure where IP addresses change frequently (such as your own cloud services or CDN providers). The EDL updates automatically without requiring a commit. See External Dynamic Lists for EDL configuration details.
    • No-DNS Bypass—Specify IP addresses, ports, or IP-port combinations for protocols that legitimately use direct-to-IP connections (such as BGP, SIP, or STUN). These entries skip the No-DNS (direct-to-IP) check while still allowing other IP attribute checks to proceed.
    Exceptions are evaluated before policy rules. If a connection matches an exception, the corresponding check is skipped for that connection.
  5. Click OK to save the Advanced IP Defense profile.
    The profile is now created and ready to be attached to security zones.
  6. Attach the Advanced IP Defense profile to security zones.
    Select Network > Zones and select the zone where you want to enforce Advanced IP Defense policies. In the zone configuration, select the Advanced IP Defense profile you created.
    You can attach the same profile to multiple zones or create different profiles for different zones based on your security requirements. For example, apply a strict blocking profile to your internet-facing untrust zone and an alert-only profile to internal zones during the initial deployment period.
    See Configure a Zone for more information about zone configuration and profile assignment.
  7. Commit your changes.
    Click Commit to apply the Advanced IP Defense configuration to your firewall.
  8. Monitor Advanced IP Defense activity.
    Select Monitor > Logs > Threat to view logs for traffic that matched Advanced IP Defense rules. You can filter logs by IP attributes, direct-to-IP detection, or specific rules to track blocked threats and validate policy effectiveness.
After enabling Advanced IP Defense, you can create additional profiles for different security zones or refine your existing rules based on traffic patterns and security requirements. Monitor the logs regularly to ensure your policies are effective and adjust rules as needed.
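As an added illustration (not PAN-OS code), the following Python models the evaluation order this page documents for one profile: the EDL allowlist and No-DNS bypass exceptions first, then match rules top to bottom with the first match deciding, fail-open on a cache miss, plus a validator for the match-rule constraints of step 3. The category and tag names come from the page; the data structures, the profile-level match field, the `(ip, port)` bypass encoding and the verdict cache are assumptions.

```python
from collections import namedtuple
# Constructed catalogue: the categories and tags this page names (not the full PAN-OS list).
CATEGORIES = {
    "Malware & C2": {"c2", "malware-host"},
    "Anonymizers & Proxies": {"tor-exit", "open-proxy"},
    "Netblock Owner": {"AWS Cloud", "GCP Cloud", "CDN"},  # tag-only category
    "Direct to IP (No-DNS)": set(),                       # has no individual tags
}
TAG_TO_CATEGORY = {t: c for c, tags in CATEGORIES.items() for t in tags}
# items: category or tag names; op: "AND", "OR" or "NOT"; action: "alert", "block" or "deny"
Rule = namedtuple("Rule", "name items op action")
# match_field ("source"/"destination") applies to every rule; exception lists are checked first
Profile = namedtuple("Profile", "match_field rules edl_allowlist no_dns_bypass")
Session = namedtuple("Session", "src_ip dst_ip dst_port resolved_by_dns")
def validate(rule):
    """Return the first documented match-rule constraint the rule breaks, or None."""
    cats = [i for i in rule.items if i in CATEGORIES]
    tags = [i for i in rule.items if i in TAG_TO_CATEGORY]
    if cats and tags:
        return "a rule matches by category or by tags, not both"
    if "Netblock Owner" in cats:
        return "Netblock Owner supports tag-based matching only"
    if rule.op == "NOT" and len(rule.items) != 1:
        return "NOT accepts only one item"
    if rule.op != "NOT" and len(rule.items) > 2:
        return "AND/OR combine two items"
    return None

def _hit(item, attrs, session, profile):
    if item == "Direct to IP (No-DNS)":  # bypass entries are (ip, port); None = any
        keys = {(session.dst_ip, None), (None, session.dst_port), (session.dst_ip, session.dst_port)}
        return not session.resolved_by_dns and not (keys & profile.no_dns_bypass)
    if item in CATEGORIES:
        return bool(attrs.get(item))
    return item in attrs.get(TAG_TO_CATEGORY[item], set())

def evaluate(profile, session, cache):
    """cache maps ip -> {category: set(tags)}; an ip absent from it is a cache miss (fail-open)."""
    ip = session.dst_ip if profile.match_field == "destination" else session.src_ip
    if ip in profile.edl_allowlist:
        return "allow", "edl-exception"
    attrs = cache.get(ip)
    if attrs is None:
        return "allow", "cache-miss"
    for rule in profile.rules:  # top to bottom, first matching rule decides
        hits = [_hit(i, attrs, session, profile) for i in rule.items]
        matched = not hits[0] if rule.op == "NOT" else (all if rule.op == "AND" else any)(hits)
        if matched:
            return rule.action, rule.name
    return "allow", "no-match"
```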