Advanced IP Defense generates threat logs whenever traffic matches a policy rule. You can browse, search, and filter these logs to investigate specific IP-based threats, identify patterns in attacker behavior, and validate that your policy rules are working as intended. Logs are accessible directly on the firewall and through Strata Cloud Manager when log forwarding to Strata Logging Service is configured.

All Advanced IP Defense threat logs share a single unified threat ID and threat category ID, which are delivered through content package updates. Each log entry contains session details (source and destination IP, zone, port, and protocol), the matched IP attributes and their categories, the policy action taken (Block, Allow, or Alert), the log severity level defined in the policy rule, and the Advanced IP Defense profile name. On PAN-OS 12.2 and later, logs include the full set of matched attributes for the IP, providing granular visibility into why the traffic was flagged. On PAN-OS 11.1.x through 12.1.x, logs record the EDL name and the matched IP address.

The Activity Insights threat view in Strata Cloud Manager includes Advanced IP Defense alongside other cloud-delivered security services, allowing you to correlate IP-based threats with DNS, URL, and file-based detections across the same sessions. The threat insights page handles multiple threat categories for IP attributions, so a single IP that matches attributes from several categories (such as both Malware C2 and Direct-to-IP) displays all relevant categories in the log detail. You can also search for a specific IP through IOC Search to view its associated categories and subcategories on the IP Overview page.