| Cloud lookup not returning verdicts | The firewall is querying the Advanced IP Defense cloud service asynchronously but is not receiving verdicts to populate the local cache. The firewall continues to fail open on cache misses, allowing potentially malicious initial sessions to pass. | Verify network connectivity to the Advanced IP Defense cloud service endpoints on port 443. Check whether a proxy server is required and properly configured. Investigate network routing and firewall policies that may block outbound connectivity. |
| DNS cache at maximum capacity | The firewall's local DNS cache has reached its maximum capacity for storing DNS response records. The firewall fails open on direct-to-IP detection and takes no action on direct-to-IP traffic until cache capacity is available again. | Monitor DNS cache utilization. Review whether all zones require direct-to-IP detection or whether you can limit it to high-risk zones. |
| IP not in cloud database | The Advanced IP Defense cloud service has no attributes for the queried IP. Not all publicly routable IPs have assigned attributes. | No action required. This is expected behavior for IPs that have not been observed in threat intelligence feeds or classified by the Advanced IP Defense cloud service. |
| Private IP address | The destination IP is a private (RFC 1918) address. Advanced IP Defense evaluates only publicly routable IPv4 addresses. Private IPs are automatically allowed without any cloud lookup or attribute check. | No action required. This is expected behavior. Advanced IP Defense is designed to protect against threats on public IP address space only. |
| IP in Advanced IP Defense allowlist | The destination IP matches an entry in the Advanced IP Defense allowlist. The firewall skips the attribute lookup entirely. | Review the Advanced IP Defense allowlist entries if you believe a malicious IP is being allowed. Contact Palo Alto Networks Support if you believe an allowlist entry is incorrect. |
| IP in direct-to-IP allowlist | The destination IP or port matches an entry in the direct-to-IP allowlist, causing the firewall to skip the direct-to-IP detection check. Other IP attribute checks still apply. | Review the direct-to-IP allowlist if you believe direct-to-IP connections to a specific IP should be flagged. |
| Stale allowlist data | The firewall can't reach the cloud to pull updated allowlist files. It continues using the most recently cached version, but entries may be outdated. | Verify network connectivity to the cloud endpoint. Check whether firewall security policies or proxy configurations are blocking outbound access. |
| Allowlist truncated due to memory limits | The firewall's available memory can't hold the full per-tenant allowlist. Lower-priority entries are dropped. | Review the firewall's memory utilization. |
| No Advanced IP Defense profile attached to zone | Traffic passes through a security zone that doesn't have an Advanced IP Defense profile attached. No attribute lookup or direct-to-IP detection occurs for traffic in that zone. | Verify that an Advanced IP Defense profile is attached to all security zones where you want IP-based threat protection. |
| EDL not referenced in security rules (PAN-OS 11.1.x and later) | On PAN-OS 11.1.x and later, Advanced IP Defense uses predefined EDLs. If no security policy rule references these EDLs, traffic to malicious IPs isn't blocked. | Verify that your security policy rules reference the predefined Advanced IP Defense EDLs in the source or destination address fields. |
| Direct-to-IP false positive after DNS TTL expiration | A connection to a previously resolved IP is flagged as direct-to-IP because the DNS record's TTL has expired. The client is connecting to a cached IP without re-resolving the name. | If the flagged IP is a known service your organization uses, add it to the direct-to-IP allowlist as an IP-based exception. |
| Legitimate protocol flagged as direct-to-IP | Protocols such as BGP, SIP, STUN, or MQTT connect directly to IPs by design and are flagged as direct-to-IP connections. | Add the protocol's port to the direct-to-IP allowlist as a port-based exception. |
| Content package outdated | The content package on the firewall is outdated, which means the category and attribute definitions may not reflect the latest Advanced IP Defense capabilities. | Install the latest content package on the firewall or schedule automatic content updates. |
| Shared IP hosting causes missed detections | A malicious C2 server is hosted on a shared IP that also hosts legitimate domains. Because DNS resolution to the shared IP prevents direct-to-IP flagging, the C2 connection is not detected as direct-to-IP. | Rely on IP attribute-based rules (such as Malware C2 or High Risk categories) to detect and block connections to known malicious IPs regardless of DNS history. |
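As an added illustration (not PAN-OS code or Palo Alto Networks' own logic), the model below encodes the behaviours the table describes so the fail-open and false-positive cases can be reproduced: RFC 1918 bypass, allowlist skips, attribute cache miss, DNS cache capacity, TTL expiry and the shared-IP case. The evaluation order (attributes first, then direct-to-IP), the `evaluate` signature and the documentation-range IPs (203.0.113.x, 198.51.100.x) are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the table's behaviours, not PAN-OS code.
# Checking attributes before direct-to-IP is an assumed order.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BLOCK_CATEGORIES = {"Malware C2", "High Risk"}  # attribute categories the table names


@dataclass
class DnsCache:
    """Local DNS response cache: destination IP -> expiry time (epoch seconds)."""
    capacity: int
    entries: dict = field(default_factory=dict)

    def record(self, ip, now, ttl):
        """Store a resolved IP; a cache at capacity cannot accept new records."""
        if ip not in self.entries and self.full():
            return False
        self.entries[ip] = now + ttl
        return True

    def resolved(self, ip, now):
        """True only while the DNS record's TTL has not expired."""
        exp = self.entries.get(ip)
        return exp is not None and exp > now

    def full(self):
        return len(self.entries) >= self.capacity


def evaluate(dst_ip, dst_port, now, dns, attrs, aid_allow, d2ip_ips, d2ip_ports):
    """Return (verdict, reasons). attrs maps IP -> attribute set for IPs the cloud answered."""
    ip = ipaddress.ip_address(dst_ip)
    if ip.version != 4 or any(ip in net for net in RFC1918):
        return "allow", ["private-ip"]                   # no lookup, no attribute check
    reasons = []
    if dst_ip in aid_allow:
        reasons.append("aid-allowlist:skip-attributes")
    elif dst_ip not in attrs:
        reasons.append("attribute-cache-miss:fail-open")  # no cloud verdict cached yet
    elif attrs[dst_ip] & BLOCK_CATEGORIES:
        hit = ",".join(sorted(attrs[dst_ip] & BLOCK_CATEGORIES))
        return "block", reasons + ["attribute:" + hit]   # independent of DNS history
    else:
        reasons.append("attributes-clean")               # cloud knows the IP, nothing risky
    if dst_ip in d2ip_ips or dst_port in d2ip_ports:
        reasons.append("d2ip-allowlist:skip")            # IP- or port-based exception
    elif dns.resolved(dst_ip, now):
        reasons.append("dns-resolved")
    elif dns.full():
        reasons.append("dns-cache-full:fail-open")
    else:
        return "flag", reasons + ["direct-to-ip"]        # covers the expired-TTL false positive
    return "allow", reasons
```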