Edit Advanced IP Defense Connectivity Settings in PAN-OS and Panorama

Configure PAN-OS and Panorama connectivity settings to enable communication with the Advanced IP Defense cloud service for real-time IP attribute lookups and direct-to-IP detection.
PAN-OS and Panorama manage connectivity settings for on-premises firewalls and Panorama-managed deployments. Connectivity settings control how your firewall or Panorama communicates with the Advanced IP Defense cloud service. Proper connectivity configuration ensures optimal performance and reliability of Advanced IP Defense threat detection across your on-premises infrastructure.
  1. Access the Advanced IP Defense connectivity settings.
    In PAN-OS or Panorama, select Device > Setup > Content-ID to access the global connectivity settings for cloud-based security services.
  2. Configure the cloud lookup timeout value.
    The cloud lookup timeout determines how long the firewall waits for a response from the Advanced IP Defense cloud service before timing out. The default timeout is 100 milliseconds.
    Enter a timeout value in milliseconds. Consider your network latency and cloud service response times when setting this value. A lower timeout reduces latency but may result in more fail-open scenarios. A higher timeout provides more time for cloud lookups but may impact traffic processing speed.
    If the cloud lookup times out, traffic is allowed by default (fail-open) to ensure business continuity. Adjust the timeout based on your network conditions and security requirements.
  3. (Optional) Configure proxy server settings for cloud connectivity.
    If your firewall is deployed behind a proxy server or in an environment that requires proxy authentication, you must configure proxy settings to enable communication with the Advanced IP Defense cloud service.
    Select Device > Setup > Services and configure the proxy server settings:
    • Enter the proxy server IP address or FQDN
    • Specify the proxy server port number
    • Enter proxy authentication credentials if required
    • Enable the option to use proxy for inline cloud services
    The proxy server password must contain a minimum of six characters.
  4. Verify network connectivity to Advanced IP Defense cloud service endpoints.
    Ensure that your firewall has network connectivity to the Advanced IP Defense cloud service endpoints. The firewall must be able to reach the cloud service on port 443 (HTTPS) for secure communication.
    You can verify connectivity by:
    • Checking firewall routing to ensure traffic to cloud service endpoints is not blocked
    • Verifying that security policies allow outbound HTTPS traffic to cloud service IPs
    • Confirming that any proxy servers or firewalls between your firewall and the internet allow traffic to the cloud service
  5. Configure DNS resolution for cloud service endpoints.
    The firewall must be able to resolve the Advanced IP Defense cloud service domain names to IP addresses. Ensure that your firewall has access to DNS servers that can resolve these domain names.
    Select Device > Setup > Services and verify that DNS servers are configured. You can specify primary and secondary DNS servers to ensure redundancy.
  6. Test connectivity to the Advanced IP Defense cloud service.
    After configuring connectivity settings, test the connection to verify that the firewall can reach the Advanced IP Defense cloud service.
    Select Device > Setup > Services and click Test Connectivity to verify that the firewall can successfully communicate with the cloud service. A successful test confirms that your connectivity settings are correct.
  7. Monitor cloud service connectivity status.
    After enabling Advanced IP Defense, monitor the connectivity status to ensure the firewall maintains a stable connection to the cloud service.
    Select Monitor > System > Cloud Services to view the status of cloud service connections. Check for any connectivity errors or warnings that may indicate network issues.
  8. Commit your changes.
    Click Commit to apply the connectivity settings to your firewall.
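
The timeout trade-off in step 2 can be sized from measured latency. The following is an added example, not part of the original page or of PAN-OS: it estimates, for a candidate timeout, what fraction of lookups would time out and be allowed without a cloud verdict (fail-open). The latency samples and function names are constructed for illustration; only the 100 ms default comes from this page.

```python
DEFAULT_TIMEOUT_MS = 100  # default cloud lookup timeout stated on this page

# Constructed sample (not real data): cloud lookup round-trip times in ms,
# as might be measured from a host on the same egress path as the firewall.
SAMPLE_RTT_MS = [38, 41, 44, 47, 52, 55, 58, 61, 66, 72,
                 75, 79, 84, 88, 93, 97, 104, 118, 135, 210]


def fail_open_rate(rtts_ms, timeout_ms):
    """Fraction of lookups slower than the timeout, i.e. allowed unchecked."""
    if not rtts_ms:
        raise ValueError("need at least one latency sample")
    late = sum(1 for rtt in rtts_ms if rtt > timeout_ms)
    return late / len(rtts_ms)


def min_timeout_for(rtts_ms, max_fail_open):
    """Smallest observed latency (ms) usable as a timeout while keeping
    the estimated fail-open rate at or below max_fail_open."""
    if not 0 <= max_fail_open < 1:
        raise ValueError("max_fail_open must be in [0, 1)")
    for candidate in sorted(set(rtts_ms)):
        if fail_open_rate(rtts_ms, candidate) <= max_fail_open:
            return candidate
    # Unreachable: the slowest sample always yields a rate of 0.
    raise AssertionError("no candidate satisfied the target")


def timeout_table(rtts_ms, candidates):
    """Map each candidate timeout to its estimated fail-open rate."""
    return {t: fail_open_rate(rtts_ms, t) for t in candidates}


if __name__ == "__main__":
    for t, rate in timeout_table(SAMPLE_RTT_MS, [50, 100, 150, 250]).items():
        tag = " (default)" if t == DEFAULT_TIMEOUT_MS else ""
        print(f"timeout {t:>3} ms{tag}: {rate:.0%} of lookups fail open")
    print("timeout for <=5% fail-open:",
          min_timeout_for(SAMPLE_RTT_MS, 0.05), "ms")
```

Feed it latency measured on the firewall's actual path to the cloud service, including any proxy from step 3, since the proxy hop adds to every lookup.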