Advanced IP Defense Security Profiles
Advanced IP Defense security profiles define the IP attribute categories, match
rules, and actions your enforcement point uses to evaluate traffic against real-time IP
intelligence.
Where Can I Use This?
- NGFW (Managed by Strata Cloud Manager)
- NGFW (Managed by PAN-OS or the Panorama® management server)
- VM-Series
- Cloud NGFW for AWS
- Cloud NGFW on Azure
- Prisma Access
What Do I Need?
- Advanced IP Defense license
- PAN-OS 12.2 and later
An Advanced IP Defense security profile contains a set of match rules that define
which IP attribute categories and tags to evaluate, and the action to take when a match
occurs. You attach profiles to enforcement point zones, and the profile applies to all traffic
entering or leaving the zone.
Profile Structure
Each profile contains:
- Match rules — One or more rules that specify an IP attribute category, an
optional tag filter, and a logical operator. You can match on an entire category
(all tags) or on specific tags within a category. Multiple tags within a single
category are evaluated with an implicit OR. You can combine two categories using
AND or OR operators, and use NOT to exclude a single category or tag.
- IP match field — Specifies whether the profile evaluates the source IP or
destination IP of each session. This setting applies to all rules in the
profile.
- Action — Each rule specifies an action: alert (log and allow),
block (log and drop), or deny (drop without logging).
- Log severity — Configurable per rule to control how the match appears in
your threat logs.
- Cache-miss behavior — Determines how the enforcement point handles traffic when the
cloud lookup has not returned a verdict within the configured timeout (default:
100ms). The default is to skip the profile evaluation and continue to the next
security policy rule. You can configure the profile to drop traffic on cache miss
for strict enforcement.
Rule-Building Logic
When you create match rules, the following constraints apply:
- You can match by an entire category or by individual tags within a
category, but not both in the same rule.
- The Direct to IP (No-DNS) category is a standalone category with no
individual tags. When you select it as a match criterion, it evaluates whether
the connection was made without a preceding DNS resolution.
- The Netblock Owner category supports tag-based matching only. You must
specify individual tags (such as AWS Cloud, GCP Cloud, or CDN) rather than
matching the entire category.
- A NOT operation accepts only one item — either one category or one tag.
This prevents overly complex exclusion rules.
- You can combine two categories or tags using AND or OR operators to
build compound match criteria.
Profile Exceptions
Each profile includes an exceptions tab where you can define entries that bypass
specific checks:
- External Dynamic List (EDL) — Reference an IP-based EDL to allowlist
known-good IP addresses from Advanced IP Defense evaluation.
- No-DNS Bypass — Specify IP addresses, ports, or IP-port combinations for
protocols that legitimately use direct-to-IP connections (such as BGP, SIP, or
STUN). These entries skip the No-DNS check while still allowing other IP attribute
checks to proceed.
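The profile structure, the rule-building constraints and the two exception types described above, modelled as a small Python evaluator. This is an added example, not PAN-OS or Strata Cloud Manager code: the Term, Rule and Profile classes, the validate and evaluate functions, the "Risk" category with its "Scanner" and "Malware C2" tags, the sample IP intelligence table, the session dictionary shape and the assumption that No-DNS bypass entries are matched against the session's destination IP and destination port are all constructed for illustration. Only the category names Direct to IP (No-DNS) and Netblock Owner, the tags AWS Cloud, GCP Cloud and CDN, the three actions, the per-rule severity and the cache-miss behaviour come from the page.

```python
# Toy model of how an Advanced IP Defense profile evaluates one session. Added example,
# not PAN-OS code: the data structures, names and sample IP intelligence are assumptions.
from dataclasses import dataclass

NO_DNS = "Direct to IP (No-DNS)"       # standalone category with no individual tags
NETBLOCK = "Netblock Owner"           # tag-based matching only
ACTIONS = {"alert", "block", "deny"}  # log+allow, log+drop, drop without logging

# Constructed sample intelligence, ip -> {category: tags}; "Risk" and its tags are invented.
INTEL = {
    "198.51.100.10": {NETBLOCK: {"AWS Cloud"}, "Risk": {"Scanner"}},
    "203.0.113.7": {NETBLOCK: {"CDN"}},
    "192.0.2.44": {"Risk": {"Malware C2"}},
}

@dataclass(frozen=True)
class Term:  # one match item: an entire category (tags empty) or specific tags within it
    category: str
    tags: frozenset = frozenset()
    negate: bool = False

    def hit(self, attrs, no_dns):
        if self.category == NO_DNS:
            matched = no_dns                       # property of the session, not of the IP
        else:
            found = attrs.get(self.category)
            if found is None:
                matched = False
            elif not self.tags:
                matched = True                     # entire category
            else:
                matched = bool(found & self.tags)  # tags in one category: implicit OR
        return (not matched) if self.negate else matched

@dataclass(frozen=True)
class Rule:
    action: str
    terms: tuple               # one term, or two joined by operator
    operator: str = "OR"
    severity: str = "medium"   # log severity is configurable per rule

@dataclass(frozen=True)
class Profile:
    rules: tuple
    match_field: str = "source"             # evaluate the source or the destination IP
    drop_on_cache_miss: bool = False        # default: skip the profile, go to next policy rule
    edl_allowlist: frozenset = frozenset()
    no_dns_bypass: frozenset = frozenset()  # (ip or None, port or None); None is a wildcard

def validate(rule):
    """Return a description of the first rule-building constraint broken, or None."""
    if rule.action not in ACTIONS:
        return "unknown action %r" % rule.action
    if not 1 <= len(rule.terms) <= 2 or rule.operator not in ("AND", "OR"):
        return "a rule holds one or two items joined by AND or OR"
    for t in rule.terms:
        if t.category == NO_DNS and t.tags:
            return "%s has no individual tags" % NO_DNS
        if t.category == NETBLOCK and not t.tags:
            return "%s supports tag-based matching only" % NETBLOCK
        if t.negate and len(t.tags) > 1:
            return "NOT accepts only one category or one tag"
    return None

def _bypassed(profile, session):
    # Assumption: bypass entries match the session's destination IP and/or destination port.
    return any((ip is None or ip == session["dst"]) and (port is None or port == session["dport"])
               for ip, port in profile.no_dns_bypass)

def evaluate(profile, session, verdict_available=True):
    """Return (action, severity); 'allow', 'skip' and 'drop' carry no severity."""
    ip = session["src"] if profile.match_field == "source" else session["dst"]
    if ip in profile.edl_allowlist:
        return "allow", None                   # EDL exception: no evaluation at all
    if not verdict_available:                  # cloud lookup did not return in time
        return ("drop" if profile.drop_on_cache_miss else "skip"), None
    attrs = INTEL.get(ip, {})
    no_dns = session.get("no_dns", False) and not _bypassed(profile, session)
    for rule in profile.rules:
        problem = validate(rule)
        if problem:
            raise ValueError(problem)
        hits = [t.hit(attrs, no_dns) for t in rule.terms]
        matched = all(hits) if rule.operator == "AND" else any(hits)
        if matched:
            return rule.action, rule.severity  # first matching rule wins
    return "allow", None

# Constructed profile: block known C2, block direct-to-IP sessions into AWS/GCP address
# space, alert on anything else carrying a Risk tag; BGP peers (port 179) may skip DNS.
EXAMPLE = Profile(
    rules=(
        Rule("block", (Term("Risk", frozenset({"Malware C2"})),), severity="critical"),
        Rule("block", (Term(NETBLOCK, frozenset({"AWS Cloud", "GCP Cloud"})), Term(NO_DNS)),
             operator="AND", severity="high"),
        Rule("alert", (Term("Risk"),)),
    ),
    match_field="destination",
    edl_allowlist=frozenset({"203.0.113.7"}),
    no_dns_bypass=frozenset({(None, 179)}),
)
```

Calling `evaluate(EXAMPLE, session)` with a session such as `{"src": "10.0.0.5", "dst": "198.51.100.10", "dport": 443, "no_dns": True}` returns `("block", "high")`, while the same session on destination port 179 falls through the No-DNS bypass and only trips the alert rule. The point of the model is the ordering: the EDL exception short-circuits everything, a cache miss is decided before any rule is read, and rules are tried in order with the first match winning, which is why a lenient alert-only rule placed above a block rule would mask it.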
Default Profile
The Advanced IP Defense default profile is delivered through the content update
package and contains match rules for all available IP attribute categories with the
action set to alert. This provides immediate visibility into IP-based threats without
blocking traffic, so you can evaluate Advanced IP Defense verdicts before
enforcing block actions.
You can clone the default profile to create custom profiles with specific match rules
and actions tailored to your security requirements.