>
    Strata Copilot
    Direct-to-IP Detection
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced IP Defense
    3. Introducing Advanced IP Defense
    4. Direct-to-IP Detection
    Download PDF
    Advanced IP Defense

    Direct-to-IP Detection

    Table of Contents

    Direct-to-IP Detection

    Advanced IP Defense direct-to-IP detection identifies outbound connections made directly to IP addresses without a preceding DNS resolution, exposing potential C2 channels and data exfiltration attempts.
    Attackers and unauthorized applications frequently bypass DNS-based security controls by connecting directly to IP addresses. Malware can communicate with C2 servers through hardcoded IPs, and data exfiltration can occur through direct IP connections to ephemeral cloud addresses that can't be blocked long-term. Direct-to-IP detection applies a zero trust approach to IP-based traffic by flagging any connection where the destination IP was not resolved through DNS.

    How Direct-to-IP Detection Works

    Your enforcement point forwards a copy of DNS response data (IP address and TTL pairs) to the Advanced IP Defense cloud service. The Advanced IP Defense cloud service builds a DNS Seen Table unique to your tenant that tracks every IP address resolved through DNS and when that resolution expires.
    When your enforcement point queries the Advanced IP Defense cloud service about an IP address, the service checks whether that IP appears in your tenant's DNS Seen Table with a valid (non-expired) entry. If the IP has no DNS history or the entry has expired beyond a grace period, the Advanced IP Defense cloud service returns a direct-to-IP verdict. The grace period (currently 300 seconds) accounts for transmission delays and clients that use slightly expired cache entries.
    Direct-to-IP detection applies only to publicly routable IP addresses in outbound traffic. All private IP ranges are allowlisted, so protocols that operate exclusively on internal networks (such as DHCP, mDNS, and NetBIOS) do not trigger false positives. Do not apply direct-to-IP rules to inbound traffic — direct-to-IP detection is designed for outbound sessions where a client initiates a connection without resolving the destination through DNS.

    Profiling Period

    When you first enable Advanced IP Defense on an enforcement point, a seven-day profiling period begins for that device. During this period:
    • The Advanced IP Defense cloud service learns your traffic patterns and identifies legitimate direct-to-IP connections specific to your environment.
    • An offline classification system analyzes direct-to-IP traffic using threat intelligence to distinguish benign connections from malicious ones.
    • Confirmed-benign direct-to-IP traffic is added to a customized allowlist for your enforcement point.
    • Direct-to-IP rules are not enforced during this period to prevent false positives.
    After the profiling period completes, the direct-to-IP rules in your Advanced IP Defense profile begin enforcing. The Advanced IP Defense cloud service continues to monitor traffic patterns and updates the customized allowlist as your environment changes.

    Allowlists

    Advanced IP Defense uses three types of allowlists to reduce false positives and unnecessary cloud lookups:
    • Golden Allowlist — Applied to all customers and contains definitively-benign IP addresses such as well-known DNS resolvers and private IP ranges. Traffic to these IPs bypasses the Advanced IP Defense cloud lookup entirely.
    • Customized Allowlist — Generated per enforcement point based on traffic patterns learned during the profiling period and through ongoing analysis. Traffic to these IPs also bypasses the cloud lookup.
    • Direct-to-IP Allowlist — Contains IP addresses, ports, and IP-port combinations for protocols that legitimately use direct-to-IP connections (such as BGP, SIP, STUN, and BitTorrent). These entries skip only the direct-to-IP check while still allowing other IP attribute checks to proceed.
    Your enforcement point downloads updated allowlists periodically. Entries are prioritized so that if memory constraints require truncation, the most critical entries are retained.

    © 2026 Palo Alto Networks, Inc. All rights reserved.