Edit Advanced IP Defense Connectivity Settings in PAN-OS and Panorama

Configure PAN-OS and Panorama connectivity settings to enable communication with the Advanced IP Defense cloud service for real-time IP attribute lookups and direct-to-IP detection.
PAN-OS and Panorama manage connectivity settings for on-premises firewalls and Panorama-managed deployments. Connectivity settings control how your firewall or Panorama communicates with the Advanced IP Defense cloud service. Proper connectivity configuration ensures optimal performance and reliability of Advanced IP Defense threat detection across your on-premises infrastructure.
  1. Access the Advanced IP Defense connectivity settings.
    In PAN-OS or Panorama, select Device > Setup > Content-ID to access the global connectivity settings for cloud-based security services.
  2. Verify Advanced IP Defense cloud service connectivity status.
    The firewall uses an asynchronous fail-open model for cloud lookups. On a cache miss, the firewall allows the initial session and queries the Advanced IP Defense cloud service asynchronously. Once the verdict is returned, the local cache is populated and the policy is enforced on subsequent sessions. If the Advanced IP Defense cloud service becomes unreachable, the firewall fails open to prevent a network outage.
    Ensure that network connectivity to the Advanced IP Defense cloud service endpoints on port 443 is stable. Verify DNS servers are configured and can resolve Advanced IP Defense cloud service domain names.
  3. (Optional) Configure proxy server settings for cloud connectivity.
    If your firewall is deployed behind a proxy server or in an environment that requires proxy authentication, you must configure proxy settings to enable communication with the Advanced IP Defense cloud service.
    Select Device > Setup > Services and configure the proxy server settings:
    • Enter the proxy server IP address or FQDN
    • Specify the proxy server port number
    • Enter proxy authentication credentials if required
    • Enable the option to use proxy for inline cloud services
    The proxy server password must contain a minimum of six characters.
  4. Verify network connectivity to Advanced IP Defense cloud service endpoints.
    Ensure that your firewall has network connectivity to the Advanced IP Defense cloud service endpoints. The firewall must be able to reach the Advanced IP Defense cloud service on port 443 (HTTPS) for secure communication.
    You can verify connectivity by:
    • Checking firewall routing to ensure traffic to Advanced IP Defense cloud service endpoints is not blocked
    • Verifying that security policies allow outbound HTTPS traffic to Advanced IP Defense cloud service IPs
    • Confirming that any proxy servers or firewalls between your firewall and the internet allow traffic to the Advanced IP Defense cloud service
  5. Configure DNS resolution for Advanced IP Defense cloud service endpoints.
    The firewall must be able to resolve the Advanced IP Defense cloud service domain names to IP addresses. Ensure that your firewall has access to DNS servers that can resolve these domain names.
    Select Device > Setup > Services and verify that DNS servers are configured. You can specify primary and secondary DNS servers to ensure redundancy.
  6. Test connectivity to the Advanced IP Defense cloud service.
    After configuring connectivity settings, test the connection to verify that the firewall can reach the Advanced IP Defense cloud service.
    Select Device > Setup > Services and click Test Connectivity to verify that the firewall can successfully communicate with the Advanced IP Defense cloud service. A successful test confirms that your connectivity settings are correct.
  7. Monitor Advanced IP Defense cloud service connectivity status.
    After enabling Advanced IP Defense, monitor the connectivity status to ensure the firewall maintains a stable connection to the Advanced IP Defense cloud service.
    Select Monitor > System > Cloud Services to view the status of Advanced IP Defense cloud service connections. Check for any connectivity errors or warnings that may indicate network issues.
  8. Commit your changes.
    Click Commit to apply the connectivity settings to your firewall.
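
The asynchronous fail-open behavior described in step 2 can be modeled in a few lines to show what it means for enforcement. This is an added illustration, not PAN-OS code or a Palo Alto Networks API: the class, its fields, and the sample verdicts are hypothetical, and the addresses are constructed from documentation ranges.

```python
ALLOW, BLOCK = "allow", "block"

class FailOpenModel:
    """Toy model of the lookup flow in step 2; not PAN-OS code."""

    def __init__(self, cloud_verdicts):
        self.cloud_verdicts = cloud_verdicts  # stand-in for the cloud service
        self.cloud_reachable = True
        self.cache = {}                # ip -> verdict already returned
        self.pending = []              # IPs awaiting an asynchronous verdict
        self.unverified_allows = 0     # sessions allowed without a verdict

    def handle_session(self, ip):
        """Decide a new session from the local cache only."""
        if ip in self.cache:
            return self.cache[ip]
        if ip not in self.pending:     # cache miss: queue the async query
            self.pending.append(ip)
        self.unverified_allows += 1    # ...and allow the session meanwhile
        return ALLOW

    def process_pending(self):
        """Stand-in for the asynchronous cloud queries completing."""
        if not self.cloud_reachable:
            return                     # no verdicts arrive: keep failing open
        for ip in self.pending:
            self.cache[ip] = self.cloud_verdicts.get(ip, ALLOW)
        self.pending = []

# Constructed verdicts using documentation address ranges (RFC 5737).
VERDICTS = {"203.0.113.7": BLOCK, "198.51.100.9": BLOCK}

def demo():
    fw = FailOpenModel(VERDICTS)
    first = fw.handle_session("203.0.113.7")    # miss: allowed
    fw.process_pending()                        # verdict cached
    second = fw.handle_session("203.0.113.7")   # now enforced
    fw.cloud_reachable = False                  # simulate a cloud outage
    outage = [fw.handle_session("198.51.100.9") for _ in range(3)]
    fw.process_pending()                        # nothing cached during outage
    return first, second, outage, fw.unverified_allows

if __name__ == "__main__":
    print(demo())
```

The model ignores cache expiry and timing. Its point is that the first session to an uncached address, and every uncached session while the cloud service is unreachable, passes without a verdict, which is why steps 4 through 7 matter for enforcement and not only for availability.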