Advanced IP Defense Licenses

Learn about the Advanced IP Defense license options and the steps to activate and onboard the service on your enforcement points.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or Panorama)
  • VM-Series
  • Cloud NGFW for AWS
  • Cloud NGFW on Azure
  • Prisma Access
What Do I Need?
  • Advanced IP Defense license
  • PAN-OS 12.2 and later
Palo Alto Networks Advanced IP Defense is a cloud-delivered security service that stops outbound direct-to-IP threats and inbound attacks by providing real-time IP intelligence and direct-to-IP detection. To deploy Advanced IP Defense on your enforcement points, complete the following steps in order:
  1. Configure and deploy Advanced IP Defense.

Advanced IP Defense License Types

Advanced IP Defense is available through the following license options. To determine the best option for your environment, contact your Palo Alto Networks sales representative.
  • Standalone — A standalone subscription is available in 1-year, 3-year, and 5-year terms with renewal options. The standalone license uses auth-code activation and supports all NGFW form factors running PAN-OS 12.2 or later.
  • VM-Series Flex—The VM-Series software firewall deployment profile includes Advanced IP Defense.
  • Precision AI Enterprise Bundle—The Precision AI Enterprise bundle includes Advanced IP Defense alongside all subscriptions in the Precision AI Pro bundle. The Precision AI Enterprise bundle license replaces the previous Precision AI Pro bundle license.
  • Enterprise License Agreement (ELA)—The ELA8 bundle includes Advanced IP Defense along with Advanced Threat Prevention, Advanced URL Filtering, Advanced WildFire, Advanced DNS Security, and Prisma Access. If you have an existing ELA1 contract, you can add Advanced IP Defense with an ELA2 add-on license for the remainder of the contract term.
For FedRAMP Moderate and FedRAMP High environments, Palo Alto Networks offers separate modifier licenses for all Advanced IP Defense license types. Contact your Palo Alto Networks sales representative to obtain the appropriate FedRAMP license.

What Is Included with an Advanced IP Defense License?

What is included with Advanced IP Defense depends on the PAN-OS version running on your enforcement point.
  • PAN-OS 12.2 and later
    Enforcement points running PAN-OS 12.2 and later have full access to Advanced IP Defense capabilities.
    | Capability | Description |
    | --- | --- |
    | Real-time cloud lookups | On-demand IP attribute queries to the Advanced IP Defense cloud service. |
    | Direct-to-IP detection | Identifies outbound connections to IP addresses without a prior DNS resolution, using a per-tenant DNS state table maintained by Advanced IP Defense. |
    | Zone-based security profiles | Attach profiles to zones for broad coverage across all traffic crossing a zone boundary. Create match rules using IP attribute categories, tags, and boolean logic. |
    | Granular enforcement actions | Configure alert, block, or deny actions per match rule, with configurable log severity. |
    | Local IP attribute cache | Cache up to 1 million IP attribute entries locally for low-latency enforcement with configurable cache-miss behavior. |
    | Allowlist updates | Periodic per-tenant allowlist downloads from the cloud (Advanced IP Defense allowlist and direct-to-IP allowlist) for reduced false positives. |
    | Dedicated threat log subtype | A dedicated ip-defense threat log subtype with fields for matched category, tag, profile name, rule name, match direction, and DNS-seen status. |
    | Content-delivered categories and tags | IP attribute categories and tags delivered through the content update package. New categories and tags appear without a PAN-OS upgrade. |
  • PAN-OS 11.1 and 12.1
    Enforcement points running PAN-OS 11.1 through 12.1 receive a subset of Advanced IP Defense intelligence through predefined External Dynamic Lists (EDLs) delivered by the antivirus content package.
    | Capability | Description |
    | --- | --- |
    | Predefined EDLs | Curated IP threat lists delivered automatically through the AV content package, covering C2 infrastructure, malware-hardcoded IPs, commercial VPNs, proxies, scanners and brute-force IPs, and exposed vulnerable services. |
    | Security policy rule integration | Use predefined EDLs as source or destination address objects in Security policy rules to block or alert on matching traffic. |
    | Standard logging | EDL hits are logged in threat logs with the EDL name recorded in the source or destination EDL column. |
    PAN-OS 11.1 and 12.1 do not support the following capabilities:
    • Real-time cloud lookups for IP attributes
    • Direct-to-IP (no-DNS) detection
    • Zone-based security profiles with granular match rules
    • Per-category and per-tag enforcement actions
    • Dedicated ip-defense threat log subtype
    • Allowlists maintained by Advanced IP Defense
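
The direct-to-IP detection capability listed above for PAN-OS 12.2 and later flags outbound connections that no DNS resolution preceded, with a direct-to-IP allowlist to reduce false positives. The sketch below is an added illustration of that idea, not Palo Alto Networks code or the product's actual logic; the class and function names, the TTL grace period, and the sample events are assumptions constructed for the example.

```python
import ipaddress

class DnsStateTable:
    """Map of resolved IP -> expiry time, built from observed DNS answers."""
    def __init__(self, grace=30):
        self.expiry = {}    # normalized IP string -> epoch second the answer stops counting
        self.grace = grace  # assumed slack for clients that cache slightly past the TTL

    def record_answer(self, ts, ip, ttl):
        ip = str(ipaddress.ip_address(ip))  # normalize so equivalent spellings match
        self.expiry[ip] = max(self.expiry.get(ip, 0), ts + ttl + self.grace)

    def dns_seen(self, ts, ip):
        return self.expiry.get(str(ipaddress.ip_address(ip)), 0) >= ts

def classify(conn, table, allowlist):
    """Return 'allowlisted', 'dns-seen' or 'direct-to-ip' for one outbound connection."""
    dst = ipaddress.ip_address(conn["dst"])
    if any(dst in net for net in allowlist):
        return "allowlisted"
    if table.dns_seen(conn["ts"], conn["dst"]):
        return "dns-seen"
    return "direct-to-ip"

# Constructed sample events in time order (documentation address ranges only)
EVENTS = [
    ("dns",  {"ts": 100, "ip": "198.51.100.10", "ttl": 60}),
    ("conn", {"ts": 105, "dst": "198.51.100.10"}),  # resolved 5 s earlier
    ("conn", {"ts": 110, "dst": "203.0.113.77"}),   # never resolved
    ("conn", {"ts": 120, "dst": "192.0.2.53"}),     # inside the allowlisted range
    ("conn", {"ts": 400, "dst": "198.51.100.10"}),  # answer expired at ts 190
]
ALLOWLIST = [ipaddress.ip_network("192.0.2.0/24")]  # constructed direct-to-IP allowlist

def run(events=EVENTS, allowlist=ALLOWLIST):
    """Replay the events and return (destination, verdict) for each connection."""
    table, verdicts = DnsStateTable(), []
    for kind, ev in events:
        if kind == "dns":
            table.record_answer(ev["ts"], ev["ip"], ev["ttl"])
        else:
            verdicts.append((ev["dst"], classify(ev, table, allowlist)))
    return verdicts

if __name__ == "__main__":
    for dst, verdict in run():
        print(dst, verdict)
```

The last event shows why the state table needs expiry: a destination that was resolved once should not count as DNS-seen indefinitely.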