Enable Advanced IP Defense
Learn how to enable Advanced IP Defense on Strata Cloud Manager, PAN-OS, and Panorama to protect against IP-based threats.
Where Can I Use This?
  • PAN-OS 12.2 and later
  • Strata Cloud Manager
  • PAN-OS 12.1.x and 11.2.x (EDL-based)
What Do I Need?
  • Advanced IP Defense license
  • Network connectivity to Advanced IP Defense cloud service
Advanced IP Defense is a cloud-delivered security service that provides real-time, context-aware IP address inspection and enforcement. It closes a critical security gap by protecting against threats that bypass traditional DNS and URL-based controls by operating directly at the IP layer.
The service addresses two major attack vectors. Outbound threats occur when malware establishes direct-to-IP connections to exfiltrate data or maintain Command & Control (C2) communications, bypassing DNS and URL inspection controls. Inbound threats involve attackers using large-scale automation, proxies, and anonymizers to perform scanning, reconnaissance, and exploitation of network resources.
Advanced IP Defense leverages over 40 dynamic, real-time IP attributes—such as Anonymizer, Botnet, High-Risk, Malware C2, and Cloud Provider classifications—to enable granular, context-aware security policies. By correlating traffic with DNS resolution data, the service detects "direct-to-IP" connections (connections without prior DNS resolution) and applies Zero-Trust IP policies to block suspicious activity while allowing legitimate business traffic.
The service provides direct-to-IP detection to identify outbound connections made without a preceding DNS resolution, a common technique malware uses to establish C2 channels or exfiltrate data. Policy can key on any of those attributes, including anonymizers, proxies, cloud providers, malware C2 servers, and vulnerable services. Context-aware blocking uses DNS resolution history to distinguish legitimate traffic to shared infrastructure (such as AWS or CDNs) from malicious connections to the same addresses. Allowlists and DNS caching keep false positives down while maintaining detection accuracy, which reduces the operational burden of maintaining static IP blocklists. Finally, the service maintains a global IP attributes database built from multiple threat intelligence sources, so threat information stays current without manual feed management.
For PAN-OS 12.2 and later and for Strata Cloud Manager, you configure Advanced IP Defense through a zone-based Advanced IP Defense profile whose rules key on IP attributes and on direct-to-IP detection. The firewall keeps a local cache of IP attributes and DNS resolution history so that most decisions are made without a cloud round trip. On a cache miss it queries the Advanced IP Defense cloud service for the IP attributes and the direct-to-IP result. If that lookup times out, the session is allowed by default (fail-open) to preserve business continuity. Plan for this behavior: while the cloud service is unreachable, enforcement degrades to whatever is already cached, so alert on loss of connectivity to the service rather than assuming that silence in the logs means nothing was missed.
For customers on PAN-OS 12.1.x and 11.2.x, Advanced IP Defense is available through a backward compatibility solution that delivers Advanced IP Defense (AIPD) intelligence as predefined External Dynamic Lists (EDLs). The lists are delivered automatically through the existing content update channel and contain a curated subset of the high-risk malicious IPs identified by the cloud security engines. Because they plug directly into your existing security policies, they give visibility into blocked attacks without requiring the AIPD security profiles or Gen-4 hardware, so legacy environments keep a baseline defense against IP-based threats until they can migrate to the profile-based solution. The EDLs come in two sizes (16K and 100K entries) to fit different hardware platform capacity limits, and you reference them in existing security rules to block traffic to or from the listed addresses. Note that this backward compatibility solution does not support direct-to-IP detection, real-time lookup, granular profile-based controls, or the enhanced logging and reporting of the full Advanced IP Defense implementation.
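The following is an added example written for this page, not Palo Alto Networks code. It models the three behaviors described above: direct-to-IP detection from a DNS-history cache with TTL expiry, a local attribute cache in front of a cloud lookup, and fail-open when that lookup times out. The event shapes, the TTL handling, the attribute names and the CloudService stub are assumptions; the addresses are documentation ranges (constructed data).

```python
"""Direct-to-IP detection backed by a DNS-history cache, with a local
attribute cache in front of a cloud lookup that fails open on timeout.

Added example, not Palo Alto Networks code. Event shapes, TTL handling,
attribute names and the CloudService stub are assumptions; the IPs are
documentation ranges (constructed data).
"""


class CloudService:
    """Stand-in for the Advanced IP Defense cloud service (constructed data)."""

    def __init__(self, attributes, unreachable=()):
        self.attributes = attributes          # ip -> set of attribute names
        self.unreachable = set(unreachable)   # IPs whose lookup will time out
        self.calls = 0

    def lookup(self, ip):
        self.calls += 1
        if ip in self.unreachable:
            raise TimeoutError(f"lookup for {ip} timed out")
        return set(self.attributes.get(ip, ()))


class Inspector:
    """Tracks DNS answers and classifies new connections."""

    def __init__(self, cloud, attr_ttl=300):
        self.cloud = cloud
        self.attr_ttl = attr_ttl
        self.dns = {}     # ip -> {domain: answer_expires_at}
        self.attrs = {}   # ip -> (attribute set, cache_expires_at)

    def dns_answer(self, domain, ip, ttl, now):
        """Record that `domain` resolved to `ip`, valid for `ttl` seconds."""
        self.dns.setdefault(ip, {})[domain] = now + ttl

    def resolved_via(self, ip, now):
        """Domains whose still-valid DNS answers contained `ip`."""
        live = {d: exp for d, exp in self.dns.get(ip, {}).items() if exp >= now}
        self.dns[ip] = live          # drop expired answers as we go
        return sorted(live)

    def attributes_for(self, ip, now):
        """Return (attributes, source); source is 'cache', 'cloud' or 'fail-open'."""
        cached = self.attrs.get(ip)
        if cached and cached[1] >= now:
            return cached[0], "cache"
        try:
            attrs = self.cloud.lookup(ip)
        except TimeoutError:
            return set(), "fail-open"  # nothing cached: allow rather than stall
        self.attrs[ip] = (attrs, now + self.attr_ttl)
        return attrs, "cloud"

    def inspect(self, src, dst, dport, now):
        domains = self.resolved_via(dst, now)
        attrs, source = self.attributes_for(dst, now)
        no_dns = not domains
        if source == "fail-open":
            action = "allow"           # cloud timeout: fail-open, but visible in `source`
        elif "Malware C2" in attrs:
            action = "block"
        elif no_dns:
            action = "block"           # direct-to-IP: no prior resolution
        else:
            action = "allow"
        return {"src": src, "dst": dst, "dport": dport, "domains": domains,
                "no_dns": no_dns, "attrs": sorted(attrs), "source": source,
                "action": action}


def run_scenario():
    """Constructed timeline: a CDN address, a hard-coded C2 and a cloud timeout."""
    cloud = CloudService(
        attributes={"203.0.113.10": {"Cloud Provider"},
                    "198.51.100.7": {"Malware C2", "High-Risk"}},
        unreachable={"192.0.2.44"},
    )
    insp = Inspector(cloud)
    insp.dns_answer("cdn.example.com", "203.0.113.10", ttl=60, now=0)
    return [
        insp.inspect("10.0.0.5", "203.0.113.10", 443, now=5),    # resolved; cache miss -> cloud
        insp.inspect("10.0.0.5", "203.0.113.10", 443, now=10),   # resolved; cache hit
        insp.inspect("10.0.0.8", "198.51.100.7", 8443, now=20),  # hard-coded C2, no DNS
        insp.inspect("10.0.0.5", "203.0.113.10", 443, now=100),  # DNS answer expired -> NO_DNS
        insp.inspect("10.0.0.9", "192.0.2.44", 22, now=100),     # cloud timed out -> fail-open
    ]


if __name__ == "__main__":
    for v in run_scenario():
        print(v["dst"], v["source"], "no_dns=%s" % v["no_dns"], v["action"])
```

The fourth event is the case worth noticing: the same CDN address that was allowed at t=5 is blocked at t=100 because the only DNS answer covering it has expired. That is the false-positive window the page's DNS caching and allowlists exist to close, and it is why exceptions for known shared infrastructure belong in the profile rather than in ad hoc rule edits.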
Advanced IP Defense supports several common use cases. You can prevent outbound C2 (direct-to-IP) by blocking malware from communicating with Command & Control servers using hardcoded IP addresses that bypass DNS inspection. You can secure shared infrastructure by allowing legitimate traffic to cloud providers and CDNs while blocking malicious connections to the same shared IPs. You can block inbound attacks to protect internet-facing gateways from automated attacks using anonymization services like Tor, VPNs, and proxies. Finally, you can consolidate threat intelligence by ingesting custom threat intelligence and third-party feeds through cloud-hosted EDLs, eliminating the need for on-premises feed management infrastructure.

Enable Advanced IP Defense (Cloud Management)

Configure Advanced IP Defense in Strata Cloud Manager to enable real-time IP address inspection and enforcement for Prisma Access.
Where Can I Use This?
  • Strata Cloud Manager
  • Prisma Access
What Do I Need?
  • Advanced IP Defense license
  • Prisma Access subscription
  • Admin access to Strata Cloud Manager
Advanced IP Defense in Strata Cloud Manager provides cloud-based IP address inspection and enforcement for Prisma Access deployments. This enables you to protect remote users and cloud-connected resources against IP-based threats using dynamic IP attributes and direct-to-IP detection.
  1. Log in to Strata Cloud Manager.
    Use your Palo Alto Networks support account credentials to access the Strata Cloud Manager at https://apps.paloaltonetworks.com/.
  2. Verify that you have an active Advanced IP Defense license.
    Select Configuration > NGFW and Prisma Access > Overview and check the license usage terms link in the License panel. Verify that the Advanced IP Defense license is active.
  3. Create or update an Advanced IP Defense profile.
    Select Configuration > Security Services > Advanced IP Defense and click Add to create a new profile or select an existing profile to edit.
    Enter a name and description for the profile.
  4. Configure policy rules within the Advanced IP Defense profile.
    Click Add Rule to create rules that match traffic based on IP attributes or direct-to-IP detection. For each rule, specify:
    • IP Match Field (source IP or destination IP)
    • Match criteria (IP attributes, categories, or NO_DNS for direct-to-IP detection)
    • Action (Allow, Alert, or Block)
    • Log severity level
    You can combine multiple criteria using AND, OR, or NOT operators to create complex rules.
  5. Configure exceptions and allowlists.
    Click the Exceptions tab to configure exceptions for known benign traffic. You can add:
    • IP-based exceptions
    • Port-based exceptions
    • IP-port pair exceptions
    • EDL-based exceptions
    Exceptions allow you to bypass Advanced IP Defense checks for specific traffic patterns.
  6. Click OK to save the Advanced IP Defense profile.
    The profile is now created and ready to be attached to security zones or Prisma Access gateways.
  7. Attach the Advanced IP Defense profile to security zones or gateways.
    Select Configuration > Network > Zones and select the zone where you want to enforce Advanced IP Defense policies. Attach the Advanced IP Defense profile you created.
  8. Commit your changes.
    Click Commit to apply the Advanced IP Defense configuration.
  9. Monitor Advanced IP Defense activity.
    Select Incidents and Alerts > Log Viewer to view logs for traffic that matched Advanced IP Defense rules. You can filter logs by IP attributes, direct-to-IP detection, or specific rules to track blocked threats and validate policy effectiveness.
After enabling Advanced IP Defense, monitor the logs regularly to track blocked threats and validate policy effectiveness. You can create additional profiles for different security zones or refine your existing rules based on traffic patterns and security requirements.

PAN-OS & Panorama

Enable Advanced IP Defense on PAN-OS 12.2 and later or on PAN-OS 12.1.x and 11.2.x using predefined EDLs.

Enable Advanced IP Defense (PAN-OS 12.2 and Later)

Configure Advanced IP Defense on your firewall to enable real-time IP address inspection and enforcement based on IP attributes and direct-to-IP detection.
Where Can I Use This?
  • PAN-OS 12.2 and later
  • Panorama
What Do I Need?
  • Advanced IP Defense license
  • Network connectivity to Advanced IP Defense cloud service
  • Admin access to firewall or Panorama
Advanced IP Defense provides real-time IP address inspection and enforcement to protect against threats that bypass traditional DNS and URL-based controls. By enabling Advanced IP Defense, you can enforce policies based on over 40 dynamic IP attributes and detect direct-to-IP connections that indicate potential malware or data exfiltration attempts.
  1. Log in to your firewall or Panorama.
    Use your admin credentials to access the web interface.
  2. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  3. Create or update an Advanced IP Defense profile.
    Select Objects > Security Profiles > Advanced IP Defense and click Add to create a new profile or select an existing profile to edit.
    Enter a name and description for the profile. You can also select a default profile to use as a template.
  4. Configure policy rules within the Advanced IP Defense profile.
    Click Add Rule to create rules that match traffic based on IP attributes or direct-to-IP detection. For each rule, specify:
    • IP Match Field (source IP or destination IP)
    • Match criteria (IP attributes, categories, or NO_DNS for direct-to-IP detection)
    • Action (Allow, Alert, or Block)
    • Log severity level
    You can combine multiple criteria using AND, OR, or NOT operators to create complex rules.
  5. Configure exceptions and allowlists.
    Click the Exceptions tab to configure exceptions for known benign traffic. You can add:
    • IP-based exceptions
    • Port-based exceptions
    • IP-port pair exceptions
    • EDL-based exceptions
    Exceptions allow you to bypass Advanced IP Defense checks for specific traffic patterns.
  6. Click OK to save the Advanced IP Defense profile.
    The profile is now created and ready to be attached to security zones.
  7. Attach the Advanced IP Defense profile to security zones.
    Select Network > Zones and select the zone where you want to enforce Advanced IP Defense policies. In the zone configuration, attach the Advanced IP Defense profile you created.
  8. Commit your changes.
    Click Commit to apply the Advanced IP Defense configuration to your firewall.
  9. Monitor Advanced IP Defense activity.
    Select Monitor > Logs > Threat to view logs for traffic that matched Advanced IP Defense rules. You can filter logs by IP attributes, direct-to-IP detection, or specific rules to track blocked threats and validate policy effectiveness.
After enabling Advanced IP Defense, you can create additional profiles for different security zones or refine your existing rules based on traffic patterns and security requirements. Monitor the logs regularly to ensure your policies are effective and adjust rules as needed.
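Steps 4 and 5 of this procedure, and the identical steps in the Strata Cloud Manager procedure above, describe a profile as an ordered set of rules (IP match field, criteria combined with AND/OR/NOT including NO_DNS, an action, a log severity) plus exceptions by IP, port, IP-port pair or EDL. The following added example, written for this page and not Palo Alto Networks code, is an evaluation model of such a profile so you can reason about rule order and exception scope before committing. That exceptions are checked before rules, that the first matching rule wins, and the record shapes used here are assumptions; the addresses are documentation ranges (constructed data).

```python
"""Evaluation model for an Advanced IP Defense profile: ordered rules with an
IP match field, criteria combined with AND/OR/NOT (attributes and NO_DNS), an
action and a log severity, plus exceptions (IP, port, IP-port pair, EDL) that
bypass the profile.

Added example, not Palo Alto Networks code. Exceptions-before-rules ordering,
first-match semantics and the record shapes are assumptions; the IPs are
documentation ranges (constructed data).
"""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    match_field: str      # "source" or "destination": which IP the criteria apply to
    criteria: tuple       # ("attr", X) | ("no_dns",) | ("and"|"or", *c) | ("not", c)
    action: str           # "allow", "alert" or "block"
    severity: str         # log severity


@dataclass
class Exceptions:
    ips: set = field(default_factory=set)
    ports: set = field(default_factory=set)
    ip_ports: set = field(default_factory=set)
    edls: dict = field(default_factory=dict)   # edl name -> set of member IPs

    def matches(self, ip, port=None):
        """Name of the exception covering this IP (and destination port), or None."""
        if ip in self.ips:
            return f"ip:{ip}"
        if port is not None and port in self.ports:
            return f"port:{port}"
        if port is not None and (ip, port) in self.ip_ports:
            return f"ip-port:{ip}:{port}"
        for name, members in self.edls.items():
            if ip in members:
                return f"edl:{name}"
        return None


def evaluate(criteria, facts):
    """Recursively evaluate a criteria tree against {'attrs': set, 'no_dns': bool}."""
    kind = criteria[0]
    if kind == "attr":
        return criteria[1] in facts["attrs"]
    if kind == "no_dns":
        return facts["no_dns"]
    if kind == "not":
        return not evaluate(criteria[1], facts)
    if kind == "and":
        return all(evaluate(c, facts) for c in criteria[1:])
    if kind == "or":
        return any(evaluate(c, facts) for c in criteria[1:])
    raise ValueError(f"unknown criteria kind {kind!r}")


def apply_profile(rules, exceptions, session):
    """Return (action, reason, severity) for one session record."""
    for ip, port in ((session["src"], None), (session["dst"], session["dport"])):
        hit = exceptions.matches(ip, port)
        if hit:
            return "allow", f"exception {hit}", None   # exceptions bypass all rules
    for rule in rules:                                 # first match wins
        facts = session["src_facts"] if rule.match_field == "source" else session["dst_facts"]
        if evaluate(rule.criteria, facts):
            return rule.action, rule.name, rule.severity
    return "allow", "no rule matched", None


def example_profile():
    rules = [
        Rule("block-c2-out", "destination",
             ("or", ("attr", "Malware C2"), ("attr", "Botnet")), "block", "critical"),
        Rule("block-direct-to-ip", "destination",
             ("and", ("no_dns",), ("not", ("attr", "Cloud Provider"))), "block", "high"),
        Rule("alert-direct-to-cloud", "destination",
             ("and", ("no_dns",), ("attr", "Cloud Provider")), "alert", "medium"),
        Rule("block-anonymizer-in", "source", ("attr", "Anonymizer"), "block", "high"),
    ]
    exceptions = Exceptions(
        ip_ports={("198.51.100.20", 443)},             # partner API reached by hard-coded IP
        edls={"internal-scanners": {"203.0.113.5"}},   # hypothetical EDL of our own scanners
    )
    return rules, exceptions


def session(src, dst, dport, src_attrs=(), dst_attrs=(), dst_no_dns=False):
    """NO_DNS is a property of the destination; a source IP is never 'resolved'."""
    return {"src": src, "dst": dst, "dport": dport,
            "src_facts": {"attrs": set(src_attrs), "no_dns": False},
            "dst_facts": {"attrs": set(dst_attrs), "no_dns": dst_no_dns}}


def run_examples():
    rules, exceptions = example_profile()
    sessions = [
        session("10.0.0.5", "198.51.100.7", 8443, dst_attrs={"Malware C2"}, dst_no_dns=True),
        session("10.0.0.5", "192.0.2.9", 4444, dst_no_dns=True),
        session("10.0.0.5", "203.0.113.10", 443, dst_attrs={"Cloud Provider"}, dst_no_dns=True),
        session("10.0.0.5", "203.0.113.10", 443, dst_attrs={"Cloud Provider"}),
        session("198.51.100.99", "192.0.2.80", 443, src_attrs={"Anonymizer"}),
        session("203.0.113.5", "192.0.2.80", 443, src_attrs={"Anonymizer"}),
        session("10.0.0.5", "198.51.100.20", 443, dst_no_dns=True),
    ]
    return [apply_profile(rules, exceptions, s) for s in sessions]
```

Two points the model makes visible. Rule order matters: a C2 destination reached without DNS matches block-c2-out at critical severity before the generic direct-to-IP rule sees it, so put the most specific, highest-severity rules first. And an exception is a full bypass, so an EDL exception for a scanner pool also silences the anonymizer rule for those addresses; scope exceptions to IP-port pairs where you can.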

Enable Advanced IP Defense (PAN-OS 12.1.x and 11.2.x)

Configure Advanced IP Defense on PAN-OS 12.1.x and 11.2.x using predefined External Dynamic Lists (EDLs) to block malicious IP addresses.
Where Can I Use This?
  • PAN-OS 12.1.x
  • PAN-OS 11.2.x
  • Panorama
What Do I Need?
  • Advanced IP Defense license
  • Latest content package installed
  • Admin access to firewall or Panorama
For PAN-OS 12.1.x and 11.2.x, Advanced IP Defense is available through predefined External Dynamic Lists (EDLs) that are automatically delivered via content updates. These EDLs contain a curated subset of high-risk malicious IP addresses identified by the Advanced IP Defense cloud service, allowing you to block threats without requiring the latest AIPD security profiles.
  1. Log in to your firewall or Panorama.
    Use your admin credentials to access the web interface.
  2. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  3. Update to the latest content package.
    Select Device > Dynamic Updates and check for the latest content release. The Advanced IP Defense EDLs are delivered through the content package.
  4. Verify that the Advanced IP Defense EDLs are available.
    Select Objects > External Dynamic Lists and look for predefined EDLs with names containing "Advanced IP Defense" or "AIPD". These EDLs are available in two sizes (16K and 100K) to accommodate different hardware platform capacity limits.
  5. Create security policy rules that reference the Advanced IP Defense EDLs.
    Select Policies > Security and create or edit a security policy rule. In the rule configuration:
    • Set the source and destination zones and addresses as needed
    • Add the Advanced IP Defense EDL to the source address field for an inbound rule (blocking connections from listed addresses) or to the destination address field for an outbound rule (blocking connections to listed addresses)
    • Set the action: Deny, Drop, or Reset to block; Allow with logging enabled if you only want visibility of hits before you enforce
    • Configure logging to track EDL hits
  6. Configure the rule action.
    For inbound traffic, you can block traffic from anonymizers and proxies. For outbound traffic, you can block traffic to malware C2 servers and vulnerable services. Choose the appropriate action based on your security requirements.
  7. Enable logging for the rule.
    In the rule configuration, enable logging so that you can track when traffic matches the Advanced IP Defense EDL. This provides visibility into blocked threats.
  8. Commit your changes.
    Click Commit to apply the security policy rules to your firewall.
  9. Monitor EDL hits and traffic logs.
    Select Monitor > Logs > Traffic to view logs for traffic that matched the Advanced IP Defense EDL rules. The EDL name will be displayed in the source EDL or destination EDL columns of the logs.
After enabling Advanced IP Defense EDLs, monitor the logs regularly to track blocked threats and validate policy effectiveness. As your organization prepares to upgrade to PAN-OS 12.2 or later, you can migrate to the full Advanced IP Defense profile-based implementation for enhanced capabilities including direct-to-IP detection and granular attribute-based controls.
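For step 9, the following added example (written for this page, not Palo Alto Networks code) summarizes EDL hits from an exported traffic log: hits per EDL and direction, per rule and action, and the most frequent peer addresses, which is where both exception candidates and targets worth escalating show up. The CSV columns (rule, src, dst, dport, action, src_edl, dst_edl), the rule names and the EDL name aipd-list-16k are a constructed, simplified export; a real export carries many more fields and the predefined EDL names differ, so map the column names to your own before use.

```python
"""Summarize EDL hits from an exported traffic log to validate EDL-based rules.

Added example, not Palo Alto Networks code. The column set, rule names and
the EDL name are constructed placeholders for a simplified export.
"""
import csv
import io
from collections import Counter

# Constructed sample export (documentation-range addresses).
SAMPLE_LOG = """\
rule,src,dst,dport,action,src_edl,dst_edl
block-aipd-inbound,198.51.100.23,192.0.2.80,443,deny,aipd-list-16k,
block-aipd-inbound,198.51.100.23,192.0.2.80,22,deny,aipd-list-16k,
block-aipd-inbound,198.51.100.77,192.0.2.80,443,deny,aipd-list-16k,
block-aipd-outbound,10.0.0.8,203.0.113.45,8443,deny,,aipd-list-16k
block-aipd-outbound,10.0.0.8,203.0.113.45,8443,deny,,aipd-list-16k
monitor-aipd-outbound,10.0.0.12,203.0.113.9,443,allow,,aipd-list-16k
allow-web,10.0.0.12,192.0.2.200,443,allow,,
"""


def parse_log(text):
    """Parse the CSV export into dicts, with the port as an int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["dport"] = int(row["dport"])
    return rows


def edl_hits(rows):
    """Rows in which either the source or the destination matched an EDL."""
    return [r for r in rows if r["src_edl"] or r["dst_edl"]]


def summarize(rows):
    """Aggregate EDL hits by list and direction, by rule and action, and by peer."""
    hits = edl_hits(rows)
    per_edl = Counter()
    per_rule_action = Counter()
    peers = Counter()
    for r in hits:
        inbound = bool(r["src_edl"])          # source matched: a listed IP reached us
        edl = r["src_edl"] if inbound else r["dst_edl"]
        per_edl[(edl, "inbound" if inbound else "outbound")] += 1
        per_rule_action[(r["rule"], r["action"])] += 1
        peers[r["src"] if inbound else r["dst"]] += 1
    # Hits on rules whose action is allow are visibility only, not blocks.
    allowed = sum(n for (_, action), n in per_rule_action.items() if action == "allow")
    return {"total_hits": len(hits), "per_edl": dict(per_edl),
            "per_rule_action": dict(per_rule_action),
            "top_peers": peers.most_common(3), "allowed_hits": allowed}


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

The allowed_hits figure is the one to watch: hits on a log-only rule are listed addresses your policy let through, so either promote that rule to a blocking action or record why those peers are exempt.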