PAN-OS & Panorama
Advanced IP Defense


Enable Advanced IP Defense on PAN-OS 12.2 and later or on PAN-OS 12.1.x and 11.2.x using predefined EDLs.

Enable Advanced IP Defense (PAN-OS 12.2 and Later)

Configure Advanced IP Defense on your firewall to enable real-time IP address inspection and enforcement based on IP attributes and direct-to-IP detection.
Where Can I Use This?
  • PAN-OS 12.2 and later
  • Panorama
What Do I Need?
  • Advanced IP Defense license
  • Network connectivity to Advanced IP Defense cloud service
  • Admin access to firewall or Panorama
Advanced IP Defense provides real-time IP address inspection and enforcement to protect against threats that bypass traditional DNS and URL-based controls. By enabling Advanced IP Defense, you can enforce policies based on over 40 dynamic IP attributes and detect direct-to-IP connections that indicate potential malware or data exfiltration attempts.
  1. Log in to your firewall or Panorama.
    Use your admin credentials to access the web interface.
  2. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  3. Create or update an Advanced IP Defense profile.
    Select Objects > Security Profiles > Advanced IP Defense and click Add to create a new profile, or select an existing profile to edit.
    Enter a name and description for the profile. You can also select a default profile to use as a template.
  4. Configure policy rules within the Advanced IP Defense profile.
    Click Add Rule to create rules that match traffic based on IP attributes or direct-to-IP detection. For each rule, specify:
    • IP Match Field (source IP or destination IP)
    • Match criteria (IP attributes, categories, or NO_DNS for direct-to-IP detection)
    • Action (Allow, Alert, or Block)
    • Log severity level
    You can combine multiple criteria using AND, OR, or NOT operators to create complex rules.
  5. Configure exceptions and allowlists.
    Click the Exceptions tab to configure exceptions for known benign traffic. You can add:
    • IP-based exceptions
    • Port-based exceptions
    • IP-port pair exceptions
    • EDL-based exceptions
    Exceptions allow you to bypass Advanced IP Defense checks for specific traffic patterns.
  6. Click OK to save the Advanced IP Defense profile.
    The profile is now created and ready to be attached to security zones.
  7. Attach the Advanced IP Defense profile to security zones.
    Select Network > Zones and select the zone where you want to enforce Advanced IP Defense policies. In the zone configuration, attach the Advanced IP Defense profile you created.
  8. Commit your changes.
    Click Commit to apply the Advanced IP Defense configuration to your firewall.
  9. Monitor Advanced IP Defense activity.
    Select Monitor > Logs > Threat to view logs for traffic that matched Advanced IP Defense rules. You can filter logs by IP attributes, direct-to-IP detection, or specific rules to track blocked threats and validate policy effectiveness.
After enabling Advanced IP Defense, you can create additional profiles for different security zones or refine your existing rules based on traffic patterns and security requirements. Monitor the logs regularly to ensure your policies are effective and adjust rules as needed.
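A small Python model of how the profile rules from step 4 and the exceptions from step 5 fit together: an added example, not PAN-OS code. The attribute lookup, the profile contents, the "exceptions first, then first matching rule" ordering and the field names are all assumptions made for illustration.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed stand-in for the per-IP attributes the cloud service supplies (assumption).
IP_ATTRIBUTES = {"203.0.113.10": {"anonymizer", "proxy"}, "198.51.100.7": {"malware-c2"}}
# resolved_by_dns=False models a direct-to-IP connection, i.e. the NO_DNS criterion.
Flow = namedtuple("Flow", "src dst dst_port resolved_by_dns")
# ip_match_field is "source" or "destination"; criteria is a predicate(attributes, flow)
# that combines IP attributes and NO_DNS with and/or/not; action is Allow, Alert or Block.
Rule = namedtuple("Rule", "name ip_match_field criteria action severity")

@dataclass
class Profile:
    rules: list
    ip_exceptions: set = field(default_factory=set)       # IP strings
    port_exceptions: set = field(default_factory=set)     # destination ports
    ip_port_exceptions: set = field(default_factory=set)  # (IP, port) pairs
    edl_exceptions: list = field(default_factory=list)    # CIDR strings taken from an EDL

def is_excepted(profile, flow):
    """Any matching exception bypasses the Advanced IP Defense checks for the flow."""
    for ip in (flow.src, flow.dst):
        if ip in profile.ip_exceptions or (ip, flow.dst_port) in profile.ip_port_exceptions:
            return True
        if any(ip_address(ip) in ip_network(cidr) for cidr in profile.edl_exceptions):
            return True
    return flow.dst_port in profile.port_exceptions

def evaluate(profile, flow):
    """Return (action, rule_name, severity): exceptions first, then first matching rule."""
    if is_excepted(profile, flow):
        return ("Allow", "exception", None)
    for rule in profile.rules:
        ip = flow.src if rule.ip_match_field == "source" else flow.dst
        if rule.criteria(IP_ATTRIBUTES.get(ip, set()), flow):
            return (rule.action, rule.name, rule.severity)
    return ("Allow", None, None)  # no rule matched, so the profile takes no action

# Constructed profile: an OR rule, an AND NOT rule using NO_DNS, and a plain attribute rule.
PROFILE = Profile(
    rules=[
        Rule("block-anonymizer-src", "source", lambda a, f: "anonymizer" in a or "proxy" in a, "Block", "high"),
        Rule("alert-direct-to-ip", "destination", lambda a, f: not f.resolved_by_dns and "malware-c2" not in a, "Alert", "medium"),
        Rule("block-c2-dst", "destination", lambda a, f: "malware-c2" in a, "Block", "critical"),
    ],
    ip_port_exceptions={("192.0.2.25", 443)},
    edl_exceptions=["203.0.113.64/26"],
)
```

Note that the direct-to-IP rule excludes known C2 destinations with NOT so that the later Block rule, not the Alert rule, is the one that fires for them.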

Enable Advanced IP Defense (PAN-OS 12.1.x and 11.2.x)

Configure Advanced IP Defense on PAN-OS 12.1.x and 11.2.x using predefined External Dynamic Lists (EDLs) to block malicious IP addresses.
Where Can I Use This?
  • PAN-OS 12.1.x
  • PAN-OS 11.2.x
  • Panorama
What Do I Need?
  • Advanced IP Defense license
  • Latest content package installed
  • Admin access to firewall or Panorama
For PAN-OS 12.1.x and 11.2.x, Advanced IP Defense is available through predefined External Dynamic Lists (EDLs) that are automatically delivered via content updates. These EDLs contain a curated subset of high-risk malicious IP addresses identified by the Advanced IP Defense cloud service, allowing you to block threats without requiring the latest AIPD security profiles.
  1. Log in to your firewall or Panorama.
    Use your admin credentials to access the web interface.
  2. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  3. Update to the latest content package.
    Select Device > Dynamic Updates and check for the latest content release. The Advanced IP Defense EDLs are delivered through the content package.
  4. Verify that the Advanced IP Defense EDLs are available.
    Select Objects > External Dynamic Lists and look for predefined EDLs with names containing "Advanced IP Defense" or "AIPD". These EDLs are available in two sizes (16K and 100K) to accommodate different hardware platform capacity limits.
  5. Create security policy rules that reference the Advanced IP Defense EDLs.
    Select Policies > Security and create or edit a security policy rule. In the rule configuration:
    • Set the source and destination addresses as needed
    • In the destination address field, add the Advanced IP Defense EDL you want to use
    • Specify the action (Allow, Deny, or Alert)
    • Configure logging to track EDL hits
  6. Configure the rule action.
    For inbound traffic, you can block traffic from anonymizers and proxies. For outbound traffic, you can block traffic to malware C2 servers and vulnerable services. Choose the appropriate action based on your security requirements.
  7. Enable logging for the rule.
    In the rule configuration, enable logging so that you can track when traffic matches the Advanced IP Defense EDL. This provides visibility into blocked threats.
  8. Commit your changes.
    Click Commit to apply the security policy rules to your firewall.
  9. Monitor EDL hits and traffic logs.
    Select Monitor > Logs > Traffic to view logs for traffic that matched the Advanced IP Defense EDL rules. The EDL name is displayed in the source EDL or destination EDL columns of the logs.
After enabling Advanced IP Defense EDLs, monitor the logs regularly to track blocked threats and validate policy effectiveness. As your organization prepares to upgrade to PAN-OS 12.2 or later, you can migrate to the full Advanced IP Defense profile-based implementation for enhanced capabilities including direct-to-IP detection and granular attribute-based controls.
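A Python model of the EDL-based rules from steps 5 to 9: an inbound rule keyed on a source EDL, an outbound rule keyed on a destination EDL, the source EDL / destination EDL log columns, and a hit count per EDL for validating the policy. This is an added example, not PAN-OS code; the EDL names and contents, the rule set and the top-down first-match evaluation with an implicit interzone deny are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed EDL contents (assumption): the real predefined lists arrive with content updates.
EDLS = {
    "AIPD-Anonymizers-Proxies-16K": ["203.0.113.0/24", "198.51.100.42"],
    "AIPD-Malware-C2-16K": ["192.0.2.128/25"],
}

def in_edl(edl_name, ip):
    """True if ip falls inside any entry (single host or CIDR) of the named EDL."""
    return any(ip_address(ip) in ip_network(entry, strict=False) for entry in EDLS[edl_name])

# Constructed security rules: inbound blocks sources on the anonymizer list, outbound blocks
# destinations on the C2 list. Rules are evaluated top-down and the first match wins.
RULES = [
    {"name": "block-inbound-anonymizers", "from": "untrust", "to": "trust",
     "source_edl": "AIPD-Anonymizers-Proxies-16K", "destination_edl": None, "action": "deny", "log": True},
    {"name": "block-outbound-c2", "from": "trust", "to": "untrust",
     "source_edl": None, "destination_edl": "AIPD-Malware-C2-16K", "action": "deny", "log": True},
    {"name": "default-allow", "from": "trust", "to": "untrust",
     "source_edl": None, "destination_edl": None, "action": "allow", "log": False},
]

def match_policy(from_zone, to_zone, src, dst):
    """Return the traffic-log record for a flow: action plus the source/destination EDL columns."""
    for rule in RULES:
        if (rule["from"], rule["to"]) != (from_zone, to_zone):
            continue
        if rule["source_edl"] and not in_edl(rule["source_edl"], src):
            continue
        if rule["destination_edl"] and not in_edl(rule["destination_edl"], dst):
            continue
        return {"rule": rule["name"], "action": rule["action"], "logged": rule["log"],
                "source_edl": rule["source_edl"], "destination_edl": rule["destination_edl"]}
    # No explicit rule matched: modelled as the implicit interzone deny, which is not logged here.
    return {"rule": None, "action": "deny", "logged": False, "source_edl": None, "destination_edl": None}

def edl_hit_counts(records):
    """Count logged records per EDL column value, the figure used to validate policy effectiveness."""
    counts = {}
    for record in records:
        for column in ("source_edl", "destination_edl"):
            if record["logged"] and record[column]:
                counts[record[column]] = counts.get(record[column], 0) + 1
    return counts
```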