Enable Advanced IP Defense (Cloud Management)

Configure Advanced IP Defense in Strata Cloud Manager to enable real-time IP address inspection and enforcement for Prisma Access.
Where Can I Use This?
  • Strata Cloud Manager
  • Prisma Access
What Do I Need?
  • Advanced IP Defense license
  • Prisma Access subscription
  • Admin access to Strata Cloud Manager
Advanced IP Defense in Strata Cloud Manager provides cloud-based IP address inspection and enforcement for Prisma Access deployments. This enables you to protect remote users and cloud-connected resources against IP-based threats using dynamic IP attributes and direct-to-IP detection.
  1. Log in to Strata Cloud Manager.
    Use your Palo Alto Networks support account credentials to access the Strata Cloud Manager at https://apps.paloaltonetworks.com/.
  2. Verify that you have an active Advanced IP Defense license.
    Select Configuration > NGFW and Prisma Access > Overview and check the license usage terms link in the License panel. Verify that the Advanced IP Defense license is active.
  3. Create or update an Advanced IP Defense profile.
    Select Configuration > Security Services > Advanced IP Defense and click Add to create a new profile, or select an existing profile to edit.
    Enter a name and description for the profile.
  4. Configure policy rules within the Advanced IP Defense profile.
    Click Add Rule to create rules that match traffic based on IP attributes or direct-to-IP detection. For each rule, specify:
    • IP Match Field (source IP or destination IP)
    • Match criteria (IP attributes, categories, or NO_DNS for direct-to-IP detection)
    • Action (Allow, Alert, or Block)
    • Log severity level
    You can combine multiple criteria using AND, OR, or NOT operators to create complex rules.
  5. Configure exceptions and allowlists.
    Click the Exceptions tab to configure exceptions for known benign traffic. You can add:
    • IP-based exceptions
    • Port-based exceptions
    • IP-port pair exceptions
    • EDL-based exceptions
    Exceptions allow you to bypass Advanced IP Defense checks for specific traffic patterns.
  6. Click OK to save the Advanced IP Defense profile.
    The profile is now created and ready to be attached to security zones or Prisma Access gateways.
  7. Attach the Advanced IP Defense profile to security zones or gateways.
    Select Configuration > Network > Zones and select the zone where you want to enforce Advanced IP Defense policies. Attach the Advanced IP Defense profile you created.
  8. Commit your changes.
    Click Commit to apply the Advanced IP Defense configuration.
  9. Monitor Advanced IP Defense activity.
    Select Incidents and Alerts > Log Viewer to view logs for traffic that matched Advanced IP Defense rules. You can filter logs by IP attributes, direct-to-IP detection, or specific rules to track blocked threats and validate policy effectiveness.
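The following Python is an added illustration, not code from Palo Alto Networks or from this page: it models how a profile built in steps 4 and 5 classifies a flow, with exceptions bypassing inspection, NO_DNS marking a connection made without a preceding DNS lookup, and rules combining attributes with AND, OR or NOT. The rule and attribute names, the first-match evaluation order, and the mapping of exceptions to the destination side are assumptions for the example.

```python
import ipaddress

# Constructed sample profile modelled on the UI fields above (assumption:
# rules are evaluated top-down, first match wins, exceptions checked first).
RULES = [
    {"name": "block-direct-to-ip-malicious", "field": "dst",
     "match": ("AND", ["NO_DNS", "malicious"]), "action": "Block", "severity": "high"},
    {"name": "alert-direct-to-ip", "field": "dst",
     "match": ("AND", ["NO_DNS"]), "action": "Alert", "severity": "medium"},
    {"name": "block-anonymizer-source", "field": "src",
     "match": ("OR", ["tor_exit", "anonymizer"]), "action": "Block", "severity": "high"},
]
EXCEPTIONS = {                        # constructed, applied to the destination side
    "ip": {"10.0.0.5"},
    "port": {123},                    # NTP is normally reached by IP, not by name
    "ip_port": {("203.0.113.9", 443)},
    "edl": {"198.51.100.0/24"},       # stands in for an external dynamic list
}

def flow(src, dst, dport, dns_resolved, src_attrs=(), dst_attrs=()):
    """Build a flow record: IP attributes are the categories the service assigns."""
    return {"src": src, "dst": dst, "dport": dport, "dns_resolved": dns_resolved,
            "attrs": {"src": set(src_attrs), "dst": set(dst_attrs)}}

def excepted(f):
    """True if any exception type (IP, port, IP-port pair, EDL) covers the flow."""
    if f["dst"] in EXCEPTIONS["ip"] or f["dport"] in EXCEPTIONS["port"]:
        return True
    if (f["dst"], f["dport"]) in EXCEPTIONS["ip_port"]:
        return True
    dst = ipaddress.ip_address(f["dst"])
    return any(dst in ipaddress.ip_network(n) for n in EXCEPTIONS["edl"])

def rule_matches(rule, f):
    """Evaluate the rule's criteria against the attributes of its IP match field."""
    attrs = set(f["attrs"][rule["field"]])
    if rule["field"] == "dst" and not f["dns_resolved"]:
        attrs.add("NO_DNS")           # direct-to-IP: no DNS resolution preceded it
    op, terms = rule["match"]
    hits = [t in attrs for t in terms]
    return all(hits) if op == "AND" else any(hits) if op == "OR" else not any(hits)

def evaluate(f, rules=RULES):
    """Return the verdict the profile would log for this flow."""
    if excepted(f):
        return {"action": "Allow", "rule": "exception", "severity": None}
    for rule in rules:
        if rule_matches(rule, f):
            return {"action": rule["action"], "rule": rule["name"], "severity": rule["severity"]}
    return {"action": "Allow", "rule": None, "severity": None}
```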
After enabling Advanced IP Defense, monitor the logs regularly to track blocked threats and validate policy effectiveness. You can create additional profiles for different security zones or refine your existing rules based on traffic patterns and security requirements.