Create Advanced IP Defense Exceptions and Allowlists
Create exceptions and allowlists to exclude legitimate traffic from Advanced IP Defense policy enforcement and reduce false positives.
Where Can I Use This?
  • PAN-OS 12.2 and later
  • Strata Cloud Manager
What Do I Need?
  • Advanced IP Defense license
  • Admin access to firewall or Strata Cloud Manager
  • Advanced IP Defense profile created
Because blocking IP addresses carries a higher risk and more severe impact from false positives than other security controls, Advanced IP Defense provides exceptions and allowlists to ensure that legitimate traffic is not disrupted. Exceptions exclude specific traffic from Advanced IP Defense policy enforcement, while allowlists pre-populate known-safe entries on the firewall and in the Advanced IP Defense cloud service. Together, these mechanisms reduce false positives and lower the volume of cloud lookups, improving both accuracy and performance.
Advanced IP Defense uses two types of allowlists that serve distinct purposes. The Advanced IP Defense allowlist causes the firewall to skip attribute lookups to the Advanced IP Defense cloud service entirely, so matching traffic passes without Advanced IP Defense enforcement (Security policy rules and other security profiles still apply). The direct-to-IP allowlist skips only the direct-to-IP detection check, treating the traffic as if a prior DNS resolution had occurred; attribute lookups and the remaining Advanced IP Defense checks still run. Many protocols such as BitTorrent, BGP, SIP, STUN, RTSP, CoAP, and MQTT legitimately connect directly to IP addresses by design, and the direct-to-IP allowlist prevents these from triggering false positives. Protocols that operate strictly within internal networks, such as DHCP, mDNS, and NetBIOS, don't require allowlisting because Advanced IP Defense only evaluates publicly routable IP addresses.
You can create exception entries using three formats: IP addresses or subnets, ports (with transport protocol), and IP-port pairs. For IP and subnet entries, the allowlist also includes the associated IP attributes (such as netblock owner classifications) so that the firewall can still take attribute-based action on allowed IPs when needed. Each entry has a priority value that determines which entries the firewall retains when memory capacity is limited. The priority order from highest to lowest is: direct-to-IP ports, direct-to-IP IPs, direct-to-IP IP-port pairs, generic IP subnets, and generic individual IPs.
The firewall periodically pulls updated per-tenant allowlist files from the cloud, refreshing its local cache at regular intervals. The firewall stores a prioritized subset of the allowlist tailored to its tenant.
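The decision logic described in the preceding paragraphs, modelled in Python as an added example that is not Palo Alto Networks code: a generic allowlist entry skips the cloud lookup, a direct-to-IP entry suppresses only the direct-to-IP check, non-routable destinations are never evaluated, and the per-entry-type retention order decides what survives when the firewall's allowlist cache is full. The entry syntax (`udp/3478`, `192.0.2.128/25`, `192.0.2.10 udp/5683`), the class and function names, the approximation of "publicly routable", and the sample allowlist and flows are all assumptions made for the example.

```python
"""Model of how Advanced IP Defense allowlists gate enforcement on a flow.

Added illustration for this page, not Palo Alto Networks code. It mirrors the
behaviour described above (generic entries skip the cloud lookup, direct-to-IP
entries skip only the direct-to-IP check, only publicly routable destinations
are evaluated, entry type decides what is retained when the cache is full).
Entry syntax, names, sample entries and sample flows are assumptions.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    GENERIC = "generic"            # skip the cloud attribute lookup entirely
    DIRECT_TO_IP = "direct-to-ip"  # skip only the direct-to-IP detection check


@dataclass(frozen=True)
class Entry:
    kind: Kind
    network: ipaddress.IPv4Network | ipaddress.IPv6Network | None = None
    port: int | None = None
    proto: str | None = None  # "tcp" or "udp", always set together with port

    def matches(self, ip, port: int, proto: str) -> bool:
        if self.network is not None and ip not in self.network:
            return False
        return self.port is None or (self.port, self.proto) == (port, proto)

    def retention_rank(self) -> int:
        """Lower rank is kept first when capacity is short (order from the text)."""
        if self.kind is Kind.DIRECT_TO_IP:
            if self.network is None:
                return 0                          # direct-to-IP port
            return 1 if self.port is None else 2  # direct-to-IP IP, then IP-port pair
        if self.network is not None and self.port is None:
            return 4 if self.network.prefixlen == self.network.max_prefixlen else 3
        return 3  # generic port / pair entries are not ranked on the page: assumption


def parse_entry(kind: Kind, text: str) -> Entry:
    """Entry syntax (assumed): "192.0.2.0/24", "udp/3478" or "192.0.2.10 udp/5683"."""
    network = port = proto = None
    for part in text.lower().split():
        if part.startswith(("tcp/", "udp/")):
            proto, port = part[:3], int(part[4:])
        else:
            network = ipaddress.ip_network(part, strict=False)
    if (network is None and port is None) or (port is not None and not 0 < port < 65536):
        raise ValueError(f"bad entry {text!r}")
    return Entry(kind, network, port, proto)


# The page does not define "publicly routable"; this list approximates it
# (assumption). RFC 5737 documentation ranges are deliberately left routable so
# the page's own sample addresses can be used below.
_NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]


def publicly_routable(ip) -> bool:
    return not any(ip in net for net in _NOT_ROUTABLE)


@dataclass(frozen=True)
class Decision:
    cloud_lookup: bool        # is an attribute lookup sent to the cloud service?
    direct_to_ip_check: bool  # does direct-to-IP detection run on this flow?
    reason: str


def evaluate(allowlist, dst_ip: str, dst_port: int, proto: str, resolved_by_dns: bool) -> Decision:
    ip = ipaddress.ip_address(dst_ip)
    if not publicly_routable(ip):
        return Decision(False, False, "not publicly routable: never evaluated")
    if any(e.kind is Kind.GENERIC and e.matches(ip, dst_port, proto) for e in allowlist):
        return Decision(False, False, "generic allowlist: lookup and enforcement skipped")
    if resolved_by_dns:
        return Decision(True, False, "a DNS resolution preceded the flow")
    if any(e.kind is Kind.DIRECT_TO_IP and e.matches(ip, dst_port, proto) for e in allowlist):
        return Decision(True, False, "direct-to-IP allowlist: treated as if resolved")
    return Decision(True, True, "direct-to-IP check applies")


def trim_to_capacity(entries, capacity: int) -> list[Entry]:
    """Entries the firewall would keep if its cache held only `capacity` of them."""
    return sorted(entries, key=Entry.retention_rank)[:capacity]


SAMPLE_ALLOWLIST = [  # constructed profile for the example
    parse_entry(Kind.DIRECT_TO_IP, "udp/3478"),             # STUN
    parse_entry(Kind.DIRECT_TO_IP, "tcp/179"),              # BGP
    parse_entry(Kind.DIRECT_TO_IP, "192.0.2.128/25"),       # RTSP cameras
    parse_entry(Kind.DIRECT_TO_IP, "192.0.2.10 udp/5683"),  # one CoAP endpoint
    parse_entry(Kind.GENERIC, "198.51.100.0/24"),           # partner netblock
    parse_entry(Kind.GENERIC, "203.0.113.7"),               # single known host
]

if __name__ == "__main__":
    for ip, port, proto, dns in [("203.0.113.7", 443, "tcp", False), ("192.0.2.50", 3478, "udp", False),
                                 ("192.0.2.50", 443, "tcp", False), ("192.0.2.50", 443, "tcp", True),
                                 ("192.0.2.200", 554, "tcp", False), ("10.1.2.3", 443, "tcp", False)]:
        d = evaluate(SAMPLE_ALLOWLIST, ip, port, proto, dns)
        print(f"{ip} {proto}/{port} dns={dns}: lookup={d.cloud_lookup} "
              f"direct_to_ip_check={d.direct_to_ip_check} ({d.reason})")
    print("kept when only 3 entries fit:", trim_to_capacity(SAMPLE_ALLOWLIST, 3))
```

Run it to see each sample flow's outcome. The point to notice is that the direct-to-IP check is suppressed in two ways (a prior DNS resolution or a matching direct-to-IP entry) while the cloud attribute lookup still happens; only a generic entry removes the lookup altogether, which is why generic entries deserve more scrutiny than direct-to-IP ones. The trimming call shows that, under memory pressure, the single generic host is the first entry to be dropped.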

Create Advanced IP Defense Exceptions and Allowlists in Strata Cloud Manager

Create exceptions and allowlists within an Advanced IP Defense profile in Strata Cloud Manager to exclude legitimate traffic from Advanced IP Defense policy rules.
Exceptions and allowlists in an Advanced IP Defense profile enable you to exclude specific traffic from Advanced IP Defense policy rules. You can create exceptions based on IP addresses, ports, IP-port pairs, or External Dynamic Lists (EDLs) to provide granular control over which traffic is exempted from Advanced IP Defense enforcement.
  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  2. Access the Advanced IP Defense profile in Strata Cloud Manager.
    Select Configuration > Security Services > Advanced IP Defense to access the Advanced IP Defense profiles.
  3. Select the Advanced IP Defense profile where you want to create exceptions.
    Click on the profile name to open the profile configuration.
  4. Navigate to the exceptions section.
    Select Exceptions to view existing exceptions and create new ones.
  5. Click Add to create a new exception.
    A new exception entry is created with default settings.
  6. Configure IP-based exceptions.
    Enter the IP address or subnet that you want to exclude from Advanced IP Defense policy rules. You can specify:
    • Single IP address (for example, 192.0.2.1)
    • Subnet in CIDR notation (for example, 192.0.2.0/24)
    • Multiple IP addresses separated by commas
  7. (Optional) Configure port-based exceptions.
    Enter the port number or port range, together with its transport protocol, that you want to exclude from Advanced IP Defense policy rules. You can specify:
    • Single port (for example, 443)
    • Port range (for example, 8000-8100)
    • Multiple ports separated by commas
  8. (Optional) Configure IP-port pair exceptions.
    Combine IP addresses and ports to create more granular exceptions. For example, you can exclude traffic to a specific IP address on a specific port (for example, TCP port 443 on 192.0.2.1) while leaving the rest of that host's traffic subject to enforcement.
  9. (Optional) Configure EDL-based exceptions.
    Select an External Dynamic List (EDL) to use as an exception. This allows you to exclude traffic to IPs contained in the EDL from Advanced IP Defense policy rules. EDL-based exceptions are useful for maintaining dynamic allowlists that are updated automatically. Because the list is refreshed without a commit, treat the EDL source as security-critical: anyone who can change its contents can widen the exception.
  10. Set the exception priority.
    If you have multiple exceptions, set the priority order to determine which exception is evaluated first. Higher priority exceptions are evaluated before lower priority exceptions. Separately from this order, the entry type determines which entries the firewall retains when its allowlist capacity is limited, as described above.
  11. Test the exception configuration.
    Verify that the exception is working correctly by testing traffic that should be excluded. Monitor the Advanced IP Defense logs to confirm that traffic matching the exception is not being blocked by policy rules, and that traffic outside the exception (for example, the same host on a port you did not exempt) is still evaluated.
  12. Save the exception.
    Click Save to save the exception configuration.
  13. Commit your changes.
    Click Commit to apply the exception to your Strata Cloud Manager configuration.

Create Advanced IP Defense Exceptions and Allowlists in PAN-OS and Panorama

Create exceptions and allowlists within an Advanced IP Defense profile in PAN-OS and Panorama to exclude legitimate traffic from Advanced IP Defense policy rules.
Exceptions and allowlists in an Advanced IP Defense profile enable you to exclude specific traffic from Advanced IP Defense policy rules. You can create exceptions based on IP addresses, ports, IP-port pairs, or External Dynamic Lists (EDLs) to provide granular control over which traffic is exempted from Advanced IP Defense enforcement.
  1. Access the Advanced IP Defense profile in PAN-OS or Panorama.
    Select Objects > Security Services > Advanced IP Defense to access the Advanced IP Defense profiles.
  2. Select the Advanced IP Defense profile where you want to create exceptions.
    Click on the profile name to open the profile configuration.
  3. Navigate to the exceptions section.
    Select Exceptions to view existing exceptions and create new ones.
  4. Click Add to create a new exception.
    A new exception entry is created with default settings.
  5. Configure IP-based exceptions.
    Enter the IP address or subnet that you want to exclude from Advanced IP Defense policy rules. You can specify:
    • Single IP address (for example, 192.0.2.1)
    • Subnet in CIDR notation (for example, 192.0.2.0/24)
    • Multiple IP addresses separated by commas
  6. (Optional) Configure port-based exceptions.
    Enter the port number or port range, together with its transport protocol, that you want to exclude from Advanced IP Defense policy rules. You can specify:
    • Single port (for example, 443)
    • Port range (for example, 8000-8100)
    • Multiple ports separated by commas
  7. (Optional) Configure IP-port pair exceptions.
    Combine IP addresses and ports to create more granular exceptions. For example, you can exclude traffic to a specific IP address on a specific port (for example, TCP port 443 on 192.0.2.1) while leaving the rest of that host's traffic subject to enforcement.
  8. (Optional) Configure EDL-based exceptions.
    Select an External Dynamic List (EDL) to use as an exception. This allows you to exclude traffic to IPs contained in the EDL from Advanced IP Defense policy rules. EDL-based exceptions are useful for maintaining dynamic allowlists that are updated automatically. Because the list is refreshed without a commit, treat the EDL source as security-critical: anyone who can change its contents can widen the exception.
  9. Set the exception priority.
    If you have multiple exceptions, set the priority order to determine which exception is evaluated first. Higher priority exceptions are evaluated before lower priority exceptions. Separately from this order, the entry type determines which entries the firewall retains when its allowlist capacity is limited, as described above.
  10. Test the exception configuration.
    Verify that the exception is working correctly by testing traffic that should be excluded. Monitor the Advanced IP Defense logs to confirm that traffic matching the exception is not being blocked by policy rules, and that traffic outside the exception (for example, the same host on a port you did not exempt) is still evaluated.
  11. Save the exception.
    Click Save to save the exception configuration.
  12. Commit your changes.
    Click Commit to apply the exception to your firewall.
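Both procedures above (Strata Cloud Manager, and PAN-OS and Panorama) let an External Dynamic List drive the exception, and the EDL is fetched on its own schedule rather than at commit time, so it pays to lint the list before pointing a profile at it. The following Python script is an added example, not Palo Alto Networks code: it parses an IP-list EDL and flags entries that do not parse, entries broader than a chosen threshold, and entries that duplicate or fall inside another entry, since each of those silently widens the bypass. The IP-list syntax it accepts (one entry per line, `#` comments, an address, a CIDR prefix or a `start-end` range), the breadth thresholds, and the sample list are assumptions made for the example.

```python
"""Lint an IP-list External Dynamic List before using it as an Advanced IP
Defense exception.

Added example for this page, not Palo Alto Networks code. An EDL exception is
a standing bypass of IP blocking, so the checks are: every entry parses, no
entry is broader than intended, and no entry duplicates or sits inside another.
Assumptions: plain-text IP list, one entry per line, '#' comments and blank
lines ignored, entries as address / CIDR / 'start-end' range; the thresholds
and the sample list below are made up for the example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

MAX_IPV4_ADDRESSES = 256  # flag anything wider than a /24 (assumed threshold)
MIN_IPV6_PREFIXLEN = 48   # flag IPv6 prefixes shorter than /48 (assumed threshold)


@dataclass(frozen=True)
class Finding:
    line_no: int
    entry: str
    problem: str


@dataclass
class Report:
    networks: list = field(default_factory=list)  # (line_no, entry, network) tuples
    findings: list[Finding] = field(default_factory=list)

    def problem_lines(self) -> list[int]:
        return sorted({f.line_no for f in self.findings})


def parse_line(raw: str) -> str:
    """Drop comments and whitespace; an empty result is a line the firewall skips."""
    return raw.split("#", 1)[0].strip()


def to_networks(entry: str) -> list:
    """Expand one entry into the CIDR networks it covers; ValueError if malformed."""
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("malformed range")
        return list(ipaddress.summarize_address_range(lo, hi))
    return [ipaddress.ip_network(entry, strict=False)]


def lint_edl(text: str) -> Report:
    report = Report()
    for line_no, raw in enumerate(text.splitlines(), 1):
        entry = parse_line(raw)
        if not entry:
            continue
        try:
            nets = to_networks(entry)
        except ValueError as exc:
            report.findings.append(Finding(line_no, entry, f"invalid entry ({exc})"))
            continue
        width = sum(n.num_addresses for n in nets)
        shortest = min(n.prefixlen for n in nets)
        if nets[0].version == 4 and width > MAX_IPV4_ADDRESSES:
            report.findings.append(Finding(line_no, entry, f"too broad: {width} IPv4 addresses"))
        elif nets[0].version == 6 and shortest < MIN_IPV6_PREFIXLEN:
            report.findings.append(Finding(line_no, entry, f"too broad: IPv6 prefix /{shortest}"))
        report.networks.extend((line_no, entry, n) for n in nets)
    # Second pass: an entry that duplicates or sits inside another entry adds
    # nothing, but it hides how wide the exception really is.
    flagged: set[int] = set()
    for line_no, entry, net in report.networks:
        if line_no in flagged:
            continue
        for other_line, other_entry, other in report.networks:
            if other_line == line_no or net.version != other.version:
                continue
            if net == other and other_line < line_no:
                report.findings.append(Finding(line_no, entry, f"duplicate of line {other_line}"))
            elif net != other and net.subnet_of(other):
                report.findings.append(Finding(line_no, entry, f"already covered by line {other_line} ({other_entry})"))
            else:
                continue
            flagged.add(line_no)
            break
    return report


SAMPLE_EDL = """\
# constructed partner allowlist for the example
192.0.2.10
192.0.2.0/24              # partner's public range
192.0.2.10                # repeated by mistake
198.51.100.5-198.51.100.20
203.0.113.0/22            # wider than the partner's assignment
2001:db8:abcd::/48
2001:db8::/32             # the whole upstream allocation
192.0.2.300
"""

if __name__ == "__main__":
    for f in lint_edl(SAMPLE_EDL).findings:
        print(f"line {f.line_no}: {f.entry}: {f.problem}")
```

Run it against the constructed list and six of the eight entries are flagged; only the `/24` and the sixteen-address range survive unremarked. Tune `MAX_IPV4_ADDRESSES` and `MIN_IPV6_PREFIXLEN` to what your partners actually hold, and run the lint on every refresh of the source, not only when the exception is first created.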