Create Advanced IP Defense Policy Rules in PAN-OS and Panorama


Create policy rules within an Advanced IP Defense profile in PAN-OS and Panorama to enforce security policies based on IP attributes and direct-to-IP detection.
Policy rules within an Advanced IP Defense profile define how the firewall enforces security policies based on IP attributes and direct-to-IP detection. Each policy rule specifies match criteria using real-time IP attributes, logical operators to combine conditions, and actions to take when traffic matches the rule.
  1. Access the Advanced IP Defense profile in PAN-OS or Panorama.
    Select Objects > Security Services > Advanced IP Defense to access the Advanced IP Defense profiles.
  2. Select the Advanced IP Defense profile where you want to create the policy rule.
    Click on the profile name to open the profile configuration.
  3. Navigate to the policy rules section.
    Select Policy Rules to view existing policy rules and create new ones.
  4. Click Add to create a new policy rule.
    A new policy rule entry is created with default settings.
  5. Configure the match criteria for the policy rule.
    Specify the IP attributes that the rule should match. You can select from over 40 real-time IP attributes such as:
    • Anonymizer
    • Botnet
    • High-Risk
    • Malware C2
    • Cloud Provider
    • Direct-to-IP Detection
    Use logical operators (AND, OR) to combine multiple match criteria. For example, you can create a rule that matches traffic from IPs classified as both "Malware C2" AND "Direct-to-IP Detection".
  6. Define the action for the policy rule.
    Choose the action to take when traffic matches the rule:
    • Block—Deny the traffic
    • Allow—Permit the traffic
    • Alert—Log the traffic without blocking
  7. Configure log severity for the policy rule.
    Select the log severity level to control how the rule match appears in your threat logs and SIEM:
    • Critical—Highest-confidence, most dangerous threat indicators where immediate action is required. Use for confirmed active command-and-control infrastructure, known botnet controllers, or IP addresses associated with ongoing targeted attacks.
    • High—High-confidence threat categories with a strong likelihood of malicious intent. Use for Malware C2 infrastructure, known exploit servers, and IPs associated with active data exfiltration.
    • Medium—Moderate confidence indicators that may include both malicious and legitimate traffic. Use for anonymizer and proxy services, high-risk IP ranges, or direct-to-IP connections that could indicate evasion techniques.
    • Low—Situational awareness without a confirmed threat. Use for broad netblock owner monitoring, traffic to hosting providers, or connections to IP ranges associated with vulnerable services.
    • Informational—Visibility-only rules where the match criteria are unlikely to represent a threat but the traffic pattern is worth recording. Use for monitoring baseline traffic to cloud infrastructure, CDN providers, or residential ISP ranges.
  8. Save the policy rule.
    Click Save to save the policy rule configuration.
  9. Commit your changes.
    Click Commit to apply the policy rule to your firewall. On Panorama, commit the change and then push it to the managed firewalls or device groups that use the profile.
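The rule semantics described in steps 5 through 7, modelled as an added example. This is not Palo Alto Networks code and it does not reproduce the firewall's implementation: it assumes that rules inside a profile are evaluated top-down with the first match winning, that an IP carries a set of attribute tags, and that traffic matching no rule is allowed. The rule names, the attribute feed, and the IP addresses are constructed for illustration. Beyond the page's own example, it shows why the order of rules matters when a broad Allow rule (for example on Cloud Provider) sits above a Block rule on Malware C2 AND Direct-to-IP Detection, and gives a check that flags such shadowing before you commit.

```python
"""Model of Advanced IP Defense policy-rule evaluation.

Added example, not Palo Alto Networks code. Assumptions: rules are
evaluated top-down with first match winning; an IP is looked up to a
set of attribute tags; unmatched traffic is allowed. The attribute
feed below is constructed, not real threat-intelligence data.
"""

from dataclasses import dataclass

BLOCK, ALLOW, ALERT = "Block", "Allow", "Alert"

# How restrictive each action is; used to detect an Allow rule that
# shadows a stricter rule placed below it.
RESTRICTIVENESS = {ALLOW: 0, ALERT: 1, BLOCK: 2}


@dataclass(frozen=True)
class Rule:
    name: str
    attributes: tuple   # IP attributes named in the match criteria
    operator: str       # "AND": all must be present, "OR": any one suffices
    action: str         # Block / Allow / Alert
    severity: str       # Critical / High / Medium / Low / Informational

    def matches(self, ip_attrs: frozenset) -> bool:
        if self.operator == "AND":
            return all(a in ip_attrs for a in self.attributes)
        if self.operator == "OR":
            return any(a in ip_attrs for a in self.attributes)
        raise ValueError(f"unknown operator {self.operator!r}")


def evaluate(rules: list, ip_attrs: frozenset) -> tuple:
    """Return (rule name, action, severity) of the first matching rule,
    or ("default", "Allow", None) when no rule matches (assumption)."""
    for r in rules:
        if r.matches(ip_attrs):
            return (r.name, r.action, r.severity)
    return ("default", ALLOW, None)


def shadowed_stricter_rules(rules: list, feed: dict) -> list:
    """For each sample IP, report (ip, winning rule, shadowed rule) where a
    later rule also matches and would take a stricter action than the rule
    that fired first. Run this against a sample of attribute lookups before
    committing a new Allow rule."""
    findings = []
    for ip, attrs in feed.items():
        winner, action, _ = evaluate(rules, attrs)
        for r in rules:
            if (r.name != winner and r.matches(attrs)
                    and RESTRICTIVENESS[r.action] > RESTRICTIVENESS[action]):
                findings.append((ip, winner, r.name))
    return findings


# Constructed attribute feed: each IP maps to the real-time attributes the
# firewall would look up for it. Tags are illustrative, addresses are from
# documentation ranges.
FEED = {
    "198.51.100.7": frozenset({"Malware C2", "Direct-to-IP Detection"}),
    "203.0.113.9": frozenset({"Cloud Provider", "Malware C2",
                              "Direct-to-IP Detection"}),
    "192.0.2.44": frozenset({"Anonymizer"}),
    "203.0.113.200": frozenset({"Cloud Provider"}),
}

# Hypothetical rule set mirroring the page's example criteria.
C2_RULE = Rule("block-c2-direct",
               ("Malware C2", "Direct-to-IP Detection"), "AND", BLOCK, "Critical")
ANON_RULE = Rule("alert-anonymizer",
                 ("Anonymizer", "High-Risk"), "OR", ALERT, "Medium")
CLOUD_RULE = Rule("allow-cloud", ("Cloud Provider",), "OR", ALLOW, "Informational")

# Threat rules first, broad Allow last: the C2 host in a cloud range is blocked.
GOOD_ORDER = [C2_RULE, ANON_RULE, CLOUD_RULE]
# Broad Allow first: the same host matches allow-cloud and is never blocked.
BAD_ORDER = [CLOUD_RULE, C2_RULE, ANON_RULE]


if __name__ == "__main__":
    for label, rules in (("good order", GOOD_ORDER), ("bad order", BAD_ORDER)):
        print(label)
        for ip, attrs in FEED.items():
            print("  ", ip, evaluate(rules, attrs))
        print("   shadowed:", shadowed_stricter_rules(rules, FEED))
```

With `GOOD_ORDER` the host tagged Cloud Provider, Malware C2 and Direct-to-IP Detection is blocked at Critical severity; with `BAD_ORDER` it is allowed at Informational, and `shadowed_stricter_rules` names the Block rule that was shadowed. The Alert action behaves like Allow for forwarding but still produces a log entry at the rule's severity, which is why the model treats it as more restrictive than Allow and less than Block.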