Create an Advanced IP Defense Profile

Configure Advanced IP Defense to enforce real-time IP address inspection and block threats that bypass traditional DNS and URL-based controls.
Where Can I Use This?
  • PAN-OS 12.2 and later
  • Strata Cloud Manager
  • PAN-OS 11.1.x and later (EDL-based)
What Do I Need?
  • Advanced IP Defense license
  • Admin access to firewall or Strata Cloud Manager
  • Network connectivity to Advanced IP Defense cloud service
Advanced IP Defense is a cloud-delivered security service that provides real-time, context-aware IP address inspection and enforcement. It closes a critical security gap by protecting against threats that bypass traditional DNS and URL-based controls by operating directly at the IP layer.
The service addresses two major attack vectors. Outbound threats occur when malware establishes direct-to-IP connections to exfiltrate data or maintain Command & Control (C2) communications, bypassing DNS and URL inspection controls. Inbound threats involve attackers using large-scale automation, proxies, and anonymizers to perform scanning, reconnaissance, and exploitation of network resources.
Advanced IP Defense leverages dynamic, real-time IP attributes to enable granular, context-aware security policies. By correlating traffic with DNS resolution data, the service detects "direct-to-IP" connections (connections without prior DNS resolution) and applies Zero-Trust IP policies to block suspicious activity while allowing legitimate business traffic.
For PAN-OS 12.2 and later or Strata Cloud Manager, you configure Advanced IP Defense through a zone-based Advanced IP Defense profile that allows you to define security policies based on IP attributes and direct-to-IP detection. The firewall maintains a local cache of IP attributes and DNS resolution history to minimize cloud lookups and reduce latency. When a cache miss occurs, the firewall allows the initial session to pass (fail-open) and asynchronously queries the Advanced IP Defense cloud service for IP attributes and direct-to-IP detection results. Once the cloud verdict is returned and the local cache is populated, the policy is strictly enforced on all subsequent sessions matching that IP. If the Advanced IP Defense cloud service becomes unreachable, the firewall reverts to fail-open to prevent network outages.
For customers on PAN-OS 11.1.x and later, Advanced IP Defense intelligence is also available through predefined External Dynamic Lists (EDLs) delivered via the AV content package. These lists contain curated subsets of high-risk malicious IPs identified by the cloud security engines. The system automatically selects the appropriate EDL size (Standard or Full tier) based on your hardware platform's capacity at install time. You can reference these EDLs in your existing security rules to block traffic based on malicious IP addresses. On PAN-OS 12.2 and later, you can use both the EDLs and the full profile-based controls; the profile-based approach is recommended for granular attribute-level matching, direct-to-IP detection, real-time cloud lookups, and enhanced logging.
The configuration process is iterative and ongoing. After creating your initial profile, you refine policy rules based on traffic patterns and security requirements, adjust exceptions and allowlists as your network evolves, and edit connectivity settings to maintain reliable communication with the Advanced IP Defense cloud service.

Create an Advanced IP Defense Profile (Strata Cloud Manager)

Configure Advanced IP Defense in Strata Cloud Manager to enable real-time IP address inspection and enforcement for Prisma Access.
Advanced IP Defense in Strata Cloud Manager provides cloud-based IP address inspection and enforcement for Prisma Access deployments. This enables you to protect remote users and cloud-connected resources against IP-based threats using dynamic IP attributes and direct-to-IP detection.
  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  2. Verify that you have an active Advanced IP Defense license.
    Select Configuration > NGFW and Prisma Access > Overview and check the license usage terms link in the License panel. Verify that the Advanced IP Defense license is active.
  3. Create or update an Advanced IP Defense profile.
    Select Configuration > Security Services > Advanced IP Defense and click Add to create a new profile or select an existing profile to edit.
    Enter a name and description for the profile.
    Each profile contains:
    • Match rules—One or more rules that specify an IP attribute category, an optional tag filter, and a logical operator.
    • IP match field—Specifies whether the profile evaluates the source IP or destination IP of each session. This setting applies to all rules in the profile.
    • Action—Each rule specifies an action: alert (log and allow), block (log and drop), or deny (drop without logging).
    • Log severity—Configurable per rule to control how the match appears in your threat logs.
    • Cache-miss behavior—On a cache miss, the firewall allows the initial session to pass (fail-open) and asynchronously queries the Advanced IP Defense cloud service for a verdict. Once the cloud responds, the local cache is populated and the policy is enforced on all subsequent sessions matching that IP. If you configure the profile for strict enforcement, the firewall drops traffic on cache miss only while the Advanced IP Defense cloud service is reachable; if the service becomes unreachable, the firewall reverts to fail-open to prevent a network outage.
    A default profile ships with the content update package and contains match rules for all available IP attribute categories with the action set to alert. This gives you immediate visibility into IP-based threats without blocking traffic. You can clone the default profile to create custom profiles tailored to your security requirements.
  4. Configure policy rules within the Advanced IP Defense profile.
    Click Add Rule to create rules that match traffic based on IP attributes or direct-to-IP detection. For each rule, specify:
    • IP Match Field—Select whether the rule evaluates the source IP or destination IP of each session. Use source IP to detect inbound threats from known malicious infrastructure. Use destination IP to detect outbound connections to C2 servers, anonymizers, or compromised hosts.
    • Match criteria—Select one or more IP attribute categories (such as Malware & C2, Anonymizers & Proxies, or Direct-to-IP) or individual tags within a category. Use logical operators (AND, OR, NOT) to build compound match conditions.
    • Action—Set to Alert (log and allow), Block (log and drop), or Deny (drop without logging). Start with Alert during initial deployment to evaluate detection accuracy before enabling Block.
    • Log severity—Set the severity level (Critical, High, Medium, Low, or Informational) to control how the match appears in your threat logs and SIEM. Higher severity levels can trigger automated responses through log forwarding profiles.
    When you build match rules, the following constraints apply:
    • You can match by an entire category or by individual tags within a category, but not both in the same rule.
    • The Direct to IP (No-DNS) category has no individual tags. When you select it, the rule evaluates whether the connection occurred without a preceding DNS resolution.
    • The Netblock Owner category supports tag-based matching only. You must specify individual tags (such as AWS Cloud, GCP Cloud, or CDN) rather than matching the entire category.
    • A NOT operation accepts only one item (one category or one tag).
    • You can combine two categories or tags using AND or OR operators to build compound match criteria.
    Rules are evaluated in order from top to bottom. The first matching rule determines the action. Position your most specific, highest-severity rules at the top of the list. See Security Policy for more information about rule ordering and evaluation logic.
  5. Configure exceptions and allowlists.
    Click the Exceptions tab to define entries that bypass specific Advanced IP Defense checks. Exceptions prevent false positives for known-good traffic without disabling protection for other connections.
    • External Dynamic List (EDL)—Reference an IP-based EDL to allowlist known-good IP addresses from Advanced IP Defense evaluation. Use this for dynamic infrastructure where IP addresses change frequently (such as your own cloud services or CDN providers). The EDL updates automatically without requiring a commit. See External Dynamic Lists for EDL configuration details.
    • No-DNS Bypass—Specify IP addresses, ports, or IP-port combinations for protocols that legitimately use direct-to-IP connections (such as BGP, SIP, or STUN). These entries skip the No-DNS (direct-to-IP) check while still allowing other IP attribute checks to proceed.
    Exceptions are evaluated before policy rules. If a connection matches an exception, the corresponding check is skipped for that connection.
  6. Click OK to save the Advanced IP Defense profile.
    The profile is now created and ready to be attached to security zones or Prisma Access gateways.
  7. Attach the Advanced IP Defense profile to security zones or gateways.
    Select Configuration > Network > Zones and select the zone where you want to enforce Advanced IP Defense policies. Attach the Advanced IP Defense profile you created.
    You can attach the same profile to multiple zones or create different profiles for different zones based on your security requirements. For example, apply a strict blocking profile to your internet-facing untrust zone and an alert-only profile to internal zones during the initial deployment period.
    For Prisma Access deployments, you can also assign the profile at the gateway level to enforce Advanced IP Defense across all traffic traversing the gateway.
    See Configure a Zone for more information about zone configuration and profile assignment.
  8. Commit your changes.
    Click Commit to apply the Advanced IP Defense configuration.
  9. Monitor Advanced IP Defense activity.
    Select Incidents and Alerts > Log Viewer to view logs for traffic that matched Advanced IP Defense rules. You can filter logs by IP attributes, direct-to-IP detection, or specific rules to track blocked threats and validate policy effectiveness.
After enabling Advanced IP Defense, monitor the logs regularly to track blocked threats and validate policy effectiveness. You can create additional profiles for different security zones or refine your existing rules based on traffic patterns and security requirements.

PAN-OS & Panorama

Enable Advanced IP Defense on PAN-OS 12.2 and later or on PAN-OS 11.1.x and later using predefined EDLs.

Create an Advanced IP Defense Profile (PAN-OS 12.2 and Later)

Configure Advanced IP Defense on your firewall to enable real-time IP address inspection and enforcement based on IP attributes and direct-to-IP detection.
Advanced IP Defense provides real-time IP address inspection and enforcement to protect against threats that bypass traditional DNS and URL-based controls. By enabling Advanced IP Defense, you can enforce policies based on over 40 dynamic IP attributes and detect direct-to-IP connections that indicate potential malware or data exfiltration attempts.
  1. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  2. Create or update an Advanced IP Defense profile.
    Select Objects > Security Profiles > Advanced IP Defense and click Add to create a new profile or select an existing profile to edit.
    Enter a name and description for the profile. You can also select a default profile to use as a template.
    Each profile contains:
    • Match rules—One or more rules that specify an IP attribute category, an optional tag filter, and a logical operator.
    • IP match field—Specifies whether the profile evaluates the source IP or destination IP of each session. This setting applies to all rules in the profile.
    • Action—Each rule specifies an action: alert (log and allow), block (log and drop), or deny (drop without logging).
    • Log severity—Configurable per rule to control how the match appears in your threat logs.
    • Cache-miss behavior—On a cache miss, the firewall allows the initial session to pass (fail-open) and asynchronously queries the Advanced IP Defense cloud service for a verdict. Once the cloud responds, the local cache is populated and the policy is enforced on all subsequent sessions matching that IP. If you configure the profile for strict enforcement, the firewall drops traffic on cache miss only while the Advanced IP Defense cloud service is reachable; if the service becomes unreachable, the firewall reverts to fail-open to prevent a network outage.
    A default profile ships with the content update package and contains match rules for all available IP attribute categories with the action set to alert. This gives you immediate visibility into IP-based threats without blocking traffic. You can clone the default profile to create custom profiles tailored to your security requirements.
  3. Configure policy rules within the Advanced IP Defense profile.
    Click Add Rule to create rules that match traffic based on IP attributes or direct-to-IP detection. For each rule, specify:
    • IP Match Field—Select whether the rule evaluates the source IP or destination IP of each session. Use source IP to detect inbound threats from known malicious infrastructure. Use destination IP to detect outbound connections to C2 servers, anonymizers, or compromised hosts.
    • Match criteria—Select one or more IP attribute categories (such as Malware & C2, Anonymizers & Proxies, or Direct-to-IP) or individual tags within a category. Use logical operators (AND, OR, NOT) to build compound match conditions.
    • Action—Set to Alert (log and allow), Block (log and drop), or Deny (drop without logging). Start with Alert during initial deployment to evaluate detection accuracy before enabling Block.
    • Log severity—Set the severity level (Critical, High, Medium, Low, or Informational) to control how the match appears in your threat logs and SIEM. Higher severity levels can trigger automated responses through log forwarding profiles.
    When you build match rules, the following constraints apply:
    • You can match by an entire category or by individual tags within a category, but not both in the same rule.
    • The Direct to IP (No-DNS) category has no individual tags. When you select it, the rule evaluates whether the connection occurred without a preceding DNS resolution.
    • The Netblock Owner category supports tag-based matching only. You must specify individual tags (such as AWS Cloud, GCP Cloud, or CDN) rather than matching the entire category.
    • A NOT operation accepts only one item (one category or one tag).
    • You can combine two categories or tags using AND or OR operators to build compound match criteria.
    Rules are evaluated in order from top to bottom. The first matching rule determines the action. Position your most specific, highest-severity rules at the top of the list. See Security Policy for more information about rule ordering and evaluation logic.
  4. Configure exceptions and allowlists.
    Click the Exceptions tab to define entries that bypass specific Advanced IP Defense checks. Exceptions prevent false positives for known-good traffic without disabling protection for other connections.
    • External Dynamic List (EDL)—Reference an IP-based EDL to allowlist known-good IP addresses from Advanced IP Defense evaluation. Use this for dynamic infrastructure where IP addresses change frequently (such as your own cloud services or CDN providers). The EDL updates automatically without requiring a commit. See External Dynamic Lists for EDL configuration details.
    • No-DNS Bypass—Specify IP addresses, ports, or IP-port combinations for protocols that legitimately use direct-to-IP connections (such as BGP, SIP, or STUN). These entries skip the No-DNS (direct-to-IP) check while still allowing other IP attribute checks to proceed.
    Exceptions are evaluated before policy rules. If a connection matches an exception, the corresponding check is skipped for that connection.
  5. Click OK to save the Advanced IP Defense profile.
    The profile is now created and ready to be attached to security zones.
  6. Attach the Advanced IP Defense profile to security zones.
    Select Network > Zones and select the zone where you want to enforce Advanced IP Defense policies. In the zone configuration, select the Advanced IP Defense profile you created.
    You can attach the same profile to multiple zones or create different profiles for different zones based on your security requirements. For example, apply a strict blocking profile to your internet-facing untrust zone and an alert-only profile to internal zones during the initial deployment period.
    See Configure a Zone for more information about zone configuration and profile assignment.
  7. Commit your changes.
    Click Commit to apply the Advanced IP Defense configuration to your firewall.
  8. Monitor Advanced IP Defense activity.
    Select Monitor > Logs > Threat to view logs for traffic that matched Advanced IP Defense rules. You can filter logs by IP attributes, direct-to-IP detection, or specific rules to track blocked threats and validate policy effectiveness.
After enabling Advanced IP Defense, you can create additional profiles for different security zones or refine your existing rules based on traffic patterns and security requirements. Monitor the logs regularly to ensure your policies are effective and adjust rules as needed.
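The profile semantics the steps above describe (identical for the Strata Cloud Manager and PAN-OS 12.2 procedures) modeled in Python as an added example that is not Palo Alto Networks code: exceptions are checked before rules, a No-DNS bypass entry skips only the direct-to-IP check, rules match first to last, and a cache miss is fail-open unless strict enforcement is on and the cloud service is reachable. The category and tag names, the cached attributes and the sessions are constructed sample data; deriving direct-to-IP from the locally kept DNS resolution history is an assumption of this model.

```python
from dataclasses import dataclass, field

# Effect of each action as the page defines it:
# alert = log and allow, block = log and drop, deny = drop without logging.
ACTIONS = {"alert": ("allow", True), "block": ("drop", True), "deny": ("drop", False)}
NO_DNS = ("cat", "Direct to IP (No-DNS)")   # category that has no tags


@dataclass
class Rule:
    name: str
    terms: list          # one or two items, each ("cat", name) or ("tag", name)
    action: str          # "alert", "block" or "deny"
    op: str = None       # None, "AND", "OR" or "NOT"
    severity: str = "high"

    def validate(self):
        """Return a reason string if the rule breaks a constraint the page lists."""
        if self.op == "NOT" and len(self.terms) != 1:
            return "NOT accepts exactly one item"
        if self.op in ("AND", "OR") and len(self.terms) != 2:
            return "AND/OR combine exactly two items"
        if self.op is None and len(self.terms) != 1:
            return "a rule without an operator has exactly one item"
        if {kind for kind, _ in self.terms} == {"cat", "tag"}:
            return "a rule matches a whole category or tags, not both"
        if ("cat", "Netblock Owner") in self.terms:
            return "Netblock Owner supports tag-based matching only"
        return None

    def matches(self, facts):
        hits = [term in facts for term in self.terms]
        if self.op == "NOT":
            return not hits[0]
        if self.op == "AND":
            return all(hits)
        if self.op == "OR":
            return any(hits)
        return hits[0]


@dataclass
class Profile:
    rules: list
    ip_match_field: str = "destination"               # or "source"
    strict: bool = False                              # drop on cache miss while cloud reachable
    edl_allowlist: set = field(default_factory=set)   # EDL exception: IPs skipped entirely
    no_dns_bypass: set = field(default_factory=set)   # (ip or None, port or None) entries


def evaluate(profile, session, cache, cloud_reachable=True):
    """Return (effect, reason, logged) for one session.
    session: dict with src, dst, dport, had_dns; cache: ip -> set of facts
    learned from the cloud (an IP absent from it is a cache miss)."""
    ip = session["dst"] if profile.ip_match_field == "destination" else session["src"]
    if ip in profile.edl_allowlist:                 # exceptions come before rules
        return ("allow", "edl-exception", False)
    if ip not in cache:                             # cache miss: fail-open by default
        if profile.strict and cloud_reachable:
            return ("drop", "cache-miss-strict", True)
        return ("allow", "cache-miss-fail-open", False)
    facts = set(cache[ip])
    bypass = {(ip, session["dport"]), (ip, None), (None, session["dport"])}
    if not session["had_dns"] and not (bypass & profile.no_dns_bypass):
        facts.add(NO_DNS)                           # direct-to-IP from local DNS history
    for rule in profile.rules:                      # first matching rule decides
        if rule.matches(facts):
            effect, logged = ACTIONS[rule.action]
            return (effect, rule.name, logged)
    return ("allow", "no-rule-match", False)
```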

Create an Advanced IP Defense Profile (PAN-OS 11.1.x and Later)

Configure Advanced IP Defense on PAN-OS 11.1.x and later using predefined External Dynamic Lists (EDLs) to block malicious IP addresses.
For PAN-OS 11.1.x and later, Advanced IP Defense is available through predefined External Dynamic Lists (EDLs) that are automatically delivered via content updates. These EDLs contain curated, priority-ranked lists of malicious IP addresses identified by the Advanced IP Defense cloud service, allowing you to block threats using your existing security policy rules. On PAN-OS 12.2 and later, you can also use the full Advanced IP Defense profile-based architecture for granular attribute-level matching and direct-to-IP detection.
The Advanced IP Defense EDLs are delivered in the antivirus content package and installed automatically when you update dynamic content. The system performs Top-K trimming at install time based on your hardware platform's EDL capacity, so the same content package works across all supported devices. Each list is ranked by priority in descending order (first entry = highest priority).
  1. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  2. Update to the latest content package.
    Select Device > Dynamic Updates and check for the latest antivirus content release. The Advanced IP Defense EDLs are delivered through this package. See Keep Your Firewall Content Current for scheduling automatic content updates.
  3. Verify that the Advanced IP Defense EDLs are available.
    Select Objects > External Dynamic Lists and look for the predefined Advanced IP Defense EDLs. The following EDLs are delivered through the content package:
    | EDL Name | Description | Standard Tier | Full Tier |
    | --- | --- | --- | --- |
    | Adv. IP Defense: C2 infrastructure | IPs hosting C2 services or bound to C2 domains. Covers active command-and-control server infrastructure. | 5,000 | 5,000 |
    | Adv. IP Defense: Hardcoded in malware | IPs hardcoded in malware samples or appearing in exploitation payload shellcode. | 1,000 | 1,000 |
    | Adv. IP Defense: VPN | IPs owned by commercial VPN service providers. | 5,000 | 10,000 |
    | Adv. IP Defense: Proxies | IPs hosting proxy services such as HTTP, SOCKS, OpenVPN, and V2Ray. | 2,000 | 60,000 |
    | Adv. IP Defense: Scanner and brute-force | IPs conducting scanning or brute-force activities. | 1,000 | 20,000 |
    | Adv. IP Defense: Exposed vulnerable services | IPs hosting publicly reachable services vulnerable to known CVEs or exploits. | 2,000 | 4,000 |
    The AV content package delivers the same set of EDL files to all platforms. At install time, the system automatically trims each list to the appropriate size based on your hardware platform's capacity. You do not need to select a tier manually. Standard tier platforms (such as PA-3200, PA-3400, PA-3500, and PA-5500 series) receive a condensed record set, while Full tier platforms (such as PA-1400, PA-5200, PA-5400, PA-7500 series, VM-Series, and Prisma Access) receive the complete record set.
    An IP address appears in only one EDL even if it has multiple attributes. When an IP qualifies for multiple lists, it is placed in the highest-severity list based on the following priority (highest to lowest): C2 infrastructure, Hardcoded in malware, VPN, Proxies, Scanner and brute-force, Exposed vulnerable services.
  4. Create security policy rules that reference the Advanced IP Defense EDLs.
    Select Policies > Security and create a new security policy rule for each Advanced IP Defense EDL you want to enforce. See Create a Security Policy Rule for detailed instructions on configuring security policy rules.
    For each rule:
    • In the Source or Destination tab, click Add and select the Advanced IP Defense EDL. Use the Source Address field to match inbound traffic from malicious IPs, or the Destination Address field to match outbound traffic to malicious IPs.
    • In the Actions tab, set the action to Deny (block and drop) or Allow with logging enabled (alert-only mode for initial monitoring).
    • In the Actions tab, enable Log at Session End and attach a log forwarding profile to forward matches to your SIEM or Strata Logging Service.
    Position the Advanced IP Defense EDL rules before your general allow rules in the policy rulebase to ensure they are evaluated first. See Security Policy for more information about rule ordering and evaluation.
  5. Commit your changes.
    Click Commit to apply the security policy rules to your firewall.
  6. Monitor EDL-based threat activity.
    Select Monitor > Logs > Traffic to view logs for traffic that matched the Advanced IP Defense EDL rules. Filter by the rule name or use the destination/source EDL columns to identify which EDL triggered the match.
The Advanced IP Defense EDLs are updated with each content package release. Schedule automatic content updates to ensure your EDLs reflect the latest threat intelligence. On PAN-OS 12.2 and later, you can also enable the full Advanced IP Defense profile-based architecture for granular attribute-level matching, direct-to-IP detection, and real-time cloud lookups. The predefined EDLs remain available alongside profile-based controls.
When you upgrade from an earlier PAN-OS release to 12.2 or later, your existing Advanced IP Defense predefined EDLs and the security policy rules that reference them remain intact. You do not need to reconfigure EDL-based policies after the upgrade. You can continue using the EDLs for IP-based blocking while you evaluate and deploy the full profile-based controls.
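To show how the placement and trimming rules in step 3 play out on different platforms, here is an added Python model that is not Palo Alto Networks code: each IP goes into the single highest-priority list it qualifies for, each list is ordered highest priority first, and at install time each list is cut to the Standard or Full tier size from the table. The priority order and tier sizes are the page's; the IP addresses, scores and attribute sets are constructed sample data, and the numeric score is an assumption standing in for whatever ranking the cloud service applies.

```python
import ipaddress

# Lists from highest to lowest priority, with (Standard tier, Full tier) sizes.
EDLS = [
    ("C2 infrastructure", 5000, 5000),
    ("Hardcoded in malware", 1000, 1000),
    ("VPN", 5000, 10000),
    ("Proxies", 2000, 60000),
    ("Scanner and brute-force", 1000, 20000),
    ("Exposed vulnerable services", 2000, 4000),
]
PRIORITY = {name: rank for rank, (name, _, _) in enumerate(EDLS)}
CAPACITY = {name: {"Standard": std, "Full": full} for name, std, full in EDLS}


def assign_lists(feed):
    """feed: ip -> (score, set of list names the IP qualifies for).
    Returns list name -> IPs, each IP in exactly one list (the highest-severity
    one it qualifies for) and each list ordered highest priority first."""
    lists = {name: [] for name, _, _ in EDLS}
    for ip, (score, names) in feed.items():
        target = min(names, key=PRIORITY.__getitem__)
        lists[target].append((score, ip))
    return {name: [ip for _, ip in sorted(entries, key=lambda e: (-e[0], e[1]))]
            for name, entries in lists.items()}


def trim_for_tier(lists, tier):
    """Top-K trimming at install time: keep only the first K entries per list."""
    return {name: ips[:CAPACITY[name][tier]] for name, ips in lists.items()}


def list_for_ip(installed, ip):
    """Name of the installed EDL that contains the IP, or None on that platform."""
    for name, ips in installed.items():
        if ip in ips:
            return name
    return None


def sample_feed():
    """Constructed sample: 2,500 proxy IPs with descending scores, plus one IP
    that is both a commercial VPN exit and C2 infrastructure."""
    feed = {}
    for i in range(2500):
        ip = str(ipaddress.IPv4Address(0x0A000000 + i))   # 10.0.0.0 + i
        feed[ip] = (2500 - i, {"Proxies"})
    feed["10.99.0.1"] = (1, {"VPN", "C2 infrastructure"})
    return feed


if __name__ == "__main__":
    lists = assign_lists(sample_feed())
    low = lists["Proxies"][-1]            # lowest-ranked proxy IP in the feed
    for tier in ("Standard", "Full"):
        installed = trim_for_tier(lists, tier)
        print(tier, "tier:", low, "->", list_for_ip(installed, low))
```

On the Standard tier the lowest-ranked proxy IP is trimmed away and matches no EDL, while the same IP matches the Proxies list on a Full tier platform.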