PAN-OS & Panorama

Advanced IP Defense

Enable Advanced IP Defense on PAN-OS 12.2 and later or on PAN-OS 11.1.x and later using predefined EDLs.

Create an Advanced IP Defense Profile (PAN-OS 12.2 and Later)

Configure Advanced IP Defense on your firewall to enable real-time IP address inspection and enforcement based on IP attributes and direct-to-IP detection.
Advanced IP Defense provides real-time IP address inspection and enforcement to protect against threats that bypass traditional DNS and URL-based controls. By enabling Advanced IP Defense, you can enforce policies based on over 40 dynamic IP attributes and detect direct-to-IP connections that indicate potential malware or data exfiltration attempts.
  1. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  2. Create or update an Advanced IP Defense profile.
    Select Objects > Security Profiles > Advanced IP Defense and click Add to create a new profile or select an existing profile to edit.
    Enter a name and description for the profile. You can also select a default profile to use as a template.
    Each profile contains:
    • Match rules—One or more rules that specify an IP attribute category, an optional tag filter, and a logical operator.
    • IP match field—Specifies whether the profile evaluates the source IP or destination IP of each session. This setting applies to all rules in the profile.
    • Action—Each rule specifies an action: alert (log and allow), block (log and drop), or deny (drop without logging).
    • Log severity—Configurable per rule to control how the match appears in your threat logs.
    • Cache-miss behavior—On a cache miss, the firewall allows the initial session to pass (fail-open) and asynchronously queries the Advanced IP Defense cloud service for a verdict. Once the cloud responds, the local cache is populated and the policy is enforced on all subsequent sessions matching that IP. If you configure the profile for strict enforcement, the firewall drops traffic on cache miss only while the Advanced IP Defense cloud service is reachable; if the service becomes unreachable, the firewall reverts to fail-open to prevent a network outage.
    A default profile ships with the content update package and contains match rules for all available IP attribute categories with the action set to alert. This gives you immediate visibility into IP-based threats without blocking traffic. You can clone the default profile to create custom profiles tailored to your security requirements.
  3. Configure policy rules within the Advanced IP Defense profile.
    Click Add Rule to create rules that match traffic based on IP attributes or direct-to-IP detection. For each rule, specify:
    • IP Match Field—Select whether the rule evaluates the source IP or destination IP of each session. Use source IP to detect inbound threats from known malicious infrastructure. Use destination IP to detect outbound connections to C2 servers, anonymizers, or compromised hosts.
    • Match criteria—Select one or more IP attribute categories (such as Malware & C2, Anonymizers & Proxies, or Direct-to-IP) or individual tags within a category. Use logical operators (AND, OR, NOT) to build compound match conditions.
    • Action—Set to Alert (log and allow), Block (log and drop), or Deny (drop without logging). Start with Alert during initial deployment to evaluate detection accuracy before enabling Block.
    • Log severity—Set the severity level (Critical, High, Medium, Low, or Informational) to control how the match appears in your threat logs and SIEM. Higher severity levels can trigger automated responses through log forwarding profiles.
    When you build match rules, the following constraints apply:
    • You can match by an entire category or by individual tags within a category, but not both in the same rule.
    • The Direct to IP (No-DNS) category has no individual tags. When you select it, the rule evaluates whether the connection occurred without a preceding DNS resolution.
    • The Netblock Owner category supports tag-based matching only. You must specify individual tags (such as AWS Cloud, GCP Cloud, or CDN) rather than matching the entire category.
    • A NOT operation accepts only one item (one category or one tag).
    • You can combine two categories or tags using AND or OR operators to build compound match criteria.
    Rules are evaluated in order from top to bottom. The first matching rule determines the action. Position your most specific, highest-severity rules at the top of the list. See Security Policy for more information about rule ordering and evaluation logic.
  4. Configure exceptions and allowlists.
    Click the Exceptions tab to define entries that bypass specific Advanced IP Defense checks. Exceptions prevent false positives for known-good traffic without disabling protection for other connections.
    • External Dynamic List (EDL)—Reference an IP-based EDL to allowlist known-good IP addresses from Advanced IP Defense evaluation. Use this for dynamic infrastructure where IP addresses change frequently (such as your own cloud services or CDN providers). The EDL updates automatically without requiring a commit. See External Dynamic Lists for EDL configuration details.
    • No-DNS Bypass—Specify IP addresses, ports, or IP-port combinations for protocols that legitimately use direct-to-IP connections (such as BGP, SIP, or STUN). These entries skip the No-DNS (direct-to-IP) check while still allowing other IP attribute checks to proceed.
    Exceptions are evaluated before policy rules. If a connection matches an exception, the corresponding check is skipped for that connection.
  5. Click OK to save the Advanced IP Defense profile.
    The profile is now created and ready to be attached to security zones.
  6. Attach the Advanced IP Defense profile to security zones.
    Select Network > Zones and select the zone where you want to enforce Advanced IP Defense policies. In the zone configuration, select the Advanced IP Defense profile you created.
    You can attach the same profile to multiple zones or create different profiles for different zones based on your security requirements. For example, apply a strict blocking profile to your internet-facing untrust zone and an alert-only profile to internal zones during the initial deployment period.
    See Configure a Zone for more information about zone configuration and profile assignment.
  7. Commit your changes.
    Click Commit to apply the Advanced IP Defense configuration to your firewall.
  8. Monitor Advanced IP Defense activity.
    Select Monitor > Logs > Threat to view logs for traffic that matched Advanced IP Defense rules. You can filter logs by IP attributes, direct-to-IP detection, or specific rules to track blocked threats and validate policy effectiveness.
After enabling Advanced IP Defense, you can create additional profiles for different security zones or refine your existing rules based on traffic patterns and security requirements. Monitor the logs regularly to ensure your policies are effective and adjust rules as needed.
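As an added illustration (not PAN-OS code or configuration), the following Python model follows the evaluation order described in steps 3 and 4: exceptions first, fail-open on a cache miss, then rules top-down with the first match deciding; validate rejects rules that break the listed match-rule constraints. Category and tag names are the ones used above; the strict-enforcement cache-miss mode and the asynchronous cloud lookup are assumed away and not modelled.

```python
from dataclasses import dataclass, field

NO_DNS = "Direct to IP (No-DNS)"   # category with no individual tags

@dataclass
class Rule:
    name: str
    op: str       # "SINGLE", "AND", "OR" or "NOT"
    items: list   # ("category", name) or ("tag", category, tag)
    action: str   # "alert", "block" or "deny"

@dataclass
class Profile:
    rules: list                                        # evaluated top-down
    edl_allowlist: set = field(default_factory=set)    # IP-based EDL exception
    no_dns_bypass: set = field(default_factory=set)    # ports that may skip the No-DNS check

def validate(rule):  # enforce the match-rule constraints from step 3
    if len({it[0] for it in rule.items}) > 1:
        raise ValueError(f"{rule.name}: cannot mix a whole category with tags")
    if rule.op == "NOT" and len(rule.items) != 1:
        raise ValueError(f"{rule.name}: NOT accepts exactly one item")
    if rule.op in ("AND", "OR") and len(rule.items) != 2:
        raise ValueError(f"{rule.name}: AND/OR combine exactly two items")
    for it in rule.items:
        if it[0] == "category" and it[1] == "Netblock Owner":
            raise ValueError(f"{rule.name}: Netblock Owner is tag-matchable only")
        if it[0] == "tag" and it[1] == NO_DNS:
            raise ValueError(f"{rule.name}: {NO_DNS} has no tags")
    return rule

def item_hit(item, attrs, no_dns, skip_no_dns):
    if item[1] == NO_DNS:                  # direct-to-IP check, unless bypassed
        return no_dns and not skip_no_dns
    if item[0] == "category":
        return item[1] in attrs
    return item[2] in attrs.get(item[1], set())

def evaluate(profile, ip, port, attrs, no_dns=False):
    """attrs is the cached verdict {category: {tags}}, or None on a cache miss."""
    if ip in profile.edl_allowlist:        # exceptions run before any rule
        return "allow", "edl-exception"
    if attrs is None:                      # cache miss: fail open, cloud queried asynchronously
        return "allow", "cache-miss"
    skip = port in profile.no_dns_bypass
    for rule in profile.rules:             # first matching rule decides
        hits = [item_hit(it, attrs, no_dns, skip) for it in rule.items]
        if (not hits[0]) if rule.op == "NOT" else (all(hits) if rule.op == "AND" else any(hits)):
            return rule.action, rule.name
    return "allow", "no-match"
```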

Create an Advanced IP Defense Profile (PAN-OS 11.1.x and Later)

Configure Advanced IP Defense on PAN-OS 11.1.x and later using predefined External Dynamic Lists (EDLs) to block malicious IP addresses.
For PAN-OS 11.1.x and later, Advanced IP Defense is available through predefined External Dynamic Lists (EDLs) that are automatically delivered via content updates. These EDLs contain curated, priority-ranked lists of malicious IP addresses identified by the Advanced IP Defense cloud service, allowing you to block threats using your existing security policy rules. On PAN-OS 12.2 and later, you can also use the full Advanced IP Defense profile-based architecture for granular attribute-level matching and direct-to-IP detection.
The Advanced IP Defense EDLs are delivered in the antivirus content package and installed automatically when you update dynamic content. The system performs Top-K trimming at install time based on your hardware platform's EDL capacity, so the same content package works across all supported devices. Each list is ranked by priority in descending order (first entry = highest priority).
  1. Verify that you have an active Advanced IP Defense license.
    Select Device > Licenses and verify that the Advanced IP Defense license is available and has not expired.
  2. Update to the latest content package.
    Select Device > Dynamic Updates and check for the latest antivirus content release. The Advanced IP Defense EDLs are delivered through this package. See Keep Your Firewall Content Current for scheduling automatic content updates.
  3. Verify that the Advanced IP Defense EDLs are available.
    Select Objects > External Dynamic Lists and look for the predefined Advanced IP Defense EDLs. The following EDLs are delivered through the content package (record counts per tier):
    EDL Name                                   | Description                                                                                              | Standard Tier | Full Tier
    Adv. IP Defense: C2 infrastructure         | IPs hosting C2 services or bound to C2 domains. Covers active command-and-control server infrastructure. | 5,000         | 5,000
    Adv. IP Defense: Hardcoded in malware      | IPs hardcoded in malware samples or appearing in exploitation payload shellcode.                         | 1,000         | 1,000
    Adv. IP Defense: VPN                       | IPs owned by commercial VPN service providers.                                                           | 5,000         | 10,000
    Adv. IP Defense: Proxies                   | IPs hosting proxy services such as HTTP, SOCKS, OpenVPN, and V2Ray.                                      | 2,000         | 60,000
    Adv. IP Defense: Scanner and brute-force   | IPs conducting scanning or brute-force activities.                                                       | 1,000         | 20,000
    Adv. IP Defense: Exposed vulnerable services | IPs hosting publicly reachable services vulnerable to known CVEs or exploits.                          | 2,000         | 4,000
    The AV content package delivers the same set of EDL files to all platforms. At install time, the system automatically trims each list to the appropriate size based on your hardware platform's capacity. You do not need to select a tier manually. Standard tier platforms (such as PA-3200, PA-3400, PA-3500, and PA-5500 series) receive a condensed record set, while Full tier platforms (such as PA-1400, PA-5200, PA-5400, PA-7500 series, VM-Series, and Prisma Access) receive the complete record set.
    An IP address appears in only one EDL even if it has multiple attributes. When an IP qualifies for multiple lists, it is placed in the highest-severity list based on the following priority (highest to lowest): C2 infrastructure, Hardcoded in malware, VPN, Proxies, Scanner and brute-force, Exposed vulnerable services.
  4. Create security policy rules that reference the Advanced IP Defense EDLs.
    Select Policies > Security and create a new security policy rule for each Advanced IP Defense EDL you want to enforce. See Create a Security Policy Rule for detailed instructions on configuring security policy rules.
    For each rule:
    • In the Source or Destination tab, click Add and select the Advanced IP Defense EDL. Use the Source Address field to match inbound traffic from malicious IPs, or the Destination Address field to match outbound traffic to malicious IPs.
    • In the Actions tab, set the action to Deny (block and drop) or Allow with logging enabled (alert-only mode for initial monitoring).
    • In the Actions tab, enable Log at Session End and attach a log forwarding profile to forward matches to your SIEM or Strata Logging Service.
    Position the Advanced IP Defense EDL rules before your general allow rules in the policy rulebase to ensure they are evaluated first. See Security Policy for more information about rule ordering and evaluation.
  5. Commit your changes.
    Click Commit to apply the security policy rules to your firewall.
  6. Monitor EDL-based threat activity.
    Select Monitor > Logs > Traffic to view logs for traffic that matched the Advanced IP Defense EDL rules. Filter by the rule name or use the destination/source EDL columns to identify which EDL triggered the match.
The Advanced IP Defense EDLs are updated with each content package release. Schedule automatic content updates to ensure your EDLs reflect the latest threat intelligence. On PAN-OS 12.2 and later, you can also enable the full Advanced IP Defense profile-based architecture for granular attribute-level matching, direct-to-IP detection, and real-time cloud lookups. The predefined EDLs remain available alongside profile-based controls.
When you upgrade from an earlier PAN-OS release to 12.2 or later, your existing Advanced IP Defense predefined EDLs and the security policy rules that reference them remain intact. You do not need to reconfigure EDL-based policies after the upgrade. You can continue using the EDLs for IP-based blocking while you evaluate and deploy the full profile-based controls.
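As an added illustration (not PAN-OS code), this Python model reproduces the two placement rules from step 3: an IP with several attributes lands only in the highest-severity list, and each list is then Top-K trimmed to the platform tier's record count from the table above. The per-IP scores and addresses are constructed sample data, and which_edl is a hypothetical helper for answering "which list contains this address" when reviewing Traffic logs.

```python
# Added illustration (not PAN-OS code) of the EDL placement and Top-K trimming
# rules described above. The IP records and their scores are constructed.
EDL_PRIORITY = [   # highest to lowest severity; an IP lands only in its first qualifying list
    "C2 infrastructure", "Hardcoded in malware", "VPN",
    "Proxies", "Scanner and brute-force", "Exposed vulnerable services",
]
CAPACITY = {       # per-list record counts from the table in step 3
    "Standard": dict(zip(EDL_PRIORITY, [5000, 1000, 5000, 2000, 1000, 2000])),
    "Full":     dict(zip(EDL_PRIORITY, [5000, 1000, 10000, 60000, 20000, 4000])),
}

def place(records):
    """records: {ip: (score, {lists the IP qualifies for})} -> {list: [ip, ...]} ranked by score."""
    lists = {name: [] for name in EDL_PRIORITY}
    for ip, (score, qualifies) in records.items():
        for name in EDL_PRIORITY:
            if name in qualifies:
                lists[name].append((score, ip))
                break                                   # one list per IP, highest severity wins
    return {name: [ip for _, ip in sorted(rows, key=lambda r: (-r[0], r[1]))]
            for name, rows in lists.items()}            # first entry = highest priority

def trim(lists, tier):
    """Top-K trimming at install time: keep only as many entries as the platform tier allows."""
    return {name: rows[:CAPACITY[tier][name]] for name, rows in lists.items()}

def which_edl(lists, ip):
    """Hypothetical helper: return the single EDL containing ip, or None if it was not listed."""
    return next((name for name, rows in lists.items() if ip in rows), None)

def build(records, tier):
    """Full pipeline: place every record, then trim each list for the given tier."""
    return trim(place(records), tier)
```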