Monitor Advanced IP Defense
Monitor Advanced IP Defense activity through dashboards, threat logs, and the Command Center to track IP-based threats across your network.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| PAN-OS 12.2 and later<br>Strata Cloud Manager<br>PAN-OS 11.1.x and later (EDL-based) | Advanced IP Defense license<br>Strata Logging Service forwarding configured (for Strata Cloud Manager visibility) |
Palo Alto Networks provides several options to monitor Advanced IP Defense activity across your deployment. You can access high-level dashboards that visualize IP attribution trends and direct-to-IP connection patterns, drill down into specific threat sessions through log viewers, and review the overall health of your security subscriptions through the Command Center. The monitoring capabilities you have access to depend on your platform and PAN-OS version.
Advanced IP Defense generates threat logs whenever traffic matches an Advanced IP Defense policy rule. Each log entry records the matched IP attributes, the category and subcategory of the threat, the policy action taken (Block, Allow, or Alert), and session details such as source and destination IP, zone, and user identity. On PAN-OS 12.2 and later, these logs include granular attribute-level detail. On PAN-OS 11.1.x through 12.1.x, logs reflect EDL-based hits against the predefined Advanced IP Defense External Dynamic Lists.
In Strata Cloud Manager, you can monitor Advanced IP Defense through multiple integrated views. The Advanced IP Defense dashboard under Insights provides dedicated widgets that show traffic volume to the Advanced IP Defense cloud service, top direct-to-IP connections, traffic breakdowns by attribute category and subcategory, and a visualization of policy actions across categories. The Activity Insights threat view includes Advanced IP Defense alongside other cloud-delivered security services, and the Command Center Threats page provides an at-a-glance summary of Advanced IP Defense threat counts and best practice assessment status. You can also search for specific IP addresses through IOC Search to view the categories and subcategories associated with that IP.
Palo Alto Networks provides the following methods to monitor Advanced IP Defense activity based on your platform.
| Task | Description |
| --- | --- |
| Activity Insights | Visualize Advanced IP Defense threat trends organized by threat category and subcategory. Use the direct-to-IP filter to isolate outbound connections that bypassed DNS resolution, and drill down into individual detections from the threat chart. |
| Command Center | Get an executive-level summary of Advanced IP Defense threat counts, blocked vs. alerted threats, severity breakdowns, and the top policies generating alerts. Use the trend indicators to track changes in IP-based threat activity over time. |
| Threat Search | Run ad hoc queries against Advanced IP Defense threat logs using Advanced IP Defense-specific fields such as IP attributes, profile name, matched rule, ASN, and direct-to-IP flag. Use auto-suggestion filtering to quickly pivot from a specific detection to all related events. |
| View Logs | Browse threat log entries generated by Advanced IP Defense policy rule matches on the firewall or in Strata Cloud Manager. Review individual session details including matched attributes, policy actions, and connection metadata. |
| Report False Positives | Submit false positive reports to Palo Alto Networks when legitimate traffic is incorrectly matched by Advanced IP Defense policy rules. False positive reports help improve IP attribution accuracy and reduce future misclassifications across all customers. |
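The roll-ups the table describes (Command Center counts per action and category, the Activity Insights direct-to-IP filter, and the Threat Search pivot from one detection to related events) can be reproduced offline over exported log data. The following is an added example, not Palo Alto Networks code; it assumes a simplified CSV layout built from the field names this page lists, not the real PAN-OS threat log format, and the records are constructed.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample records in an assumed CSV layout that borrows this page's field
# names; it is NOT the real PAN-OS threat log format, only an illustration.
SAMPLE_LOGS = """\
src,dst,category,subcategory,action,policy,direct_to_ip
10.1.1.5,203.0.113.10,malware,c2,block,AID-Block-C2,yes
10.1.1.7,198.51.100.20,proxy,anonymizer,alert,AID-Alert-Proxy,no
10.1.1.5,203.0.113.11,malware,c2,block,AID-Block-C2,yes
10.1.1.9,192.0.2.30,scanner,bruteforce,alert,AID-Alert-Scanner,yes
10.1.1.7,198.51.100.21,proxy,anonymizer,allow,AID-Allow-Proxy,no
"""

@dataclass(frozen=True)
class ThreatRecord:
    src: str
    dst: str
    category: str
    subcategory: str
    action: str
    policy: str
    direct_to_ip: bool

def parse_logs(text: str) -> list[ThreatRecord]:
    """Parse header-led CSV into records; any action outside Block/Allow/Alert is rejected."""
    header, *rows = text.strip().splitlines()
    fields = header.split(",")
    records = []
    for row in rows:
        r = dict(zip(fields, row.split(",")))
        if r["action"].lower() not in ("block", "alert", "allow"):
            raise ValueError(f"unexpected policy action: {r['action']}")
        records.append(ThreatRecord(r["src"], r["dst"], r["category"], r["subcategory"],
                                    r["action"].lower(), r["policy"], r["direct_to_ip"] == "yes"))
    return records

def summarize(records: list[ThreatRecord]) -> dict:
    """Command Center style roll-up plus the Activity Insights direct-to-IP filter."""
    return {
        "by_action": Counter(r.action for r in records),
        "by_category": Counter((r.category, r.subcategory, r.action) for r in records),
        "alert_policies": Counter(r.policy for r in records if r.action == "alert"),
        "direct_to_ip": [r for r in records if r.direct_to_ip],
    }

def related_events(records: list[ThreatRecord], seed: ThreatRecord) -> list[ThreatRecord]:
    """Threat Search style pivot: every event sharing the seed's category and subcategory."""
    return [r for r in records if (r.category, r.subcategory) == (seed.category, seed.subcategory)]
```

Adapt `parse_logs` to the actual export format of your log source before using the roll-up on real data.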