Report Advanced IP Defense False Positives
Report false positive detections to Palo Alto Networks to improve Advanced IP Defense attribution accuracy and reduce operational disruption.
Where Can I Use This?
  • PAN-OS 12.2 and later
  • Strata Cloud Manager
  • PAN-OS 11.1.x and later (EDL-based)
What Do I Need?
  • Advanced IP Defense license
  • Admin access to firewall or Strata Cloud Manager
Advanced IP Defense maintains a false positive rate of 1% or less for IP attribution. However, in some cases, a legitimate IP address may be incorrectly assigned an attribute that causes your policy rules to block or alert on traffic that should be allowed. When this occurs, you can mitigate the immediate impact by creating an exception or allowlist entry, and then report the false positive to Palo Alto Networks so the research team can investigate and correct the attribution.
False positives in IP attribution can occur for several reasons. Shared hosting environments may cause an IP to inherit attributes from a malicious tenant that previously used the same address. Cloud provider IP ranges are frequently reassigned between customers, and attribution updates may lag behind the reassignment. Legitimate services that exhibit behavior similar to malicious activity, such as high-volume scanning for security research, may be misclassified. Reporting false positives helps the Advanced IP Defense research team refine their detection methods and update the IP attribute database for all customers.
  1. Identify the false positive in your Advanced IP Defense logs.
    Review the threat logs to find the log entry for the traffic you believe was incorrectly matched. Note the following details from the log entry:
    • Destination IP address that was incorrectly attributed
    • IP attribute category and subcategory that triggered the match
    • Policy rule name and action taken
    • Timestamp of the event
    • The legitimate service or application that the IP hosts
  2. Create an exception to mitigate the immediate impact.
    While you investigate and report the false positive, create an exception in your Advanced IP Defense profile for the affected IP address. This prevents the IP from being blocked or alerted on while the false positive report is under review. You can create an IP-based exception, an IP-port pair exception for more granular control, or an EDL-based exception if multiple related IPs are affected. Keep the exception as narrow as the traffic allows: an exception suppresses the attribute match entirely for whatever it covers, so if the legitimate service listens on a known port, prefer an IP-port pair over the bare IP, and record the exception so it is not forgotten once the attribution is corrected.
  3. Gather supporting evidence for the false positive report.
    Collect information that demonstrates the IP is legitimate. This can include:
    • The domain name and service hosted on the IP
    • Forward and reverse DNS records showing the IP is associated with a legitimate domain (a PTR record alone is weak evidence, because whoever controls the reverse zone can set it; the name it returns should also resolve back to the IP)
    • WHOIS information for the IP showing the registered owner
    • Traffic patterns showing the IP is used for legitimate business purposes
    • Any relevant threat intelligence reports from third-party sources that confirm the IP is benign
  4. Report the false positive to Palo Alto Networks.
    Open a support case with Palo Alto Networks and include the following information:
    • The IP address and the attribute that you believe is a false positive
    • The supporting evidence you gathered
    • The Advanced IP Defense threat log entries showing the incorrect match
    • Your firewall model, PAN-OS version, and Advanced IP Defense profile configuration
    The Advanced IP Defense research team tracks all false positive reports through a change request process and investigates each report to determine whether the attribution should be corrected.
  5. Monitor for the attribution correction.
    After reporting the false positive, track the support case and monitor your Advanced IP Defense logs for the affected IP. Once the research team corrects the attribution, the IP's attributes are updated in the Advanced IP Defense cloud service and the correction propagates to your firewall on the next cache refresh. The cache TTL for most threat-related attributes is 300 seconds (5 minutes), so corrections typically take effect within minutes of being published. Once the case confirms the correction, remove the temporary exception you created and verify that no new matches for the IP appear in the threat logs; an exception that is left in place keeps suppressing attribute matches for that address indefinitely.
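The five steps above can be scripted so that the log triage, the forward-confirmed DNS check, the exception EDL and the support-case payload are produced from one place. The following Python script is an added example, not Palo Alto Networks code: the threat-log export is a constructed CSV whose column names (ts, src, dst, category, subcategory, rule, action) are assumed for illustration, and the DNS lookups are injectable so the script runs offline; map the columns to your own export and drop in real lookups when you build an actual case.

```python
"""Triage an Advanced IP Defense false positive from a threat-log export.

Added example, not Palo Alto Networks code. The column names and sample rows
below are constructed; adapt them to the fields your own export contains.
"""
import csv
import io
import ipaddress
import json
import socket

# Constructed sample export. Only the last two rows involve the IP under review.
SAMPLE_LOG = """ts,src,dst,category,subcategory,rule,action
2025-05-01T09:58:11Z,10.1.2.30,198.51.100.7,malware,c2,block-aipd-high,drop
2025-05-01T10:02:42Z,10.1.2.15,203.0.113.25,scanner,mass-scanner,alert-aipd-scanners,alert
2025-05-01T10:03:01Z,10.1.2.15,203.0.113.25,scanner,mass-scanner,alert-aipd-scanners,alert
"""


def find_matches(log_text, ip):
    """Step 1: return the rows whose destination is the suspected false positive."""
    ip = str(ipaddress.ip_address(ip))  # normalize and reject malformed input early
    return [r for r in csv.DictReader(io.StringIO(log_text)) if r["dst"] == ip]


def fcrdns_check(ip, reverse_lookup=None, forward_lookup=None):
    """Step 3: forward-confirmed reverse DNS.

    A PTR record alone proves little (the owner of the reverse zone can set it
    to anything), so the name it returns must also resolve back to the IP.
    Lookups are injectable so the check can run offline in tests.
    """
    reverse_lookup = reverse_lookup or (lambda a: socket.gethostbyaddr(a)[0])
    forward_lookup = forward_lookup or (
        lambda n: [ai[4][0] for ai in socket.getaddrinfo(n, None)])
    try:
        name = reverse_lookup(ip)
        return name, ip in set(forward_lookup(name))
    except OSError:  # covers socket.herror and socket.gaierror
        return None, False


def exception_edl(entries):
    """Step 2: text of an IP-type external dynamic list, one address or CIDR per line."""
    nets = {ipaddress.ip_network(e, strict=False) for e in entries}
    ordered = sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return "\n".join(str(n) for n in ordered) + "\n"


def build_report(matches, evidence, environment):
    """Step 4: assemble the support-case payload from the collected pieces."""
    if not matches:
        raise ValueError("no log rows for that IP; check the address and time range")
    attrs = sorted({(m["category"], m["subcategory"]) for m in matches})
    return {
        "ip": matches[0]["dst"],
        "attributes_disputed": [f"{c}/{s}" for c, s in attrs],
        "first_seen": min(m["ts"] for m in matches),
        "last_seen": max(m["ts"] for m in matches),
        "rules_hit": sorted({(m["rule"], m["action"]) for m in matches}),
        "evidence": evidence,
        "environment": environment,
        "log_entries": matches,
    }


def attribution_cleared(log_text, ip, disputed_attributes):
    """Step 5: True when none of the disputed attributes still fire for ip in fresh logs."""
    still = {f'{m["category"]}/{m["subcategory"]}' for m in find_matches(log_text, ip)}
    return still.isdisjoint(disputed_attributes)


if __name__ == "__main__":
    ip = "203.0.113.25"
    matches = find_matches(SAMPLE_LOG, ip)
    # Offline stand-ins for DNS; remove these arguments to perform real lookups.
    name, confirmed = fcrdns_check(ip, reverse_lookup=lambda a: "scanner.example.org",
                                   forward_lookup=lambda n: ["203.0.113.25"])
    report = build_report(
        matches,
        evidence={"ptr": name, "fcrdns_confirmed": confirmed,
                  "whois_org": "fill in from WHOIS"},          # constructed placeholder
        environment={"model": "fill in", "panos": "12.2", "profile": "fill in"},
    )
    print(json.dumps(report, indent=2))
    print(exception_edl([ip]), end="")
```

The `ValueError` in `build_report` is deliberate: a case with no matching log rows usually means the wrong address or time window was chosen, and it is better to stop than to open a support case with no evidence. After the case is closed, run `attribution_cleared` over a fresh export with the exception removed to confirm the corrected attribution has reached the firewall.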