| Cloud lookup timeout | The firewall queried the Advanced IP Defense cloud service for IP attributes but didn't receive a response within the configured timeout. Traffic is allowed without attribute enforcement (fail-open). | Increase the cloud lookup timeout value if your network has high latency. Verify network connectivity to the Advanced IP Defense cloud service endpoints on port 443. Check whether a proxy server is required and properly configured. |
| DNS cache at maximum capacity | The firewall's local DNS cache reached its maximum capacity for storing DNS response records. The firewall fails open on direct-to-IP detection and doesn't take action on no-DNS traffic until capacity is available. | Monitor DNS cache utilization. A sustained full cache may indicate that the firewall is processing a high volume of DNS traffic relative to its hardware capacity. Review whether all zones require direct-to-IP detection or if you can limit it to high-risk zones. |
| IP not in cloud database | The Advanced IP Defense cloud service has no attributes for the queried IP. If a Bloom filter (negative cache) is deployed, the firewall skips the cloud lookup entirely for IPs known to have no attributes. | No action required. Not all publicly routable IPs have assigned attributes. The Bloom filter reduces unnecessary cloud lookups for these IPs and is refreshed periodically through the cloud storage bucket. |
| Private IP address | The destination IP is a private (RFC 1918) address. Advanced IP Defense only evaluates publicly routable IPv4 addresses. Private IPs are automatically allowed without any cloud lookup or attribute check. | No action required. This is expected behavior. Advanced IP Defense is designed to protect against threats on public IP address space only. |
| IP in AIPD allowlist | The destination IP matches an entry in the AIPD allowlist. The firewall skips the attribute lookup entirely. However, the IP's netblock owner attributes (such as cloud provider) are still available in the allowlist entry for attribute-based enforcement. | Review the AIPD allowlist entries if you believe a malicious IP is being allowed. Allowlist entries are pre-populated by the Advanced IP Defense research team and updated through the cloud storage bucket. Contact Palo Alto Networks Support if you believe an allowlist entry is incorrect. |
| IP in no-DNS allowlist | The destination IP or port matches an entry in the no-DNS allowlist, causing the firewall to skip the direct-to-IP detection check. The traffic is treated as if a prior DNS resolution occurred. Other IP attribute checks still apply. | Review the no-DNS allowlist if you believe direct-to-IP connections to a specific IP should be flagged. The no-DNS allowlist covers protocols that legitimately connect directly to IP addresses (such as BGP, SIP, STUN, and MQTT) as well as well-known service IPs. |
| Stale allowlist data | The firewall can't reach the cloud storage bucket to pull updated allowlist files. It continues using the most recently cached version, but entries may be outdated. | Verify network connectivity to the cloud storage endpoint. Check whether firewall security policies or proxy configurations are blocking outbound access. Review the last successful allowlist pull timestamp in the firewall system logs. |
| Allowlist truncated due to memory limits | The firewall's available memory can't hold the full per-tenant allowlist. Lower-priority entries are dropped. The priority order from highest to lowest is: no-DNS ports, no-DNS IPs, no-DNS IP-port pairs, generic IP subnets, and generic individual IPs. | Review the firewall's memory utilization. The cloud service stores the full allowlist without memory constraints, so cloud-side checks still use the complete list. IPs that were dropped from the local allowlist are checked against the cloud service on a cache miss. |
| No Advanced IP Defense profile attached to zone | Traffic passes through a security zone that doesn't have an Advanced IP Defense profile attached. No attribute lookup or direct-to-IP detection occurs for traffic in that zone. | Verify that an Advanced IP Defense profile is attached to all security zones where you want IP-based threat protection. Select the zone configuration and confirm the Advanced IP Defense profile assignment. |
| EDL not referenced in security rules (PAN-OS 12.1.x and 11.2.x) | On PAN-OS 12.1.x and 11.2.x, Advanced IP Defense uses predefined EDLs. If no security policy rule references these EDLs, traffic to malicious IPs isn't blocked. | Verify that your security policy rules reference the predefined Advanced IP Defense EDLs in the source or destination address fields. Ensure the latest content package is installed, as the EDLs are delivered through content updates. |
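The rows above describe a sequence of local decisions (private-address bypass, AIPD and no-DNS allowlists, Bloom-filter negative cache, cloud lookup with fail-open timeout) plus the priority order used when an allowlist is truncated. The following Python model, added here as an illustration and not PAN-OS code, walks constructed sessions through that sequence so the interactions are visible: which conditions still flag direct-to-IP traffic, which skip the lookup, and which entries survive a memory-constrained allowlist. The check order, the Bloom-filter sizing, the `LocalState` structure, the simulated cloud latency and every IP, port and size value are assumptions; the TEST-NET addresses are constructed sample data.

```python
"""Model of the local Advanced IP Defense decision path. Added example, not
PAN-OS code: check order, Bloom sizing, data structures and all sample
IPs, ports and sizes are constructed assumptions."""
import hashlib
import ipaddress
from dataclasses import dataclass, field
from enum import Enum

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Allowlist priority from the table, highest to lowest.
PRIORITY = ("nodns_port", "nodns_ip", "nodns_pair", "subnet", "ip")


class Verdict(Enum):
    NOT_EVALUATED = "private or non-IPv4 address: allowed, no lookup"
    AIPD_ALLOWLIST = "IP in AIPD allowlist: attribute lookup skipped"
    NOT_IN_CLOUD = "IP not in cloud database: negative cache hit"
    TIMEOUT = "cloud lookup timeout: allowed without enforcement (fail-open)"
    ENFORCE = "attributes returned: policy applies"


class BloomFilter:
    """Negative cache of IPs known to have no attributes (constructed). It
    never misses an added key, but a false positive would skip the lookup
    for an IP that does have attributes, so sizing and refresh matter."""
    def __init__(self, size_bits=4096, hashes=3):
        self.size, self.hashes = size_bits, hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, key):
        for i in range(self.hashes):
            digest = hashlib.sha256(f"{i}:{key}".encode()).digest()
            yield int.from_bytes(digest[:4], "big") % self.size

    def add(self, key):
        for p in self._positions(key):
            self.bits[p // 8] |= 1 << (p % 8)

    def might_contain(self, key):
        return all(self.bits[p // 8] & (1 << (p % 8))
                   for p in self._positions(key))


@dataclass
class LocalState:
    aipd_allowlist: list = field(default_factory=list)  # ip_network objects
    nodns_ports: set = field(default_factory=set)
    nodns_ips: set = field(default_factory=set)         # ip_address objects
    nodns_pairs: set = field(default_factory=set)       # (ip_address, port)
    negative_cache: BloomFilter = field(default_factory=BloomFilter)
    timeout_s: float = 1.0


def evaluate(dst_ip, dst_port, dns_seen, state, cloud):
    """Return (verdict, direct_to_ip_flagged) for one session. cloud(ip,
    timeout_s) stands in for the service: attribute dict, or None on timeout."""
    ip = ipaddress.ip_address(dst_ip)
    if ip.version != 4 or any(ip in net for net in RFC1918):
        return Verdict.NOT_EVALUATED, False
    # Direct-to-IP is flagged only when no DNS resolution preceded the
    # session and no no-DNS allowlist entry (port, IP or pair) covers it.
    exempt = (dst_port in state.nodns_ports or ip in state.nodns_ips
              or (ip, dst_port) in state.nodns_pairs)
    direct_to_ip = not dns_seen and not exempt
    if any(ip in net for net in state.aipd_allowlist):
        return Verdict.AIPD_ALLOWLIST, direct_to_ip
    if state.negative_cache.might_contain(str(ip)):
        return Verdict.NOT_IN_CLOUD, direct_to_ip
    attrs = cloud(str(ip), state.timeout_s)
    if attrs is None:
        return Verdict.TIMEOUT, direct_to_ip  # fail-open
    return Verdict.ENFORCE, direct_to_ip


def truncate_allowlist(entries, budget_bytes):
    """Keep higher-priority entries first until the memory budget is spent.
    entries: list of (kind, value, size_bytes); returns (kept, dropped)."""
    kept, dropped, used = [], [], 0
    for entry in sorted(entries, key=lambda e: PRIORITY.index(e[0])):
        if used + entry[2] <= budget_bytes:
            kept.append(entry)
            used += entry[2]
        else:
            dropped.append(entry)
    return kept, dropped


def demo():
    """Run constructed sessions (TEST-NET addresses) through the model."""
    state = LocalState(aipd_allowlist=[ipaddress.ip_network("198.51.100.0/24")],
                       nodns_ports={179, 5060}, timeout_s=0.5)  # BGP, SIP
    state.negative_cache.add("203.0.113.77")  # cloud has no attributes for it
    slow = {"203.0.113.200": 2.0}             # simulated latency in seconds

    def cloud(ip, timeout_s):
        if slow.get(ip, 0.1) > timeout_s:
            return None
        return {"netblock_owner": "example-provider"}

    return {name: evaluate(ip, port, dns, state, cloud) for name, ip, port, dns in [
        ("private", "10.1.2.3", 443, False),
        ("allowlist", "198.51.100.7", 443, False),
        ("bloom", "203.0.113.77", 443, True),
        ("timeout", "203.0.113.200", 443, True),
        ("bgp", "203.0.113.50", 179, False),
        ("direct", "203.0.113.50", 8443, False)]}
```

Two points the model makes concrete: the AIPD allowlist skips only the attribute lookup, so a session to an allowlisted IP with no preceding DNS resolution is still flagged as direct-to-IP; and `truncate_allowlist` drops the generic subnet and individual-IP entries before any no-DNS entry, which is why a memory-constrained firewall keeps its protocol exemptions while relying on the cloud-side check for the dropped generic entries. `sorted()` is stable, so entries of one kind keep their configured order.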