Verify Advanced IP Defense Cloud Connectivity
Monitor the health of communication between your firewall and the Advanced IP Defense cloud service to ensure reliable threat detection.
Where Can I Use This? / What Do I Need?
  • PAN-OS 12.2 and later
  • Strata Cloud Manager
  • Advanced IP Defense license
  • Admin access to firewall or Strata Cloud Manager
Advanced IP Defense depends on continuous communication with the cloud service for real-time IP attribute lookups, direct-to-IP detection, and allowlist updates. If this communication degrades, the firewall falls back to locally cached data or fails open (passes traffic without an attribute check), reducing detection coverage. Monitoring cloud connectivity health helps you identify issues before they affect your security posture and lets you distinguish cloud-side service disruptions from local network or configuration problems.
The firewall exchanges two types of messages with the Advanced IP Defense cloud service during normal operation. DNS response copies (IP-TTL pairs from A and AAAA records) are forwarded to the cloud to build a per-tenant DNS state table used for direct-to-IP detection. AIPD lookup requests query the cloud for IP attributes when the firewall encounters a cache miss. A healthy deployment shows a steady flow of both message types. A drop in lookup volume may indicate a connectivity issue, while a spike may indicate that cached attributes are expiring faster than expected or that the Bloom filter (negative cache) needs refreshing.
In addition to real-time lookups, the firewall periodically pulls two per-tenant allowlist files from a cloud storage bucket: one for the AIPD allowlist and one for the no-DNS allowlist. These pulls occur at regular intervals. If the firewall can't reach the storage endpoint, it continues to use the most recently cached version of the allowlists, but entries may become stale over time. You can verify allowlist freshness by checking the timestamp of the last successful pull.
You can check the overall operational status of the Advanced IP Defense cloud service on the Palo Alto Networks Service Status Page. This page provides real-time incident reports, performance degradation notices, and scheduled maintenance windows for all cloud-delivered security services, including Advanced IP Defense. The service status can display as Operational, Degraded Performance, or Service Unavailable.
Health indicator: Cloud lookup volume
  What it tells you: Whether the firewall is actively querying the cloud for IP attributes. A sudden drop indicates a connectivity issue or a misconfiguration.
  Where to check: Advanced IP Defense dashboard (AIPD Cloud Traffic widget) in Strata Cloud Manager

Health indicator: Cloud lookup timeout rate
  What it tells you: The percentage of cloud lookups that exceed the configured timeout. A high timeout rate means more traffic is being fail-opened without attribute checks.
  Where to check: Threat logs filtered for Advanced IP Defense entries with no attribute match

Health indicator: Allowlist last update timestamp
  What it tells you: Whether the firewall is successfully pulling fresh allowlist files from the cloud storage bucket. A stale timestamp indicates a connectivity issue to the storage endpoint.
  Where to check: Firewall system logs or cloud service status in PAN-OS

Health indicator: DNS state table size
  What it tells you: Whether the firewall's DNS cache is approaching maximum capacity. When the cache is full, the firewall fails open on direct-to-IP detection.
  Where to check: Firewall system resources in PAN-OS

Health indicator: Cloud service status
  What it tells you: Whether the Advanced IP Defense cloud service is operational, experiencing degraded performance, or unavailable.
  Where to check: Palo Alto Networks Service Status Page
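As an added example, not code from Palo Alto Networks' documentation or products: a small Python health evaluator that applies the five indicators above to one polled sample and then separates cloud-side disruptions from local problems the way the text recommends (status page reporting trouble means the cloud is the first suspect; an Operational status page with failing lookups or pulls points at the local network, DNS, proxy or configuration). The snapshot field names, the thresholds, the 30-minute pull interval and the sample values are all assumptions made for this example; collecting the real values from the firewall or Strata Cloud Manager is not shown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from statistics import median


class Health(Enum):
    OK = "ok"
    WARN = "warn"
    CRIT = "crit"


@dataclass(frozen=True)
class AipdSnapshot:
    """One polling sample of the health indicators. Field names are an assumption
    of this example, not PAN-OS or Strata Cloud Manager API fields."""
    collected_at: datetime
    lookups_per_interval: tuple      # cloud lookup counts per interval, oldest first
    lookups_timed_out: int           # lookups in the newest interval that hit the timeout
    allowlist_last_pull: datetime    # last successful pull of the two allowlist files
    dns_state_entries: int
    dns_state_capacity: int
    cloud_service_status: str        # wording as shown on the Service Status Page


def check_lookup_volume(series, drop_ratio=0.5, spike_ratio=2.0):
    """Compare the newest interval with the median of the earlier ones. A drop
    points at connectivity or configuration; a spike at attributes expiring
    early or a Bloom filter (negative cache) that needs refreshing."""
    if len(series) < 3:
        return Health.WARN, "not enough intervals for a baseline"
    baseline, latest = median(series[:-1]), series[-1]
    if baseline == 0 and latest == 0:
        return Health.CRIT, "no cloud lookups observed at all"
    if latest < baseline * drop_ratio:
        return Health.CRIT, f"lookups dropped to {latest} (baseline {baseline:g})"
    if latest > baseline * spike_ratio:
        return Health.WARN, f"lookups spiked to {latest} (baseline {baseline:g}); check cache TTLs"
    return Health.OK, f"lookups {latest} near baseline {baseline:g}"


def check_timeout_rate(total, timed_out, warn=0.05, crit=0.20):
    """Share of lookups that failed open because the cloud did not answer in time."""
    rate = timed_out / total if total else 0.0
    state = Health.CRIT if rate >= crit else Health.WARN if rate >= warn else Health.OK
    return state, f"{rate:.1%} of {total} lookups timed out (fail-open)"


def check_allowlist_freshness(last_pull, now, pull_interval, warn=2, crit=4):
    """Number of scheduled pulls missed since the last successful one (assumed thresholds)."""
    missed = (now - last_pull) / pull_interval
    state = Health.CRIT if missed >= crit else Health.WARN if missed >= warn else Health.OK
    return state, f"allowlist last pulled {now - last_pull} ago ({missed:.1f} intervals)"


def check_dns_state_table(entries, capacity, warn=0.80, crit=0.95):
    """A full DNS state table makes direct-to-IP detection fail open."""
    util = entries / capacity
    state = Health.CRIT if util >= crit else Health.WARN if util >= warn else Health.OK
    return state, f"DNS state table at {util:.0%} of capacity"


STATUS_MAP = {"Operational": Health.OK, "Degraded Performance": Health.WARN,
              "Service Unavailable": Health.CRIT}


def check_cloud_status(status):
    return STATUS_MAP.get(status, Health.WARN), f"service status page: {status}"


def evaluate(snap, pull_interval=timedelta(minutes=30)):
    """Run every indicator. 30 minutes is an assumed pull interval; the
    documentation only says pulls happen at regular intervals."""
    return {
        "lookup_volume": check_lookup_volume(snap.lookups_per_interval),
        "timeout_rate": check_timeout_rate(snap.lookups_per_interval[-1], snap.lookups_timed_out),
        "allowlist_freshness": check_allowlist_freshness(snap.allowlist_last_pull, snap.collected_at, pull_interval),
        "dns_state_table": check_dns_state_table(snap.dns_state_entries, snap.dns_state_capacity),
        "cloud_service_status": check_cloud_status(snap.cloud_service_status),
    }


def diagnose(results):
    """Cloud-side if the status page already reports trouble; local if the page
    says Operational while any indicator is unhealthy."""
    if results["cloud_service_status"][0] is not Health.OK:
        return "cloud-side"
    if any(state is not Health.OK for state, _ in results.values()):
        return "local"
    return "healthy"


# Constructed samples (not real firewall data).
NOW = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)
HEALTHY_SAMPLE = AipdSnapshot(NOW, (120, 118, 125, 122, 119), 2,
                              NOW - timedelta(minutes=10), 500, 1000, "Operational")
DEGRADED_SAMPLE = AipdSnapshot(NOW, (120, 118, 125, 122, 40), 12,
                               NOW - timedelta(hours=3), 950, 1000, "Operational")
CLOUD_SIDE_SAMPLE = AipdSnapshot(NOW, (120, 118, 125, 122, 40), 12,
                                 NOW - timedelta(hours=3), 500, 1000, "Degraded Performance")

if __name__ == "__main__":
    for name, snap in (("healthy", HEALTHY_SAMPLE), ("degraded", DEGRADED_SAMPLE),
                       ("cloud-side", CLOUD_SIDE_SAMPLE)):
        results = evaluate(snap)
        print(f"== {name}: {diagnose(results)}")
        for indicator, (state, msg) in results.items():
            print(f"  [{state.value:4}] {indicator}: {msg}")
```

The baseline for lookup volume is a median rather than the previous sample so that a single noisy interval does not mask a real drop; tune the ratios and the missed-pull thresholds to your own traffic profile and pull schedule before alerting on them.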