Edit Advanced IP Defense Connectivity Settings

Configure connectivity settings to ensure reliable communication between your firewall and the Advanced IP Defense cloud service.
Where Can I Use This?
  • PAN-OS 12.2 and later
  • Strata Cloud Manager
What Do I Need?
  • Advanced IP Defense license
  • Admin access to firewall or Strata Cloud Manager
  • Network connectivity to Advanced IP Defense cloud service endpoints
Advanced IP Defense relies on continuous communication between the firewall and the cloud service to deliver real-time threat detection. The firewall sends two types of messages to the cloud: copies of DNS response IP-TTL pairs that the cloud service uses to build a per-tenant DNS state table, and Advanced IP Defense lookup requests that query IP attributes and direct-to-IP status for a given destination. Because these exchanges happen inline with traffic processing, connectivity latency and reliability directly affect detection accuracy and user experience.
The cloud lookup timeout controls how long the firewall waits for an attribute response before it stops waiting and lets the session proceed. On a timeout the firewall fails open to preserve business continuity: it allows the traffic rather than blocking it, so that session passes without an attribute check. A lower timeout reduces the latency added for end users but raises the share of lookups that time out and therefore go unchecked; a higher timeout gives the cloud service more time to respond but slows traffic processing. Because every timeout is a silent miss, sustained latency or an outage on the path to the cloud service degrades detection without blocking anything. Tune the value from the measured round-trip time between your firewall and the nearest Advanced IP Defense cloud endpoint, and watch the connectivity status (see the monitoring step in the procedures below) for timeouts and errors rather than assuming the default fits your network.
The firewall caches IP attributes locally to reduce the volume of cloud lookups. Short-lived attributes such as malware C2 indicators and scanning activity have a cache TTL of 300 seconds (5 minutes), while stable attributes such as netblock owner and cloud provider classifications have a cache TTL of 86,400 seconds (24 hours). The firewall queries the cloud service only on a cache miss, that is, when it encounters an IP that isn't in the local cache or whose cached attributes have expired. An optional Bloom filter acts as a negative cache: it tells the firewall which IPs the cloud service has no attributes for, so those lookups can be skipped entirely.
The firewall also periodically pulls updated allowlist files from a cloud storage bucket to pre-populate known-safe entries locally. This pull occurs at regular intervals and delivers two per-tenant files: one for the Advanced IP Defense allowlist and one for the no-DNS allowlist. If the firewall can't reach the cloud storage endpoint, it continues to use the most recent cached version of the allowlists. When the firewall reaches its maximum DNS cache capacity, it fails open on direct-to-IP detection and takes no action on no-DNS traffic until capacity is available again; like a lookup timeout, a full DNS cache degrades detection silently rather than blocking traffic.
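The mechanics described in the preceding paragraphs, as an added Python model. This is illustration code written for this page, not PAN-OS code: it implements a local attribute cache with the two TTL classes (300 s for volatile attributes, 86,400 s for stable ones), an optional Bloom-filter negative cache, a cloud lookup that fails open when the simulated round trip exceeds the 100 ms default timeout, and a per-tenant DNS state table that fails open on direct-to-IP detection when it is full. The attribute names (malware_c2, scanning, netblock_owner, cloud_provider), the Bloom filter construction (the page does not say what the filter stores; here it holds the IPs that do have attributes, so a negative membership test is exact), the simulated cloud service, the fake clock and the table capacity are all assumptions made for the example.

```python
import hashlib

SHORT_TTL, LONG_TTL = 300, 86_400             # seconds: volatile vs stable attributes
VOLATILE = {"malware_c2", "scanning"}          # assumed attribute names; anything else is stable


class BloomFilter:
    """IPs the cloud has attributes for. No false negatives, so 'not in filter' means
    the lookup can be skipped safely; a false positive only costs one lookup. (Assumed
    construction; the page only says the filter flags IPs with no attributes.)"""
    def __init__(self, bits=8192, k=3):
        self.bits, self.k, self.arr = bits, k, bytearray(bits // 8)
    def _positions(self, key):
        for i in range(self.k):
            d = hashlib.sha256(f"{i}|{key}".encode()).digest()
            yield int.from_bytes(d[:4], "big") % self.bits
    def add(self, key):
        for p in self._positions(key):
            self.arr[p >> 3] |= 1 << (p & 7)
    def may_contain(self, key):
        return all(self.arr[p >> 3] & (1 << (p & 7)) for p in self._positions(key))


class FakeClock:
    def __init__(self): self.t = 0.0            # deterministic clock: advance without sleeping
    def now(self): return self.t
    def advance(self, seconds): self.t += seconds


class LookupClient:
    """Firewall side: local cache, optional negative cache, bounded cloud lookup."""
    def __init__(self, cloud, clock, timeout_ms=100, bloom=None):
        self.cloud, self.clock, self.bloom = cloud, clock, bloom   # cloud(ip) -> (latency_s, attrs)
        self.timeout_s = timeout_ms / 1000.0
        self.cache = {}                                            # ip -> (expires_at, frozenset)
        self.counts = {"hit": 0, "miss": 0, "negative": 0, "timeout": 0}

    def lookup(self, ip):
        """Return (attributes, source); source is cache, negative-cache, cloud or fail-open."""
        now = self.clock.now()
        if ip in self.cache and self.cache[ip][0] > now:
            self.counts["hit"] += 1
            return self.cache[ip][1], "cache"
        if self.bloom is not None and not self.bloom.may_contain(ip):
            self.counts["negative"] += 1
            return frozenset(), "negative-cache"
        self.counts["miss"] += 1                      # not cached or expired: ask the cloud
        latency_s, attrs = self.cloud(ip)
        if latency_s > self.timeout_s:
            self.counts["timeout"] += 1               # fail open: traffic passes unchecked
            return frozenset(), "fail-open"
        attrs = frozenset(attrs)
        # An entry lives as long as its shortest-lived attribute; an empty answer is kept briefly.
        ttl = SHORT_TTL if (not attrs or attrs & VOLATILE) else LONG_TTL
        self.cache[ip] = (now + ttl, attrs)
        return attrs, "cloud"


class DnsStateTable:
    """Per-tenant (IP, TTL) pairs copied from DNS responses. A destination never seen in a
    response is direct-to-IP; when the table is full the firewall fails open on that check."""
    def __init__(self, clock, capacity):
        self.clock, self.capacity, self.table = clock, capacity, {}
    def _expire(self):
        now = self.clock.now()
        self.table = {ip: exp for ip, exp in self.table.items() if exp > now}
    def record(self, ip, ttl):
        self._expire()
        if ip not in self.table and len(self.table) >= self.capacity:
            return False                              # full: response not recorded
        self.table[ip] = self.clock.now() + ttl
        return True
    def direct_to_ip(self, dst):
        """False if dst was resolved, True if never resolved, None when full (fail open)."""
        self._expire()
        if dst in self.table:
            return False
        return None if len(self.table) >= self.capacity else True


def demo_lookups():
    clock, bloom = FakeClock(), BloomFilter()
    # Constructed stand-in for the cloud service: ip -> (round-trip seconds, attributes).
    catalogue = {"203.0.113.5": (0.020, {"malware_c2", "netblock_owner"}),
                 "198.51.100.9": (0.030, {"cloud_provider"}),
                 "192.0.2.77": (0.250, {"scanning"})}        # slower than the 100 ms timeout
    for ip in catalogue: bloom.add(ip)
    fw = LookupClient(lambda ip: catalogue.get(ip, (0.020, set())), clock, 100, bloom)
    trace = [fw.lookup("203.0.113.5")[1], fw.lookup("203.0.113.5")[1]]     # cloud, cache
    clock.advance(301)                                                    # volatile TTL passed
    trace += [fw.lookup("203.0.113.5")[1], fw.lookup("198.51.100.9")[1]]  # cloud, cloud
    clock.advance(301)                                                    # stable TTL still valid
    trace += [fw.lookup("198.51.100.9")[1], fw.lookup("192.0.2.77")[1],   # cache, fail-open
              fw.lookup("192.0.2.200")[1]]                                # negative-cache
    return trace, fw.counts


def demo_dns_capacity(capacity=2):
    clock = FakeClock()
    dns = DnsStateTable(clock, capacity)
    dns.record("203.0.113.5", 60)
    dns.record("198.51.100.9", 60)
    verdicts = [dns.direct_to_ip("203.0.113.5"), dns.direct_to_ip("192.0.2.77")]  # False, None
    clock.advance(61)                                 # entries expire, capacity returns
    verdicts.append(dns.direct_to_ip("192.0.2.77"))   # True: never resolved
    return verdicts
```

Running `demo_lookups()` shows the three outcomes that matter operationally: the C2-tagged IP is re-queried after five minutes while the cloud-provider-only IP is still served from cache, the slow lookup is counted as a timeout and returns no attributes even though the cloud does have a verdict for that IP, and the IP absent from the Bloom filter never generates a lookup at all. `demo_dns_capacity()` shows the DNS table answering None (no action) for an unresolved destination while it is full, then True once entries have expired.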

Edit Advanced IP Defense Connectivity Settings in Strata Cloud Manager

Configure Strata Cloud Manager connectivity settings to enable communication with the Advanced IP Defense cloud service for real-time IP attribute lookups and direct-to-IP detection.
Strata Cloud Manager manages connectivity settings for cloud-managed firewalls and Prisma Access deployments. Connectivity settings control how your cloud-managed infrastructure communicates with the Advanced IP Defense cloud service. Proper connectivity configuration ensures optimal performance and reliability of Advanced IP Defense threat detection across your cloud-managed environment.
  1. Use the credentials associated with your Palo Alto Networks support account and log in to the Strata Cloud Manager on the hub.
  2. Access the Advanced IP Defense connectivity settings in Strata Cloud Manager.
    Select Configuration > Device Settings > Cloud Services to access connectivity settings for cloud-based security services.
  3. Configure the cloud lookup timeout value.
    The cloud lookup timeout determines how long the cloud-managed infrastructure waits for a response from the Advanced IP Defense cloud service before timing out. The default timeout is 100 milliseconds.
    Enter a timeout value in milliseconds. Consider your network latency and cloud service response times when setting this value. A lower timeout reduces latency but may result in more fail-open scenarios. A higher timeout provides more time for cloud lookups but may impact traffic processing speed.
    If the cloud lookup times out, traffic is allowed by default (fail-open) to ensure business continuity. Adjust the timeout based on your network conditions and security requirements.
  4. (Optional) Configure proxy server settings for cloud connectivity.
    If your cloud-managed infrastructure is deployed behind a proxy server or in an environment that requires proxy authentication, you must configure proxy settings to enable communication with the Advanced IP Defense cloud service.
    Select Configuration > Device Settings > Services and configure the proxy server settings:
    • Enter the proxy server IP address or FQDN
    • Specify the proxy server port number
    • Enter proxy authentication credentials if required
    • Enable the option to use proxy for inline cloud services
    The proxy server password must contain a minimum of six characters.
  5. Verify network connectivity to Advanced IP Defense cloud service endpoints.
    Ensure that your cloud-managed infrastructure has network connectivity to the Advanced IP Defense cloud service endpoints. The infrastructure must be able to reach the cloud service on port 443 (HTTPS) for secure communication.
    You can verify connectivity by:
    • Checking network routing to ensure traffic to cloud service endpoints is not blocked
    • Verifying that security policies allow outbound HTTPS traffic to cloud service IPs
    • Confirming that any proxy servers or firewalls between your infrastructure and the internet allow traffic to the cloud service
  6. Configure DNS resolution for cloud service endpoints.
    The cloud-managed infrastructure must be able to resolve the Advanced IP Defense cloud service domain names to IP addresses. Ensure that your infrastructure has access to DNS servers that can resolve these domain names.
    Select Configuration > Device Settings > Services and verify that DNS servers are configured. You can specify primary and secondary DNS servers to ensure redundancy.
  7. Test connectivity to the Advanced IP Defense cloud service.
    After configuring connectivity settings, test the connection to verify that the cloud-managed infrastructure can reach the Advanced IP Defense cloud service.
    Select Configuration > Device Settings > Services and click Test Connectivity to verify that the infrastructure can successfully communicate with the cloud service. A successful test confirms that your connectivity settings are correct.
  8. Monitor cloud service connectivity status.
    After enabling Advanced IP Defense, monitor the connectivity status to ensure the cloud-managed infrastructure maintains a stable connection to the cloud service.
    Select Monitor > System > Cloud Services to view the status of cloud service connections. Check for any connectivity errors or warnings that may indicate network issues.
  9. Commit your changes.
    Click Commit to apply the connectivity settings to your Strata Cloud Manager configuration.

Edit Advanced IP Defense Connectivity Settings in PAN-OS and Panorama

Configure PAN-OS and Panorama connectivity settings to enable communication with the Advanced IP Defense cloud service for real-time IP attribute lookups and direct-to-IP detection.
PAN-OS and Panorama manage connectivity settings for on-premises firewalls and Panorama-managed deployments. Connectivity settings control how your firewall or Panorama communicates with the Advanced IP Defense cloud service. Proper connectivity configuration ensures optimal performance and reliability of Advanced IP Defense threat detection across your on-premises infrastructure.
  1. Access the Advanced IP Defense connectivity settings.
    In PAN-OS or Panorama, select Device > Setup > Content-ID to access the global connectivity settings for cloud-based security services.
  2. Configure the cloud lookup timeout value.
    The cloud lookup timeout determines how long the firewall waits for a response from the Advanced IP Defense cloud service before timing out. The default timeout is 100 milliseconds.
    Enter a timeout value in milliseconds. Consider your network latency and cloud service response times when setting this value. A lower timeout reduces latency but may result in more fail-open scenarios. A higher timeout provides more time for cloud lookups but may impact traffic processing speed.
    If the cloud lookup times out, traffic is allowed by default (fail-open) to ensure business continuity. Adjust the timeout based on your network conditions and security requirements.
  3. (Optional) Configure proxy server settings for cloud connectivity.
    If your firewall is deployed behind a proxy server or in an environment that requires proxy authentication, you must configure proxy settings to enable communication with the Advanced IP Defense cloud service.
    Select Device > Setup > Services and configure the proxy server settings:
    • Enter the proxy server IP address or FQDN
    • Specify the proxy server port number
    • Enter proxy authentication credentials if required
    • Enable the option to use proxy for inline cloud services
    The proxy server password must contain a minimum of six characters.
  4. Verify network connectivity to Advanced IP Defense cloud service endpoints.
    Ensure that your firewall has network connectivity to the Advanced IP Defense cloud service endpoints. The firewall must be able to reach the cloud service on port 443 (HTTPS) for secure communication.
    You can verify connectivity by:
    • Checking firewall routing to ensure traffic to cloud service endpoints is not blocked
    • Verifying that security policies allow outbound HTTPS traffic to cloud service IPs
    • Confirming that any proxy servers or firewalls between your firewall and the internet allow traffic to the cloud service
  5. Configure DNS resolution for cloud service endpoints.
    The firewall must be able to resolve the Advanced IP Defense cloud service domain names to IP addresses. Ensure that your firewall has access to DNS servers that can resolve these domain names.
    Select Device > Setup > Services and verify that DNS servers are configured. You can specify primary and secondary DNS servers to ensure redundancy.
  6. Test connectivity to the Advanced IP Defense cloud service.
    After configuring connectivity settings, test the connection to verify that the firewall can reach the Advanced IP Defense cloud service.
    Select Device > Setup > Services and click Test Connectivity to verify that the firewall can successfully communicate with the cloud service. A successful test confirms that your connectivity settings are correct.
  7. Monitor cloud service connectivity status.
    After enabling Advanced IP Defense, monitor the connectivity status to ensure the firewall maintains a stable connection to the cloud service.
    Select Monitor > System > Cloud Services to view the status of cloud service connections. Check for any connectivity errors or warnings that may indicate network issues.
  8. Commit your changes.
    Click Commit to apply the connectivity settings to your firewall.
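Steps 4 to 6 of this procedure, and steps 5 to 7 of the Strata Cloud Manager procedure above, verify DNS resolution and HTTPS reachability from the GUI. The added script below, written for this page and not Palo Alto Networks code, performs the same checks from an administrator's workstation and turns measured latency into a timeout decision for step 2: it resolves the endpoint name, opens TCP 443 either directly or through an HTTP proxy using CONNECT with optional Basic credentials, samples connect times, and reports what share of those samples would exceed the configured cloud lookup timeout, which is the share of lookups that would fail open at that setting. The page does not name the cloud service endpoints, so the hostname is taken from the command line; the nearest-rank percentiles, the 20% headroom and the rounding to 10 ms are tuning assumptions, not vendor figures. Measurements from a workstation are a floor for what the firewall's data plane will see, not a substitute for the firewall's own connectivity status.

```python
import math
import socket
import sys
import time
from base64 import b64encode


def percentile(samples, p):
    """Nearest-rank percentile of a non-empty list, p in 0..100."""
    ordered = sorted(samples)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def assess_timeout(samples_ms, timeout_ms, headroom_pct=120):
    """Compare measured round trips with the configured cloud lookup timeout.
    fail_open_fraction is the share of samples slower than the timeout, i.e. the
    share of lookups that would pass with no attribute check at this setting.
    recommended_ms is p99 plus headroom, rounded up to 10 ms (assumed heuristic)."""
    p50, p95, p99 = (percentile(samples_ms, p) for p in (50, 95, 99))
    over = sum(1 for s in samples_ms if s > timeout_ms)
    return {"p50_ms": p50, "p95_ms": p95, "p99_ms": p99,
            "fail_open_fraction": over / len(samples_ms),
            "recommended_ms": math.ceil(p99 * headroom_pct / 1000) * 10}


def resolve(host):
    """DNS check: the addresses the endpoint name resolves to (empty list means failure)."""
    try:
        infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({ai[4][0] for ai in infos})


def connect(host, port=443, proxy=None, timeout=3.0):
    """TCP connection to host:port, direct or via an HTTP proxy's CONNECT method.
    proxy is (proxy_host, proxy_port, user_or_None, password_or_None); this is the
    workstation-side test, not how the firewall itself speaks to its proxy."""
    if proxy is None:
        return socket.create_connection((host, port), timeout=timeout)
    phost, pport, user, password = proxy
    s = socket.create_connection((phost, pport), timeout=timeout)
    req = f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n"
    if user is not None:
        token = b64encode(f"{user}:{password}".encode()).decode()
        req += f"Proxy-Authorization: Basic {token}\r\n"
    s.sendall((req + "\r\n").encode())
    status = s.recv(4096).split(b"\r\n", 1)[0]          # e.g. HTTP/1.1 200 Connection established
    if b" 200 " not in status:
        s.close()
        raise ConnectionError(f"proxy refused CONNECT: {status.decode(errors='replace')}")
    return s


def sample_rtt(host, port=443, n=20, proxy=None):
    """Time n TCP connects to host:port (through the proxy when given), in milliseconds."""
    out = []
    for _ in range(n):
        t0 = time.perf_counter()
        connect(host, port, proxy).close()
        out.append((time.perf_counter() - t0) * 1000)
    return out


if __name__ == "__main__":
    # usage: python check_aipd.py <cloud-endpoint-hostname> [timeout_ms] [proxy_host:port]
    if len(sys.argv) < 2:
        sys.exit("usage: check_aipd.py <endpoint-hostname> [timeout_ms] [proxy_host:port]")
    host = sys.argv[1]
    timeout_ms = int(sys.argv[2]) if len(sys.argv) > 2 else 100   # 100 ms is the documented default
    proxy = None
    if len(sys.argv) > 3:
        phost, pport = sys.argv[3].rsplit(":", 1)
        proxy = (phost, int(pport), None, None)
    addrs = resolve(host)
    print("resolves to:", addrs or "NOTHING (fix DNS before tuning the timeout)")
    if addrs:
        print(assess_timeout(sample_rtt(host, proxy=proxy), timeout_ms))
```

Read the result against the fail-open behaviour described in step 2: a `fail_open_fraction` of 0.05 means one lookup in twenty would already be passing unchecked at that timeout from this vantage point, and the firewall's own path is unlikely to be faster. If `recommended_ms` is far above the default, the better fix is usually the path (routing, proxy placement, choice of region) rather than a very long timeout that slows every first-seen destination.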