Advanced IP Defense Predefined EDLs (PAN-OS 11.1 and PAN-OS 12.1)
Reference for the predefined external dynamic lists (EDLs) that deliver Advanced IP Defense intelligence to enforcement points running PAN-OS 11.1 through 12.1.x.
| Where Can I Use This? | What Do I Need? |
| NGFW (Managed by Strata Cloud Manager); NGFW (Managed by PAN-OS or Panorama); VM-Series; Cloud NGFW for AWS; Cloud NGFW on Azure; Prisma Access | Advanced IP Defense license; PAN-OS 11.1 through 12.1.x; Latest AV content update |
The following predefined External Dynamic Lists (EDLs) deliver curated subsets of Advanced IP Defense intelligence through the Anti-Virus content package. These EDLs apply only to enforcement points running PAN-OS 11.1 through 12.1.x. If you are running PAN-OS 12.2 or a later release, use the full Advanced IP Defense profile-based controls instead.
| EDL Name | Description |
| Advanced IP Defense: C2 | IPs hosting command-and-control services or bound to C2 domains |
| Advanced IP Defense: Hardcoded in Malware | IPs hardcoded in malware samples or appearing in exploitation payload shellcode |
| Advanced IP Defense: VPN | IPs owned by commercial VPN service providers |
| Advanced IP Defense: Proxies | IPs hosting proxy services (HTTP, SOCKS, OpenVPN, V2Ray) |
| Advanced IP Defense: Scanner and Brute-force | IPs actively conducting scanning or brute-force activities |
| Advanced IP Defense: Exposed Vulnerable Services | IPs hosting publicly reachable services vulnerable to known CVEs or exploits |
The AV content package delivers the same set of EDL files to all platforms. At install
time, the system automatically trims each list to the appropriate size based on your
platform's hardware capacity. You do not need to select a tier manually — the content
update determines the correct size for your enforcement point.
If an IP has multiple attributes, it appears in only one EDL based on severity priority
(highest to lowest): C2 infrastructure, Hardcoded in malware, VPN, Proxies, Scanner and
brute-force, Exposed vulnerable services.
Each EDL ranks IPs by priority in descending order. If platform capacity requires
truncation, the list retains the highest-priority entries.
EDL Priority and Deduplication
- The Standard tier is a strict subset of the Full tier. Every IP in the Standard
EDL also appears in the Full EDL.
- Your enforcement point receives only one tier per EDL category based on its
hardware profile. The content update handles tier selection automatically.
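
The severity-priority and truncation rules described on this page, modelled as an added example (not Palo Alto Networks code): each IP goes to its highest-severity EDL, each list is ranked, and a capacity cap keeps the top entries. The numeric scores, the caps of 3 and 2, the documentation-range IPs and the function names are assumptions made for illustration; the page does not publish tier sizes or the ranking metric.

```python
# Added example: models the page's one-EDL-per-IP rule and capacity trimming.
# All IPs (RFC 5737 ranges), scores and caps below are constructed.
from collections import defaultdict

# Severity order stated on the page, highest first.
PRIORITY = ["C2", "Hardcoded in Malware", "VPN", "Proxies",
            "Scanner and Brute-force", "Exposed Vulnerable Services"]

# ip -> (ranking score, attributes observed for that IP); constructed sample.
INTEL = {
    "192.0.2.10": (90, {"C2", "VPN"}),
    "192.0.2.11": (70, {"VPN"}),
    "192.0.2.12": (40, {"VPN", "Proxies"}),
    "192.0.2.13": (85, {"Proxies", "Scanner and Brute-force"}),
    "192.0.2.14": (60, {"VPN"}),
}

def build_edls(intel, cap):
    """Place each IP in its highest-severity list, rank, then trim to cap."""
    edls = defaultdict(list)
    for ip, (score, attrs) in intel.items():
        unknown = attrs - set(PRIORITY)
        if unknown:
            raise ValueError(f"{ip}: unknown attribute(s) {sorted(unknown)}")
        if attrs:  # an IP with no attributes lands in no list
            edls[min(attrs, key=PRIORITY.index)].append((score, ip))
    # Highest score first; ties broken by IP string so output is stable.
    return {cat: [ip for _, ip in sorted(rows, key=lambda r: (-r[0], r[1]))[:cap]]
            for cat, rows in edls.items()}

def matching_edls(ip, edls):
    """EDL names a policy lookup for this IP would hit."""
    return [cat for cat in PRIORITY if ip in edls.get(cat, [])]

if __name__ == "__main__":
    full, standard = build_edls(INTEL, cap=3), build_edls(INTEL, cap=2)
    for ip in INTEL:
        print(ip, "full:", matching_edls(ip, full),
              "standard:", matching_edls(ip, standard))
```

In this model a rule that references only the VPN EDL does not match 192.0.2.10, because that IP is listed under C2, and under the smaller cap 192.0.2.12 drops off the VPN list without appearing under Proxies. Policies meant to cover a behaviour such as VPN use should therefore reference the higher-severity EDLs as well.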