How Advanced IP Defense Works

Advanced IP Defense attaches security profiles to zones rather than individual Security policy rules, providing real-time cloud-backed IP inspection across all traffic that crosses a zone boundary.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • NGFW (Managed by PAN-OS or the Panorama® management server)
  • VM-Series
  • Cloud NGFW for AWS
  • Cloud NGFW on Azure
  • Prisma Access

What Do I Need?
  • Advanced IP Defense license
  • PAN-OS 12.2 and later

Zone-Based Enforcement

A security zone is a grouping of one or more interfaces (physical or virtual) that represents a segment of your network. Traffic flows freely within a zone, but it cannot move between zones without a Security policy rule that explicitly allows it. The more granular your zones, the more control you have over what traffic can reach sensitive applications and data.
You attach an Advanced IP Defense profile to one or more zones; those zones can be referenced by any number of Security policy rules. The profile then inspects all traffic entering or leaving the zone, regardless of which Security policy rule the traffic matches. This means:
  • Broader coverage — The profile inspects every session that traverses the zone boundary. You do not need to add the profile to every Security policy rule individually.
  • One profile per zone — Each zone supports exactly one Advanced IP Defense profile. If you need different enforcement actions for different network segments, create separate zones with separate profiles.
  • One profile across many zones — You can attach a single profile to multiple zones to apply consistent enforcement across your network.
  • Immediate effect — When you attach a profile to a zone, enforcement begins on the next session that crosses that zone boundary. When you remove a profile, inspection stops immediately.
Because Advanced IP Defense operates at the zone level, it inspects traffic before and independently of Security policy rule evaluation. This provides a foundational layer of IP reputation enforcement that complements your existing rule-based security policies.

Traffic Inspection Flow

When your enforcement point processes a session in a zone that has an Advanced IP Defense profile, the following inspection flow occurs:
  1. Allowlist check — The enforcement point checks whether the destination IP appears on the golden or customized allowlist. If the IP matches an allowlist entry, it bypasses the cloud lookup entirely.
  2. Local cache check — The enforcement point checks its local IP attribute cache (up to 1 million entries). If a valid (non-expired) entry exists, the enforcement point uses the cached verdict to evaluate the session against the profile match rules.
  3. Cloud lookup (asynchronous) — On a cache miss, the enforcement point immediately allows the session to pass (fail-open) and asynchronously sends a query to the Advanced IP Defense cloud service through the Management Plane. Once the verdict is returned, the local cache is populated and the policy is strictly enforced on all subsequent sessions matching that IP.
  4. Match evaluation — The enforcement point evaluates the returned attributes against the profile match rules. Rules specify an IP attribute category, a tag (or all tags in a category), and an action (alert or block). The enforcement point logs the result and enforces the configured action.
The default cache-miss behavior is fail-open: the firewall allows the initial session to pass without delaying or dropping it, then enforces the policy on subsequent sessions once the cloud verdict populates the local cache. If a strict security posture is configured to drop traffic on unknown lookups, the firewall drops packets only while the Advanced IP Defense cloud service is reachable. If the Advanced IP Defense cloud service becomes unreachable, the firewall reverts to fail-open to prevent a network outage.
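The inspection flow above, modelled as a small Python simulation. This is an added example, not Palo Alto Networks code or the firewall's implementation: the class and method names (ZoneInspector, MatchRule, complete_lookups), the cache TTL, the eviction rule, the merging of the golden and customized allowlists into one list, the rule-precedence choice (a block from any matching rule wins), and the sample categories, tags and addresses are all assumptions made for the example. What it keeps from the text is the order of steps (allowlist, local cache, asynchronous cloud lookup with fail-open, match evaluation), the 1 million entry cache bound, the strict posture that drops on unknown lookups only while the cloud is reachable, and log entries shaped like the ip-defense Threat log subtype.

```python
"""Model of the Advanced IP Defense zone inspection flow (added illustration,
not Palo Alto Networks code). Names, TTL, eviction, rule precedence and all
sample data are assumptions; only the step order and fail-open/strict
behaviour follow the documented flow."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set

Attributes = Dict[str, Set[str]]  # IP attribute category -> tags from the cloud


@dataclass(frozen=True)
class MatchRule:
    category: str
    tag: Optional[str]  # None means "all tags in this category"
    action: str         # "alert" or "block"


class ZoneInspector:
    """Inspection state for one zone with an Advanced IP Defense profile attached."""

    MAX_CACHE_ENTRIES = 1_000_000  # documented local IP attribute cache size

    def __init__(self, rules: List[MatchRule], allowlist: List[str],
                 cloud_lookup: Callable[[str], Attributes],
                 strict: bool = False, ttl: float = 300.0):
        self.rules = rules
        # golden + customized allowlist entries merged into one list (assumption)
        self.allowlist = [ipaddress.ip_network(n) for n in allowlist]
        self.cloud_lookup = cloud_lookup  # raises ConnectionError when unreachable
        self.strict = strict              # drop on unknown lookups while cloud answers
        self.ttl = ttl                    # assumed TTL; the page gives no value
        self.now = 0.0                    # simulated clock, advanced by tick()
        self.cache: Dict[str, tuple] = {}  # ip -> (attributes, expires_at)
        self.pending: List[str] = []      # queries queued for the Management Plane
        self.cloud_reachable = True
        self.threat_log: List[dict] = []  # entries with subtype "ip-defense"

    def tick(self, seconds: float) -> None:
        self.now += seconds

    def _allowlisted(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowlist)

    def evaluate(self, ip: str) -> str:
        """Decision for a new session: returns 'allow' or 'block'."""
        if self._allowlisted(ip):               # step 1: allowlist, no cloud lookup
            return "allow"
        hit = self.cache.get(ip)
        if hit is not None and hit[1] > self.now:   # step 2: valid cache entry
            return self._match(ip, hit[0])
        if ip not in self.pending:              # step 3: miss, query asynchronously
            self.pending.append(ip)
        if self.strict and self.cloud_reachable:
            return "block"                      # strict posture drops only while reachable
        return "allow"                          # default fail-open: first session passes

    def complete_lookups(self) -> None:
        """Simulate asynchronous cloud responses arriving and filling the cache."""
        queued, self.pending = self.pending, []
        for ip in queued:
            try:
                attrs = self.cloud_lookup(ip)
            except ConnectionError:
                self.cloud_reachable = False    # strict mode now reverts to fail-open
                continue
            self.cloud_reachable = True
            if len(self.cache) >= self.MAX_CACHE_ENTRIES:
                self.cache.pop(next(iter(self.cache)))  # evict oldest insertion (assumption)
            self.cache[ip] = (attrs, self.now + self.ttl)

    def _match(self, ip: str, attrs: Attributes) -> str:
        """Step 4: evaluate attributes against the rules; any matching block rule wins."""
        verdict = "allow"
        for rule in self.rules:
            tags = attrs.get(rule.category, set())
            matched = sorted(tags) if rule.tag is None else [t for t in [rule.tag] if t in tags]
            for tag in matched:                 # one log entry per triggering tag
                self.threat_log.append({"subtype": "ip-defense", "ip": ip,
                                        "category": rule.category, "tag": tag,
                                        "action": rule.action})
            if matched and rule.action == "block":
                verdict = "block"
        return verdict


# Constructed sample cloud verdicts; categories, tags and addresses are invented.
SAMPLE_CLOUD_DATA: Dict[str, Attributes] = {
    "198.51.100.7": {"Threat": {"scanner"}},
    "203.0.113.9": {"Anonymizer": {"tor-exit"}},
    "192.0.2.44": {},  # known to the cloud, no attributes
}


class FlappingCloud:
    """Cloud stub that can be taken offline to exercise the strict-mode fallback."""
    def __init__(self) -> None:
        self.online = True

    def __call__(self, ip: str) -> Attributes:
        if not self.online:
            raise ConnectionError("Advanced IP Defense cloud unreachable")
        return SAMPLE_CLOUD_DATA.get(ip, {})


PROFILE = [MatchRule("Threat", "scanner", "block"), MatchRule("Anonymizer", None, "alert")]


def run_default_posture():
    insp = ZoneInspector(PROFILE, ["10.0.0.0/8"], FlappingCloud())
    out = [insp.evaluate("10.1.2.3")]           # allowlisted: allow, never queried
    out.append(insp.evaluate("198.51.100.7"))   # cache miss: fail-open allow
    insp.complete_lookups()
    out.append(insp.evaluate("198.51.100.7"))   # cached scanner verdict: block
    out.append(insp.evaluate("203.0.113.9"))    # another miss: fail-open allow
    insp.complete_lookups()
    out.append(insp.evaluate("203.0.113.9"))    # alert-only rule: allow, but logged
    insp.tick(301)
    out.append(insp.evaluate("198.51.100.7"))   # entry expired: fail-open again
    return out, insp.threat_log


def run_strict_posture():
    cloud = FlappingCloud()
    insp = ZoneInspector(PROFILE, [], cloud, strict=True)
    out = [insp.evaluate("192.0.2.44")]         # unknown, cloud reachable: drop
    insp.complete_lookups()
    out.append(insp.evaluate("192.0.2.44"))     # cached with no attributes: allow
    cloud.online = False
    out.append(insp.evaluate("198.51.100.7"))   # unknown, still believed reachable: drop
    insp.complete_lookups()                     # lookup fails, cloud marked unreachable
    out.append(insp.evaluate("203.0.113.9"))    # unknown, cloud down: fail-open
    return out


if __name__ == "__main__":
    print(run_default_posture())
    print(run_strict_posture())
```

The two scenarios are the ones a practitioner should verify on a real deployment before moving rules from alert to block: in the default posture the very first session to a newly seen IP is always admitted, so a one-shot connection from a listed address is logged only after the fact, and in the strict posture a cloud outage silently turns every unknown IP back into an allow.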

Default Profile

Advanced IP Defense ships a default profile named default through the content update package. The default profile contains match rules for all available IP attribute categories with every action set to alert. This gives you immediate visibility into IP-based threats without blocking any traffic, allowing you to monitor Advanced IP Defense verdicts and tune your security posture before enforcing block actions.
You can clone the default profile to create custom profiles with specific match rules and actions tailored to your security requirements. You can also modify the default profile directly, but Palo Alto Networks recommends cloning it first so you always retain the baseline configuration for reference.

Content Updates

The PAN-OS content update package delivers the IP attribute categories, tags, and default profile configuration. When Palo Alto Networks introduces new categories or tags, they appear in the profile configuration UI after you install the updated content package. This content-driven model means you can adopt new security capabilities without upgrading PAN-OS.
The Advanced IP Defense cloud service independently updates its IP classification algorithms and allowlists. Your enforcement point periodically downloads updated allowlists from the Advanced IP Defense cloud service to keep local allowlist entries current.

Logging

Advanced IP Defense generates a dedicated log subtype (ip-defense) under Threat logs. Each log entry includes the matched IP attribute category, the specific tag that triggered the match, the enforcement action (alert or block), and the evaluated IP address. You can view Advanced IP Defense logs alongside other threat logs in the PAN-OS web interface, Panorama, or Strata Cloud Manager Log Viewer.