How the GlobalProtect App Selects Prisma Access Locations for Mobile Users
Focus
Focus
Prisma Access

How the GlobalProtect App Selects Prisma Access Locations for Mobile Users

Table of Contents

How the GlobalProtect App Selects Prisma Access Locations for Mobile Users

Learn how the GlobalProtect app selects a location when Prisma Access mobile users log on.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Prisma Access license
When a mobile user connects to a Prisma Access location, the app uses the following selection process to determine to which location it connects.
You enable the mobile user locations where you want Prisma Access to be present during mobile user onboarding. If you do not select the location during onboarding, Prisma Access does not use it in your deployment.
  • If the mobile user connects in a country that has a Prisma Access location, the user connects to the location in that country.
  • If the mobile user cannot connect to an in-country location for any reason, Prisma Access selects from one of the following mobile user locations to connect the user based on region.
    • Asia, Australia & Japan: Hong Kong, Japan Central, or Japan South
    • Africa, Europe & Middle East: Netherlands Central
    • North America & South America: US Northwest
    Palo Alto Networks recommends that you enable at least one of these locations in their respective regions during mobile user onboarding to provide redundancy. If you have mobile users who connect to Prisma Access from a country that does not have a Prisma Access location, you must enable at least one of the fallback locations in the preceding list.
    The Hong Kong, Japan Central, Japan South, Netherlands Central, and US Northwest locations can accept client connections from anywhere and are known as global fallback locations. In addition to these locations, you can enable one or more of the following locations which also act as global fallback locations:
    • Bahrain
    • France North
    • Ireland
    • South Africa West
    • South Korea
  • Palo Alto Networks recommends that you enable locations in more than one compute location for redundancy purposes.
  • If you use on-premises gateways with Prisma Access locations, you can specify priorities in Prisma Access to let mobile users connect to either a specific on-premises GlobalProtect gateway or a Prisma Access location. See Manage Priorities for for details.
  • When mobile users connect, the GlobalProtect app does not use the following Prisma Access locations in the automatic gateway selection process, even if you selected the Prisma Access locations in the plugin during onboarding. However, mobile users can still manually select one of these locations and set it as a preferred location (gateway) as long as you allow them to manually select those locations during mobile user onboarding:
    • Australia: Australia East
    • Brazil: Brazil East and Brazil Central
    • France: France South
    • Germany: Germany North and Germany South
    • India: India South
    • Mexico: Mexico West
    • Netherlands: Netherlands South
    • Pakistan: Pakistan West
    • Russia: Russia Northwest
    • Spain: Spain East
    You might have to change your Connect Method to On-Demand for the mobile user to manually connect to a gateway.