Static IP Address Allocation for Mobile Users—GlobalProtect Deployments
Learn about the benefits of using a static IP address for mobile users in a Mobile Users—GlobalProtect deployment.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access 5.1 Innovation
  • Minimum GlobalProtect version of 6.1.4
To enable this functionality, reach out to your Palo Alto Networks account representative or partner.
Some legacy networks use IP address-based authorization to restrict users’ access to internal or external resources. A Prisma Access Mobile Users—GlobalProtect deployment assigns users an IP address from the mobile users IP address pool you assign during onboarding, and this user-to-IP address mapping can change in subsequent logins. To retain the user-to-IP address mapping, Prisma Access allows you to assign static IP addresses to users.
You can also allocate IP addresses based on the theater as well as on users.
  • Static IP Address Mapping for Users—By configuring a /32 address in the mobile user IP address pool and using match criteria to associate that user with an IP address, you assign a static IP address that Prisma Access retains for a specific user, allowing you to keep your current IP address-based security policy rules to control a user's access to resources.
  • Theater-Based IP Address Mapping—You can also allocate IP addresses based on the theater your users are in. For example, you can create a /30 subnet for a specific theater. These IP addresses are static for that theater. You can control access to resources based on theater by creating security policy rules that use the IP addresses you specify for that theater.
Use the following guidelines when allocating static IP addresses:
  • If you specify multiple IP pools, Prisma Access evaluates the rules from top to bottom (similar to security policy rule processing) and assigns IP addresses based on the first match in the list of rules. For example, given a user in Europe who logs in to GlobalProtect, Prisma Access evaluates the processing rules. If the user does not match the Any (Worldwide) rule with the /32 subnet, Prisma Access assigns the user an IP address from one of the /24 subnets specified in the Africa, Europe & Middle East IP address pool.
  • You must integrate your Prisma Access deployment with the Cloud Identity Engine.
  • Up to 7,000 IP address pool profiles are supported per tenant.
  • The supported prefix length is between /24 and /32.
  • For each Mobile User Client IP Pool profile you create:
    • Up to 10 IP prefixes are supported.
    • Up to 256 users are supported.
  • Static IP addressing uses a Lease Period and a Grace Period to specify how long Prisma Access keeps a user-to-IP address association.
    • The Lease Period is the amount of time the user-to-IP address mapping is valid after you allocate it.
      The default lease period is 86400 seconds (one day).
      The minimum lease period is 3600 seconds (one hour).
      The maximum lease period is 7776000 seconds (90 days).
    • The Grace Period is the amount of time that, after a lease period expires, Prisma Access retains that user-to-IP address mapping without assigning it to another user.
      The default grace period is 14400 seconds (4 hours).
      The minimum grace period is 60 seconds.
      The maximum grace period is 7776000 seconds (90 days).
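The following model, added here as an illustration and not Prisma Access code, shows how the guidelines above fit together: pool profiles are evaluated top to bottom and the first match wins, a user keeps the same address while the lease is active or in its grace period, and an address in grace is withheld from other users until the grace period ends. The pool names, user names, theater names, addresses, and the short lease and grace values are constructed for the example; treating a login during the lease or grace period as a lease refresh is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass

ANY_THEATER = "Any (Worldwide)"


@dataclass
class Pool:
    name: str
    theater: str            # ANY_THEATER or a specific theater name
    users: frozenset        # empty set means "match any user"
    prefixes: list          # CIDR strings; the page allows /24 through /32
    lease_period: int = 86400   # seconds (page default: one day)
    grace_period: int = 14400   # seconds (page default: 4 hours)


@dataclass
class Lease:
    ip: ipaddress.IPv4Address
    user: str
    pool: str
    start: int              # seconds; time the mapping was (re)allocated


def usable_addresses(net):
    # /31 and /32 have no network or broadcast address to skip
    return list(net) if net.prefixlen >= 31 else list(net.hosts())


class Allocator:
    def __init__(self, pools):
        self.pools = list(pools)
        self.by_name = {p.name: p for p in self.pools}
        self.leases = {}    # IPv4Address -> Lease

    def lease_state(self, lease, now):
        pool = self.by_name[lease.pool]
        age = now - lease.start
        if age < pool.lease_period:
            return "active"
        if age < pool.lease_period + pool.grace_period:
            return "grace"      # kept for the user, withheld from others
        return "expired"        # free for anyone

    def matching_pool(self, user, theater):
        # First match from the top wins, like security policy rule processing
        for pool in self.pools:
            if pool.theater not in (ANY_THEATER, theater):
                continue
            if pool.users and user not in pool.users:
                continue
            return pool
        return None

    def allocate(self, user, theater, now):
        pool = self.matching_pool(user, theater)
        if pool is None:
            return None
        # Reuse the user's own mapping while active or in grace.
        # Assumption: a login during that window restarts the lease clock.
        for lease in self.leases.values():
            if (lease.user == user and lease.pool == pool.name
                    and self.lease_state(lease, now) != "expired"):
                lease.start = now
                return lease.ip
        # Otherwise take the first address that is unassigned or fully expired
        for prefix in pool.prefixes:
            for ip in usable_addresses(ipaddress.ip_network(prefix)):
                current = self.leases.get(ip)
                if current is None or self.lease_state(current, now) == "expired":
                    self.leases[ip] = Lease(ip, user, pool.name, now)
                    return ip
        return None     # pool exhausted


def example_pools():
    # Constructed profiles: a /32 for one user above a theater-wide /24,
    # with a one-hour lease and a ten-minute grace to keep the timeline short
    return [
        Pool("alice-static", ANY_THEATER, frozenset({"alice"}), ["10.10.0.7/32"], 3600, 600),
        Pool("emea-theater", "Africa, Europe & Middle East", frozenset(), ["10.20.0.0/24"], 3600, 600),
    ]


def run_scenario():
    emea = "Africa, Europe & Middle East"
    alloc = Allocator(example_pools())
    fmt = lambda ip: None if ip is None else str(ip)
    return {
        "alice_t0": fmt(alloc.allocate("alice", emea, 0)),       # /32 rule matches first
        "bob_t0": fmt(alloc.allocate("bob", emea, 0)),           # falls through to the /24
        "bob_na_t0": fmt(alloc.allocate("bob", "North America", 0)),  # no pool matches
        "carol_t3700": fmt(alloc.allocate("carol", emea, 3700)), # bob's lease in grace: skipped
        "alice_t3800": fmt(alloc.allocate("alice", emea, 3800)), # alice reclaims her /32 in grace
        "dave_t4300": fmt(alloc.allocate("dave", emea, 4300)),   # bob's grace over: address freed
        "bob_t4400": fmt(alloc.allocate("bob", emea, 4400)),     # bob gets a new address
    }


if __name__ == "__main__":
    for step, ip in run_scenario().items():
        print(f"{step}: {ip}")
```

The timeline is the point of the example: carol at t=3700 cannot take bob's address because it is in grace, but dave at t=4300 can, and bob himself then gets a different address. In a real deployment the same window is what keeps an IP-based security policy rule pointing at the intended user, so lease and grace periods should be chosen with that policy in mind.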

Configure Static IP Address Allocation

To configure static IP address allocation in a Mobile Users—GlobalProtect deployment, complete these steps.
  1. Go to Workflows > Prisma Access Setup > GlobalProtect and click the gear to highlight the Infrastructure Settings.
  2. Add a Client IP Pool for the static IP addresses.
  3. (Optional) Assign a static IP address to a user.
    1. Give the IP address pool a unique Name.
    2. Select Any of the Theatres to give a user access to all Prisma Access theaters, or, to restrict a single user to a specific theater, select the theater from the drop-down.
    3. Select a user from the list of Users.
    4. In the IP Pools area, enter a pool with a prefix of /32.
      This is the IP address that Prisma Access assigns to the user.
    5. (Optional) Enter a Lease Period and a Grace Period for the user-to-IP address mapping.
    6. Save your changes.
  4. (Optional) Create an IP address pool based on a theater and, optionally, users.
    You can create these types of IP address and user-based pools:
    • Enter a theater and don't specify a user. In this case, Prisma Access provides an IP address to any GlobalProtect user who logs in to that theater.
    • Enter a theater of Any (Worldwide) and enter specific users to match the IP address pool you specify. In this case, Prisma Access provides an IP address to any user who matches the users in the list.
    • Enter a specific theater and enter specific users to match the IP address pool you specify. In this case, Prisma Access provides an IP address to any user who logs in from that theater and matches the users in the list.
    1. Give the IP address pool a unique Name.
    2. Select the theater to which you want to restrict access, or select Any (Worldwide) to match users from all theaters.
    3. (Optional) Select one or more users from the list of Users.
    4. Add one or more IP Pools with a prefix between /24 and /32.
      These are the addresses that Prisma Access assigns to the user and theater. Since a /32 would provide only one IP address, we recommend a minimum subnet of /30.
    5. If you assigned one or more users to the IP address pool, assign a Lease Period and a Grace Period for the user-to-IP address mapping.
      Enter the time in seconds. The Lease Period is the amount of time the user-to-IP address mapping is valid after you allocate it.
      • The default lease period is 86400 seconds (one day).
      • The minimum lease period is 3600 seconds (one hour).
      • The maximum lease period is 7776000 seconds (90 days).
      The Grace Period is the amount of time that, after a lease period expires, Prisma Access retains that address without assigning it to another user.
      • The default grace period is 14400 seconds (4 hours).
      • The minimum grace period is 60 seconds.
      • The maximum grace period is 7776000 seconds (90 days).
    6. Save your changes and Push the configuration changes.
  5. Verify your changes by going to GlobalProtect > Settings on the client machine, viewing the Tunnel Statistics, and verifying the Assigned IP Address(es).
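Before pushing Client IP Pool profiles, it helps to check them against the limits the procedure states: a prefix length between /24 and /32, at most 10 prefixes and 256 users per profile, at most 7,000 profiles per tenant, lease and grace periods within their stated ranges and present whenever users are assigned, and a warning for a theater-only pool of /32 given the /30 recommendation. The checker below is an added example, not a Prisma Access tool or API; the profile dictionaries, their keys, and the sample addresses are constructed for the illustration.

```python
import ipaddress

# Limits taken from the guidelines and procedure on this page
LIMITS = {
    "max_profiles_per_tenant": 7000,
    "max_prefixes_per_profile": 10,
    "max_users_per_profile": 256,
    "min_prefixlen": 24,
    "max_prefixlen": 32,
    "lease_period": (3600, 7776000),    # one hour to 90 days
    "grace_period": (60, 7776000),      # one minute to 90 days
}


def validate_profile(profile):
    """Return a list of findings for one constructed Client IP Pool profile dict."""
    findings = []
    name = profile.get("name", "<unnamed>")
    prefixes = profile.get("ip_pools", [])
    users = profile.get("users", [])

    if not prefixes:
        findings.append(f"{name}: profile has no IP pools")
    if len(prefixes) > LIMITS["max_prefixes_per_profile"]:
        findings.append(f"{name}: {len(prefixes)} prefixes exceeds the limit of "
                        f"{LIMITS['max_prefixes_per_profile']}")
    for prefix in prefixes:
        try:
            # strict=True rejects a prefix whose host bits are set (e.g. 10.30.0.9/24)
            net = ipaddress.ip_network(prefix, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: invalid prefix {prefix!r} ({exc})")
            continue
        if not LIMITS["min_prefixlen"] <= net.prefixlen <= LIMITS["max_prefixlen"]:
            findings.append(f"{name}: prefix {prefix} is outside the supported /24 to /32 range")
        elif net.prefixlen == 32 and not users:
            findings.append(f"{name}: theater-only pool {prefix} provides a single address; "
                            f"a /30 or larger subnet is recommended")

    if len(users) > LIMITS["max_users_per_profile"]:
        findings.append(f"{name}: {len(users)} users exceeds the limit of "
                        f"{LIMITS['max_users_per_profile']}")
    if users:
        # Lease and grace periods are required when users are assigned to the pool
        for key in ("lease_period", "grace_period"):
            low, high = LIMITS[key]
            value = profile.get(key)
            if value is None:
                findings.append(f"{name}: {key} is required when users are assigned")
            elif not low <= value <= high:
                findings.append(f"{name}: {key} {value} is outside {low}-{high} seconds")
    return findings


def validate_tenant(profiles):
    """Validate every profile plus the per-tenant profile count."""
    findings = []
    if len(profiles) > LIMITS["max_profiles_per_tenant"]:
        findings.append(f"tenant: {len(profiles)} profiles exceeds the limit of "
                        f"{LIMITS['max_profiles_per_tenant']}")
    for profile in profiles:
        findings.extend(validate_profile(profile))
    return findings


# Constructed sample profiles: one clean, two with deliberate mistakes
GOOD_USER_PROFILE = {
    "name": "alice-static", "theater": "Any (Worldwide)", "users": ["alice"],
    "ip_pools": ["10.10.0.7/32"], "lease_period": 86400, "grace_period": 14400,
}
BAD_PREFIX_PROFILE = {
    "name": "emea-pool", "theater": "Africa, Europe & Middle East", "users": [],
    "ip_pools": ["10.20.0.0/16", "10.30.0.9/24", "10.40.0.1/32"],
}
BAD_PERIOD_PROFILE = {
    "name": "team-pool", "theater": "Any (Worldwide)", "users": ["u1", "u2"],
    "ip_pools": ["10.50.0.0/30"], "lease_period": 600,
}

if __name__ == "__main__":
    for line in validate_tenant([GOOD_USER_PROFILE, BAD_PREFIX_PROFILE, BAD_PERIOD_PROFILE]):
        print(line)
```

Running this on the three sample profiles reports nothing for the per-user /32 profile, three findings for the theater profile (a /16 outside the supported range, a /24 with host bits set, and a /32 that yields only one address), and two for the team profile (a lease below the one-hour minimum and a missing grace period).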