IP Optimization for Mobile Users—GlobalProtect Deployments

IP Optimization provides a simpler, deterministic public IP address allow listing experience, improved resiliency, and faster onboarding of Prisma Access tenants.
Where Can I Use This?
  • Prisma Access (Managed by Panorama)
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access license
  • Prisma Access version 5.0 or later
IP Optimization is a set of architectural enhancements that reduce the overall number of IP addresses in your deployment, simplifying your allow listing workflows while improving resiliency and enabling faster onboarding of Prisma Access tenants.
  • Simpler Public IP Address Allow Listing for Mobile Users—GlobalProtect Deployments: Adding a Prisma Access location or experiencing a scaling event at an existing Prisma Access location could lead to new IP addresses being allocated to the mobile user security processing node (MU-SPN). It's a best practice to retrieve the new egress and gateway IP addresses that Prisma Access assigns and add them to an allow list in your network to avoid SaaS application or corporate firewall disruption. This can result in a situation where you're managing a large number of IP addresses. IP Optimization reduces the number of IP addresses you have to manage.
  • Faster Onboarding of Prisma Access Tenants: Without IP Optimization, you’d need to assign unique private IP addresses to each device across Prisma Access and your private networks, requiring you to allocate large IP blocks from your limited corporate routable IP address space. IP Optimization lets Prisma Access allocate addresses from a shared address space by default and NAT private application traffic.
IP Optimization is for new Prisma Access GlobalProtect deployments only. Existing GlobalProtect deployments are not eligible, including new tenants you create from an existing multitenant deployment. In addition, if you migrate your GlobalProtect deployment from using on-premises gateways and portals to Prisma Access, be sure that all users are running a GlobalProtect app version of 6.1.4 and later, 6.2.3 and later, or 6.3.0 and later before enabling this functionality.
Make a note of the following additional requirements for IP Optimization:
  • IP Optimization requires Prisma Access 5.0 or later for Mobile Users optimization, and can be enabled when you set up GlobalProtect for the first time.
  • When you set up GlobalProtect for the first time, you’ll be asked whether or not you want to enable Prisma Access IP Optimization.
  • IP Optimization deployments do not support IPv6 for access to public (external) apps; private app access is supported. To enable IPv6 for your new Prisma Access deployment, reach out to your Palo Alto Networks account team, who will open a TAC case to accommodate the request.
  • The API to retrieve Prisma Access IP addresses continues to work as it always has, even with IP Optimization enabled.
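
The allow-listing practice described above (retrieve the egress and gateway addresses that Prisma Access assigns, then add them to your allow list) can be checked mechanically. The following is an added example, not Palo Alto Networks code: it compares a retrieved address list against an existing allow list and reports addresses that are not yet covered, plus entries that cover no current address so they can be reviewed. The JSON shape, the function names `parse_allow_list` and `allow_list_drift`, and every sample address are assumptions constructed for illustration; the script does not call the Prisma Access API.

```python
import ipaddress
import json

# Constructed sample: an ASSUMED shape for a retrieved address list.
# Addresses come from documentation ranges (RFC 5737), not real Prisma Access IPs.
SAMPLE_RESPONSE = json.loads("""
{"result": [
  {"zone": "example-location-1", "addresses": ["192.0.2.10", "192.0.2.11"]},
  {"zone": "example-location-2", "addresses": ["198.51.100.7", "203.0.113.45"]}
]}
""")

# Constructed sample: what the corporate firewall or SaaS allow list holds today.
SAMPLE_ALLOW_LIST = ["192.0.2.0/28", "198.51.100.7", "203.0.113.99/32"]


def parse_allow_list(entries):
    """Parse allow-list entries (single IPs or CIDRs) into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def allow_list_drift(response, allow_entries):
    """Return (missing, stale).

    missing: {zone: [addresses]} that were assigned but no allow-list entry covers.
    stale:   allow-list entries that cover none of the retrieved addresses.
    """
    networks = parse_allow_list(allow_entries)
    used = set()
    missing = {}
    for item in response.get("result", []):
        for raw in item.get("addresses", []):
            addr = ipaddress.ip_address(raw)
            covering = [n for n in networks if addr.version == n.version and addr in n]
            if covering:
                used.update(covering)
            else:
                missing.setdefault(item.get("zone", "unknown"), []).append(str(addr))
    stale = sorted(str(n) for n in networks if n not in used)
    return missing, stale


if __name__ == "__main__":
    missing, stale = allow_list_drift(SAMPLE_RESPONSE, SAMPLE_ALLOW_LIST)
    print("not yet allow-listed:", missing)
    print("entries matching no current address:", stale)
```

Adapt the extraction inside `allow_list_drift` to the response your tenant's IP retrieval actually returns before relying on the result.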