IP Address Pools in a Mobile User—GlobalProtect Deployment
Focus
Focus

IP Address Pools in a Mobile User—GlobalProtect Deployment

Table of Contents

IP Address Pools in a Mobile User—GlobalProtect Deployment

Make sure that you have specified an IP address pool that allows enough coverage for the mobile users in your organization. It is important to remember that each unique user can use multiple devices to connect to Prisma Access at the same time, and each connected device requires a unique IP address from the pool. The addresses in this pool must not overlap with other address pools you use internally or with the IP subnet you assign when you Enable the Service Infrastructure.
We recommend that the number of IP addresses in the pool is 2 times the number of mobile user devices that will connect to Prisma Access. If your organization has a bring your own device (BYOD) policy, or if a single user has multiple user accounts, make sure that you take those extra devices and accounts into consideration when you allocate your IP pools. If your pool space is limited, you can specify a smaller address pool; however, if your IP address pool reaches its limit, additional mobile user devices will not be able to connect.
In Panorama, the UI validates that you enter valid IP subnets (for example, if you enter a pool with a subnet of less than /23, it will prompt you to change it). However, it does not check to ensure that you have allocated sufficient IP addresses for your deployment.
This validation is not available if you configure locations using CLI. If you deploy all locations using CLI, we recommend that you add a /18 address in the Worldwide pool for mobile users.
Prisma Access checks your configuration to make sure that you have specified the following minimum IP address pool:
  • A minimum of /23 (512 IP addresses) is required for either a Worldwide or regional address pool.
  • If you do not onboard any Prisma Access gateways in a region, an IP address pool for that region is not required. For example, if you specify gateways in the US East, US Northwest, and US Northeast locations, you need to only specify an IP address pool for the North America & South America region. Conversely, if you enable mobile user locations in Europe without specifying either a Worldwide address pool or an IP address pool in Africa, Europe, & Middle East, your deployment will fail.
  • If you specify a mix of Worldwide and regional pools, Prisma Access uses the IP pools in the region first. If regional pools are exhausted, Prisma Access will take IP address blocks from the Worldwide pool, which allows you to configure extra IP addresses in the Worldwide IP address pool to function as a fallback pool.
    If you specify more than one block of IP address pools, Prisma Access uses the pools in the order that you entered them during mobile user setup.