IP Address Pools in a Mobile User—GlobalProtect Deployment
Make sure that you have specified an IP address pool
that allows enough coverage for the mobile users in your organization.
It is important to remember that each unique user can use multiple
devices to connect to Prisma Access at the same time, and each connected
device requires a unique IP address from the pool. The addresses
in this pool must not overlap with other address pools you use internally
or with the IP subnet you assign when you
Enable
the Service Infrastructure.
We recommend that the number of IP addresses in the pool is 2
times the number of mobile user devices that will connect to Prisma
Access. If your organization has a bring your own device (BYOD)
policy, or if a single user has multiple user accounts, make sure
that you take those extra devices and accounts into consideration
when you allocate your IP pools. If your pool space is limited,
you can specify a smaller address pool; however, if your IP address
pool reaches its limit, additional mobile user devices will not
be able to connect.
In Panorama, the UI validates that you enter valid IP subnets
(for example, if you enter a pool with a subnet of less than /23,
it will prompt you to change it). However, it does not check to
ensure that you have allocated sufficient IP addresses for your
deployment.
This validation is not available if you configure locations
using CLI. If you deploy all locations using CLI, we recommend that
you add a /18 address in the Worldwide pool for mobile users.
Prisma Access checks your configuration to make sure that you
have specified the following minimum IP address pool:
A minimum of /23 (512 IP addresses) is required for either
a Worldwide or regional address pool.
If you do not onboard any Prisma Access gateways in a region,
an IP address pool for that region is not required. For example,
if you specify gateways in the US East, US Northwest, and US Northeast
locations, you need to only specify an IP address pool for the North
America & South America region. Conversely, if you enable mobile
user locations in Europe without specifying either a Worldwide address
pool or an IP address pool in Africa, Europe, & Middle East,
your deployment will fail.
If you specify a mix of Worldwide and regional pools, Prisma
Access uses the IP pools in the region first. If regional pools
are exhausted, Prisma Access will take IP address blocks from the
Worldwide pool, which allows you to configure extra IP addresses
in the Worldwide IP address pool to function as a fallback pool.
If
you specify more than one block of IP address pools, Prisma Access
uses the pools in the order that you entered them during
mobile user setup.