Learn how to pre-allocate IP addresses so you can add them to your allow lists.

Prisma Access uses gateway and portal IP addresses for Mobile Users—GlobalProtect deployments, and authentication cache service (ACS) and network load balancer IP addresses for Mobile Users—Explicit Proxy deployments. Mobile Users—GlobalProtect IP addresses are known as egress IP addresses. If you need a location's mobile user IP addresses before you onboard it (for example, if your organization needs to add the IP addresses for Mobile Users—GlobalProtect deployments to allow lists to give mobile users access to external SaaS applications), you can run an API script to have Prisma Access pre-allocate these IP addresses for the location ahead of time. You can then add the location’s egress IP addresses to your organization’s allow lists before onboarding the location.

The API response also includes the public IP subnets for the egress IP addresses for the requested location. The egress IP addresses of any locations you add are part of these subnets. Adding the subnets to your allow lists covers future location additions without further allow list modification.

Prisma Access does not pre-allocate your IP addresses and subnets unless you request them using the API script. After you run the pre-allocation script, the pre-allocated IP addresses and subnets have a validity period of 90 days. The IP addresses that Palo Alto Networks provides you are unique, not shared, and dedicated to your Prisma Access deployment during the validity period. You must onboard your locations before the validity period ends or you lose the addresses. To find the validity period at any time, run the API script.

Palo Alto Networks recommends that you pre-allocate IP addresses only for locations that you want to onboard later.
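
The following is an added example, not Palo Alto Networks code: given the egress IP addresses and subnets returned for a location, it reports which of them your allow list does not yet cover and how many days of the 90-day validity period remain. The input lists and dates are constructed sample values and the function names are hypothetical. Counting the 90 days from the day the script was run is an assumption; the API script reports the actual validity period.

```python
import ipaddress
from datetime import date, timedelta

VALIDITY_DAYS = 90  # validity period of a pre-allocation, as stated above


def _covered(net, allow_nets):
    # subnet_of() raises TypeError on mixed IPv4/IPv6, so compare versions first.
    return any(net.version == a.version and net.subnet_of(a) for a in allow_nets)


def audit_allow_list(allow_list, egress_ips, egress_subnets):
    """Return what the allow list still lacks for a pre-allocated location."""
    allow_nets = [ipaddress.ip_network(e, strict=False) for e in allow_list]
    subnets = [ipaddress.ip_network(s) for s in egress_subnets]
    ips = [ipaddress.ip_address(i) for i in egress_ips]
    return {
        # Egress IPs that no allow-list entry contains.
        "missing_ips": [str(i) for i in ips
                        if not any(i in a for a in allow_nets)],
        # Subnets not fully covered; future locations would need another change.
        "missing_subnets": [str(s) for s in subnets
                            if not _covered(s, allow_nets)],
        # Egress IPs outside every reported subnet: the input is inconsistent.
        "ips_outside_subnets": [str(i) for i in ips
                                if not any(i in s for s in subnets)],
    }


def days_until_expiry(allocated_on, today):
    """Days left before un-onboarded addresses are lost (negative if lapsed).

    Assumption: the 90 days are counted from the day the script was run.
    """
    return (allocated_on + timedelta(days=VALIDITY_DAYS) - today).days


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges), not real output.
    report = audit_allow_list(
        allow_list=["198.51.100.10/32", "203.0.113.0/24"],
        egress_ips=["198.51.100.10", "198.51.100.11"],
        egress_subnets=["198.51.100.0/24"],
    )
    print(report)
    print(days_until_expiry(date(2024, 1, 1), today=date(2024, 3, 1)))
```

An empty `missing_subnets` list means later locations drawn from the same subnets need no further allow list change.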

To pre-allocate IP addresses, complete the following task.