How the GlobalProtect App Selects a Prisma Access Location for Mobile Users

When a mobile user connects to a Prisma Access location, the GlobalProtect app uses the following selection process to determine the location to which it connects.
You enable the mobile user locations where you want Prisma Access to be present during mobile user onboarding. If you do not select a location during onboarding, Prisma Access does not use it in your deployment.
  • If the mobile user connects in a country that has a Prisma Access location, the user connects to the location in that country.
  • If the mobile user cannot connect to an in-country location for any reason, Prisma Access connects the user to one of the following mobile user locations, based on region.
    • Asia, Australia & Japan: Hong Kong, Japan Central, or Japan South
    • Africa, Europe & Middle East: Netherlands Central
    • North America & South America: US Northwest
    Palo Alto Networks recommends that you enable at least one of these locations in their respective regions during mobile user onboarding to provide redundancy. If you have mobile users who connect to Prisma Access from a country that does not have a Prisma Access location, you must enable at least one of the fallback locations in the preceding list.
    The Hong Kong, Japan Central, Japan South, Netherlands Central, and US Northwest locations can accept client connections from anywhere and are known as global fallback locations. In addition to these locations, you can enable one or more of the following locations, which also act as global fallback locations:
    • Bahrain
    • France North
    • Ireland
    • South Africa West
    • South Korea
  • Palo Alto Networks recommends that you enable locations in more than one compute location for redundancy purposes.
  • If you use on-premises gateways with Prisma Access locations, you can specify priorities in Prisma Access to let mobile users connect to either a specific on-premises GlobalProtect gateway or a Prisma Access location.
  • When mobile users connect, the GlobalProtect app does not use the following Prisma Access locations in the automatic gateway selection process, even if you selected the Prisma Access locations in the plugin during onboarding. However, mobile users can still manually select one of these locations and set it as a preferred location (gateway) as long as you allow them to manually select those locations during mobile user onboarding:
    • Australia: Australia East
    • Brazil: Brazil East and Brazil Central
    • France: France South
    • Germany: Germany North and Germany South
    • India: India South
    • Mexico: Mexico West
    • Netherlands: Netherlands South
    • Pakistan: Pakistan West
    • Russia: Russia Northwest
    • Spain: Spain East
    You might have to change your Connect Method to On-Demand for the mobile user to manually connect to a gateway.