Add a New Compute Location for a Deployed Prisma Access Location

Learn about how IP addresses change and how to use a new compute location for an existing location.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
To optimize performance and improve latency, Prisma Access can introduce new compute locations for locations you have already deployed as part of a plugin upgrade. When you upgrade the plugin, the existing compute location-to-location mapping does not change, but you can choose to take advantage of the new compute location. If you change the compute location, Prisma Access changes the gateway and portal IP addresses (for mobile users) and service endpoint addresses (for remote networks) for the location or locations to which the new compute location is associated. If you use allow lists in your network to provide users access to internet resources such as SaaS applications or publicly accessible partner applications, you need to add these new IP addresses to your allow lists.
To upgrade to a new compute location after it becomes available, complete the following task.
Since you need to allow time to delete and add the existing location and change your allow lists (for mobile users) or peer IPSec tunnel IP address (for remote network deployments), Palo Alto Networks recommends that you schedule a compute location change during a maintenance window or during off-peak hours.
To reduce downtime for mobile user deployments, use the API to pre-allocate the new mobile user gateway and portal IP addresses before you perform these steps.
  1. (Remote Network deployments that allocate remote network bandwidth by compute locations only) Add bandwidth for the new remote network compute locations.
    1. Go to the area where you allocate bandwidth for remote network locations.
      • For Prisma Access (Managed by Strata Cloud Manager) deployments, go to Configuration > NGFW and Prisma Access > Configuration Scope > Remote Networks > Bandwidth Management.
      • For Prisma Access (Managed by Panorama) deployments, go to Panorama > Cloud Services > Configuration > Remote Networks and click the gear icon in the Bandwidth Allocation area.
    2. Add bandwidth for the new compute location.
    3. Wait for the bandwidth to be reflected in the total bandwidth; then, click OK.
  2. (Mobile User deployments only) Retrieve the new gateway and portal IP addresses using the API script and add them to your allow lists.
  3. Delete the Service Connection, Remote Network connection, or Mobile User location associated with the new compute location.
  4. Push config (for Prisma Access (Managed by Strata Cloud Manager) deployments) or Commit and Push (for Prisma Access (Managed by Panorama) deployments).
  5. Re-add the locations you just deleted.
  6. Perform another Push Config or Commit and Push.
  7. (Remote Network and Service Connection deployments only) Change your CPE to point to the new IP addresses for the IPSec tunnel for the remote network connection or service connection and configure the new Service Endpoint Address as the peer FQDN or address for the remote network IPSec tunnel on your CPE.
    When you delete and re-add a remote network connection, the IP address of the IPSec tunnel on the Prisma Access side changes.
    To find your service endpoint address for remote networks:
    • For Prisma Access (Managed by Strata Cloud Manager) deployments, go to Configuration > NGFW and Prisma Access > Configuration Scope > Remote Networks and make a note of the Service Endpoint Address.
    • For Prisma Access (Managed by Panorama) deployments, go to Panorama > Cloud Services > Status > Network Details > Remote Networks and make a note of the Service Endpoint Address.
    To find your service endpoint address for service connections:
    • For Prisma Access (Managed by Strata Cloud Manager) deployments, go to Configuration > NGFW and Prisma Access > Configuration Scope > Service Connections and make a note of the Service Endpoint Address.
    • For Prisma Access (Managed by Panorama) deployments, go to Panorama > Cloud Services > Status > Network Details > Service Connection and make a note of the Service Endpoint Address.
  8. (Mobile User Deployments Only) After a location is remapped, retrieve the new Gateway FQDN and add it to your SAML provider's authentication configuration.
    If a mobile users location is remapped, the gateway FQDN might change after the infrastructure upgrade that causes the remapping, which could cause issues with SAML authentication. To find the gateway name:
    • In Prisma Access (Managed by Strata Cloud Manager), select Configuration > NGFW and Prisma Access > Configuration Scope > Prisma Access > GlobalProtect > GlobalProtect Setup > Infrastructure > Infrastructure Settings, click the gear to view the Infrastructure Settings, and copy the renamed gateway in the Gateway FQDNs area.
    • In Prisma Access (Managed by Panorama), select Panorama > Cloud Services > Status > Network Details > Mobile Users—GlobalProtect and copy the renamed gateway in the Gateway FQDN area.
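
For the allow-list update in step 2, the following added example (not part of the Palo Alto Networks documentation or its API script) compares an existing allow list with the gateway and portal addresses returned for one location and reports what is missing before the cutover. The reply layout, field names, service-type strings and addresses are constructed assumptions; match them to what the API returns for your tenant.

```python
import ipaddress

# Constructed sample reply; field names and service types are assumptions.
SAMPLE_RESPONSE = {
    "status": "success",
    "result": [
        {"zone": "US East", "address_details": [
            {"address": "198.51.100.10", "serviceType": "gp_gateway", "addressType": "active"},
            {"address": "198.51.100.11", "serviceType": "gp_portal", "addressType": "active"},
            {"address": "203.0.113.20", "serviceType": "gp_gateway", "addressType": "reserved"},
            {"address": "203.0.113.30", "serviceType": "remote_network", "addressType": "active"},
        ]},
        {"zone": "US West", "address_details": [
            {"address": "192.0.2.40", "serviceType": "gp_gateway", "addressType": "active"},
        ]},
    ],
}

MOBILE_USER_SERVICES = {"gp_gateway", "gp_portal"}


def addresses(response, zone=None, services=None):
    """Collect addresses from the reply, optionally filtered by zone and service."""
    if response.get("status") != "success":
        raise ValueError("API reply did not report success")
    found = set()
    for entry in response.get("result", []):
        if zone is not None and entry.get("zone") != zone:
            continue
        for detail in entry.get("address_details", []):
            if services is None or detail.get("serviceType") in services:
                # ip_address() raises ValueError on malformed input.
                found.add(ipaddress.ip_address(detail["address"]))
    return found


def allow_list_delta(allow_list, response, zone):
    """Return (addresses to add for zone, entries matching nothing in the reply)."""
    networks = [ipaddress.ip_network(item, strict=False) for item in allow_list]
    wanted = addresses(response, zone, MOBILE_USER_SERVICES)
    to_add = sorted(a for a in wanted if not any(a in n for n in networks))
    # Entries covering no address in any location are review candidates once
    # the change is complete, not automatic deletions.
    everything = addresses(response)
    stale = [str(n) for n in networks if not any(a in n for a in everything)]
    return [str(a) for a in to_add], stale
```

Run it against the reply retrieved before the maintenance window so the new addresses are in place first, and review the second list only after the final push has completed.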