Prisma Access
Allow Listing GlobalProtect Mobile Users (Strata Cloud Manager)
Learn how to find the IP addresses that you need to add to your network's allow lists.
Enable Prisma Access to display the egress
IP addresses for Prisma Access traffic. Use these IP addresses in
the IP allow lists for your SaaS applications, where you’re restricting
usage to authorized users or sources.
Retrieving IP addresses for Mobile Users—GlobalProtect Deployments: If you
have a Mobile Users—GlobalProtect deployment:
- You can retrieve the public IP addresses using the Prisma Access UI instead of using the API.
- If you have IPv6 enabled for your deployment, Prisma Access allocates an IPv6 subnet and uses addresses in that subnet for autoscale events instead of specific IPv6 addresses.
- Go to Workflows > Prisma Access Setup > GlobalProtect > Infrastructure and edit Prisma Access Locations settings.
- Display the IP addresses for Prisma Access locations.
  - Enable egress IP allow listing to display the IP addresses for onboarded Prisma Access locations.
- Copy and add the allocated IP addresses to the allow lists of your SaaS applications.
- Migrate to confirm the IP addresses allocated for the onboarded locations in Prisma Access.
- Retrieve the IP addresses for a newly-onboarded location or during an auto-scaling event. You can also retrieve the public IP addresses using the Prisma Access UI instead of using the API.
  - Select the Location name to find the new egress IP addresses allocated to the location.
  - Select Confirmed adding to my IP Allowlist to add these IP addresses to the allow lists for your SaaS applications before you confirm them in Prisma Access.
  - If you have IPv6 addresses, select Confirmed adding to my IPv6 Allowlist. Prisma Access provides you with an IPv6 subnet instead of specific IPv6 addresses.
  - Any check boxes that are grayed out indicate IP addresses that are already being used and you cannot add or remove them.
  - The Allocated ingress IP addresses are the ingress IP addresses you should add to your NGFW allow list or client endpoint policies.
- Push your changes to Prisma Access.
Statuses of Allocated Egress IP Addresses
Field: Status
- Provisioned—You have added the egress IP addresses to the allow lists of your SaaS applications, confirmed the IP addresses in Prisma Access, and pushed your changes to fully provision them.
- Partially Provisioned—You have added the first set of egress IP addresses, confirmed them in Prisma Access, and pushed your changes. However, Prisma Access has added another set of IP addresses as part of an autoscale event, and those IP addresses are not yet confirmed in Prisma Access.
- Not Provisioned—Prisma Access has allocated IP addresses for the location, and you have added the egress IP addresses to the allow lists of your SaaS applications and confirmed them in Prisma Access, but you have not yet onboarded this location.
- Can’t be Provisioned—You have onboarded this location, but have not yet confirmed in Prisma Access and pushed your changes.
Field: Autoscale Status
- Allowed—You have specified IP addresses as being added to the allow lists in the Prisma Access UI.
  Autoscale events affect all the onboarded locations in a compute location. When an autoscale event occurs for a location and you have not yet confirmed the addresses as being added to your allow lists, all locations in that compute location will show an Autoscale Status of Not Allowed.
- Not Allowed—You have not specified all IP addresses as being added to your allow lists in the Prisma Access UI, or you have not committed and pushed your changes after marking them as added. If Prisma Access triggers an autoscale event, Prisma Access won’t provision more IP addresses to add more capacity for the location.
  Every time that you add a location, or every time that Prisma Access adds IP addresses as a result of an autoscale event, you need to refresh the page that contains the Egress IP Allow List table, specify Added to My Allow List to mark the IP addresses as being added to your organization’s allow lists, and Commit and Push your changes.
To keep informed of any IP addresses that Prisma Access adds as a result of an autoscale event, you should set up a URL where Prisma Access will notify you of IP address changes.
The Egress IP Allowlists table also indicates the number of IP addresses that are confirmed and not yet confirmed in Prisma Access. For example, 1/2 means that one out of two IP addresses allocated for the location is confirmed in Prisma Access.
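Before marking addresses as confirmed, it helps to verify that every allocated egress address, including the IPv6 subnet, is actually covered by the SaaS allow list. The following is an added example, not Palo Alto Networks code: the location names, addresses and allow-list entries are constructed, and the `covered/total` string only mirrors the style of the table's counter for allow-list coverage.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, hypothetical locations.
ALLOCATED = {
    "US East": ["198.51.100.10", "198.51.100.11", "2001:db8:100::/64"],
    "Germany Central": ["203.0.113.20", "203.0.113.21"],
}
# Constructed SaaS allow list: single addresses and CIDR ranges.
SAAS_ALLOW_LIST = ["198.51.100.10/32", "203.0.113.16/28", "2001:db8:100::/48"]


def coverage(allocated, allow_list):
    """Return {location: (covered, total, missing)} for each location.

    An allocated entry counts as covered only when the whole address or
    subnet sits inside a single allow-list network of the same IP version.
    """
    allowed = [ipaddress.ip_network(a, strict=False) for a in allow_list]
    report = {}
    for location, entries in allocated.items():
        missing = []
        for entry in entries:
            net = ipaddress.ip_network(entry, strict=False)
            # Check the version first: subnet_of() raises on mixed v4/v6.
            ok = any(
                net.version == a.version and net.subnet_of(a) for a in allowed
            )
            if not ok:
                missing.append(entry)
        report[location] = (len(entries) - len(missing), len(entries), missing)
    return report


def summary(report):
    """Format each location as covered/total, e.g. 1/2."""
    return {loc: f"{c}/{t}" for loc, (c, t, _) in report.items()}


if __name__ == "__main__":
    rep = coverage(ALLOCATED, SAAS_ALLOW_LIST)
    for loc, (c, t, missing) in rep.items():
        print(f"{loc}: {c}/{t} covered; missing: {', '.join(missing) or 'none'}")
```

Any location that reports missing entries should have those addresses added to the SaaS allow list before they are confirmed and pushed in Prisma Access.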