Context-Driven IP Address Manager
Discover Context-Driven IP Address Manager for mobile users
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access version 6.2
  • GlobalProtect™ version 6.2.8-h9
  • Prisma Access Agent version 26.2.0.27
  • The Context-Driven IP Address Manager requires the Innovation release (12.1.8)
This is a Limited Availability release. To activate this functionality, reach out to your Palo Alto Networks account representative immediately upon Strata Cloud Manager activation.
The Context-Driven IP Address Manager feature supports the following with IPv4 addresses:
  • Mobile Users
  • Remote Networks
  • Service Connections
  • ZTNA Connectors
  • App Acceleration
In the global digital economy, export control compliance is a business imperative. Regulatory frameworks such as the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR) mandate strict oversight of how sensitive technology and data are accessed, specifically tied to user location and nationality.
In modern cloud environments, an export occurs the moment controlled data is electronically transmitted across a defined border. Because sensitive information often resides in hybrid environments across multiple jurisdictions, organizations must align access with both internal security policies and government mandates.
This creates two primary areas of continuous risk:
  • Geo-Location Policy Enforcement—Ensuring users only access data from approved locations and that data residency remains compliant. This is critical during international travel, where unauthorized access can inadvertently trigger a regulatory violation.
  • Sanctioned Region Enforcement—Maintaining absolute access restrictions for users connecting from sanctioned countries, regardless of their identity or credentials.
Historically, organizations have managed these challenges through a fragmented mix of VPN concentrators, firewalls, VRFs, and network access control lists (NACLs). This legacy approach leads to operational complexity and inconsistent enforcement.
Prisma SASE provides a unified, policy-driven architecture that simplifies compliance without compromising user experience. To help organizations meet evolving global demands, the Prisma Access Context-Driven IP Address Manager allows administrators to define granular policies that dynamically assign source IP addresses based on the combination of these three real-time factors:
  • User Geo-Location—The real-time physical location of the user’s device.
  • Prisma Access Location—The specific Prisma Access gateway (such as US-East, US-West) the user connects through.
  • User/Group Membership—The user’s authenticated identity and role within the organization.
Using the Prisma Access Context-Driven IP Address Manager, organizations can enforce the strictest export control requirements while ensuring a seamless experience for the modern, mobile workforce.

Configure a Context-Driven IP Pool

Use the following guidelines when configuring a context-driven IP pool for mobile users:
  • Number of context-driven IP pool profiles per tenant: 10K
  • IP prefixes per pool profile: 256
  • Users and user groups combined per IP pool profile: 50K
  • Users per group: 50K
  • Group membership per user: 32
  • Maximum IP pools per tenant: 50K
  • IP prefix length: /20
  • Custom geolocation prefix length: /12 to /32
  • Total number of users per tenant: 125K
  • Maximum IP addresses per tenant: 200K
  • Total number of user groups per tenant: 5K
Using the guidelines mentioned above, perform the following steps to configure a context-driven IP pool for mobile users.
  1. In Strata Cloud Manager, go to Configuration > NGFW and Prisma Access > Configuration Scope > GlobalProtect > Setup.
  2. Select Infrastructure > Infrastructure Settings and select the gear icon.
  3. From the Context-Aware Client IP Pool section, select Add IP Pool for the context-driven IP addresses.
  4. Create an IP Pool Profile. Under Match Criteria, select:
    • Locations—The user's Prisma Access gateway locations. Click Any or Select Theaters, Prisma Access Location Groups, or Prisma Access Locations.
    • Users—Identify the users. Click Any or Select Users or User Groups.
    • User Geo-Location—The user's physical location. Click Any or Select a Predefined or Custom geo-location.
  5. Give the new IP pool an ID. Under IP Pools, enter an IP address, and Save.
  6. Verify your changes by going to GlobalProtect > Settings, viewing the Tunnel Statistics, and verifying the Assigned IP Address(es).
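
A pre-flight check for a planned set of pool profiles against the guidelines above, as an added example (not Palo Alto Networks code or a Strata Cloud Manager format). The profile dictionary layout, the function names and the sample plan are assumptions made for illustration, and the overlap check is an addition of this example rather than a documented limit.

```python
import ipaddress

# Limits copied from the guidelines on this page.
MAX_PREFIXES_PER_PROFILE = 256
MAX_USERS_AND_GROUPS_PER_PROFILE = 50_000
GEO_PREFIXLEN_MIN, GEO_PREFIXLEN_MAX = 12, 32  # custom geolocation prefixes

def parse_ipv4_prefix(text, where, findings):
    """Return an IPv4Network, or None after recording why the prefix is unusable."""
    try:
        net = ipaddress.ip_network(text, strict=True)  # rejects host bits set
    except ValueError as exc:
        findings.append(f"{where}: invalid prefix {text!r} ({exc})")
        return None
    if net.version != 4:  # the feature is documented for IPv4 addresses
        findings.append(f"{where}: {text} is not IPv4")
        return None
    return net

def check_plan(profiles):
    """Check a planned list of pool profiles; the dict layout is hypothetical."""
    findings = []
    seen = []  # (network, profile id) for every pool prefix accepted so far
    for p in profiles:
        pid = p["id"]
        if len(p["prefixes"]) > MAX_PREFIXES_PER_PROFILE:
            findings.append(f"{pid}: {len(p['prefixes'])} prefixes, limit {MAX_PREFIXES_PER_PROFILE}")
        members = len(p.get("users", [])) + len(p.get("groups", []))
        if members > MAX_USERS_AND_GROUPS_PER_PROFILE:
            findings.append(f"{pid}: {members} users+groups, limit {MAX_USERS_AND_GROUPS_PER_PROFILE}")
        for text in p["prefixes"]:
            net = parse_ipv4_prefix(text, f"{pid} pool", findings)
            if net is None:
                continue
            # Added check: shared space means a source IP no longer maps to one context.
            for other, other_pid in seen:
                if net.overlaps(other):
                    findings.append(f"{pid} pool: {net} overlaps {other} in {other_pid}")
            seen.append((net, pid))
        for text in p.get("custom_geo_prefixes", []):
            net = parse_ipv4_prefix(text, f"{pid} geo", findings)
            if net is not None and not GEO_PREFIXLEN_MIN <= net.prefixlen <= GEO_PREFIXLEN_MAX:
                findings.append(f"{pid} geo: {net} length outside /{GEO_PREFIXLEN_MIN}-/{GEO_PREFIXLEN_MAX}")
    return findings

# Constructed sample plan (private and documentation address ranges only).
SAMPLE = [{"id": "us-eng", "prefixes": ["10.10.0.0/20"], "groups": ["eng"], "custom_geo_prefixes": ["203.0.113.0/24"]},
          {"id": "eu-contract", "prefixes": ["10.10.8.0/21"], "users": ["c1"], "custom_geo_prefixes": ["100.0.0.0/8"]}]
```

Running check_plan(SAMPLE) reports the second profile twice: its pool overlaps the first profile's /20, and its custom geolocation prefix is shorter than /12.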