Learn about the benefits of using a static IP address for mobile users in a Mobile
Users—GlobalProtect deployment.
| Where Can I Use This? | What Do I Need? |
|---|---|
| Prisma Access (Managed by Strata Cloud Manager). This feature is available for new Prisma Access deployments only. | Prisma Access version 5.2.1; PAN-OS dataplane version 11.2.4, which includes Activity Insights, User Group, and Location Group support; GlobalProtect™ version 6.1.4. This is a Limited Availability release: to activate this functionality, reach out to your Palo Alto Networks account representative after activating the tenant. |
Some legacy networks use IP address-based authorization to restrict users' access to
internal or external resources. A Prisma Access Mobile Users—GlobalProtect
deployment assigns each user an IP address from the mobile users IP address pool you
assign during onboarding, and this user-to-IP address mapping can change on
subsequent logins. To keep the user-to-IP address mapping stable, Prisma Access lets you
assign static IP addresses to users. With this feature, you can allocate IP addresses
to users based on the User or User Group, along with Theater and Location Group.
You can enable the Static IP Address Allocation feature only
immediately after activating a new Prisma Access tenant. After you enable
this feature and the tenant is activated, the setting is fixed for the life of the tenant,
and you can't disable it.
To create an IP Pool Profile, use one or more of these criteria:
- A Theater—Allocate IP addresses based on the theater your users are
in. For example, you can create a /30 subnet for a specific theater. These
IP addresses are static for that theater, so you can control access to resources
by theater by creating Security policy rules that reference the IP addresses
you specify for that theater.
- A User—Allocate IP addresses based on a User-ID by configuring a /30
or /32 address in the mobile user IP address pool and using match criteria to
associate that user with an IP address. In this way, you assign a static IP
address that Prisma Access retains for a specific user, so you can keep your
existing IP address-based Security policy rules to control that user's access to
resources.
- A User Group—Allocate IP addresses based on the user group. A user who is a
member of the configured user group receives an IP address from the IP pool
subnet defined for that group.
- A Location Group—Allocate IP addresses based on the location group
defined in the IP Pool profile.
Use the following guidelines when allocating static IP addresses:
- If you specify multiple IP pools, Prisma Access evaluates the rules from top
to bottom and assigns IP addresses based on the first match in the list of
rules. Order the rules from most specific to least specific: a theater-level
rule placed above a user-level rule matches that user first, and the
user-level rule is never reached.
- Integrate your Prisma Access deployment with the Cloud Identity Engine if you want to
use User-ID or User Group as criteria to match IP pools.
- The following maximum allocations are supported per tenant:
  - 20,000 users
  - 5,000 user groups, with 50,000 users per user group
  - 10,000 IP address pool profiles
  - 10,000 IP address pools
- Prefix lengths from /23 to /32 are supported.
- For each Mobile User Client IP Pool profile you create:
  - Up to 10 IP prefixes are supported.
  - Up to 256 users are supported.
- Static IP addressing uses a Lease Period and a Grace Period to specify how long
Prisma Access keeps a user-to-IP address association.
  - The Lease Period is the amount of time the user-to-IP address mapping is valid
after you allocate it. The default lease period is 86400 seconds (24 hours), the
minimum is 3600 seconds (1 hour), and the maximum is 7776000 seconds (90 days).
  - The Grace Period is the amount of time that, after a lease period expires,
Prisma Access retains that user-to-IP address mapping without assigning it to
another user. The default grace period is 14400 seconds (4 hours), the minimum is
60 seconds, and the maximum is 7776000 seconds (90 days).
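To make the first-match ordering and the lease/grace timeline concrete, the following is a small Python model of the rules described on this page. It is an added example, not Palo Alto Networks or Prisma Access code: the PoolProfile, Login and Allocator names, the treatment of several criteria on one profile as all-required, lease renewal when a user logs in again, and the sample users and 10.10.x.x subnets are all assumptions made for the model. It does show what the text only states: a user-level profile listed below a theater-level one is shadowed, an address is kept for a returning user through lease plus grace, and after both expire the address can go to someone else.

```python
"""Model of the static IP allocation rules described on this page (added
illustration, not Palo Alto Networks code). PoolProfile, Login, Allocator and the
sample users and subnets are this model's own assumptions. It encodes the documented
behaviour: first match wins top to bottom, prefix lengths of /23 to /32, the
per-profile limits, and a user-to-IP mapping held for lease plus grace period."""
from collections import namedtuple
from dataclasses import dataclass, field
import ipaddress

LEASE_MIN, LEASE_DEFAULT, LEASE_MAX = 3600, 86400, 7776000   # seconds
GRACE_MIN, GRACE_DEFAULT, GRACE_MAX = 60, 14400, 7776000
MAX_PREFIXES_PER_PROFILE, MAX_USERS_PER_PROFILE = 10, 256

# What a GlobalProtect login presents to the allocator (field names are this model's).
Login = namedtuple("Login", "user groups theater location_group",
                   defaults=(frozenset(), "", ""))


@dataclass
class PoolProfile:
    name: str
    prefixes: list                               # CIDR strings, /23 .. /32
    users: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    theaters: set = field(default_factory=set)
    location_groups: set = field(default_factory=set)

    def __post_init__(self):
        if (not 1 <= len(self.prefixes) <= MAX_PREFIXES_PER_PROFILE
                or len(self.users) > MAX_USERS_PER_PROFILE):
            raise ValueError(f"{self.name}: at most 10 prefixes and 256 users per profile")
        self.networks = [ipaddress.ip_network(p) for p in self.prefixes]
        for net in self.networks:
            if not 23 <= net.prefixlen <= 32:
                raise ValueError(f"{self.name}: prefix length must be /23..32, got /{net.prefixlen}")

    def matches(self, login):
        # Every criterion set on the profile must match; unset ones are wildcards.
        # Treating several criteria as AND is an assumption of this model.
        return ((not self.users or login.user in self.users)
                and (not self.groups or bool(self.groups & login.groups))
                and (not self.theaters or login.theater in self.theaters)
                and (not self.location_groups or login.location_group in self.location_groups))

    def addresses(self):
        # Usable addresses in order; /31 and /32 yield every address in the prefix.
        for net in self.networks:
            yield from (net if net.prefixlen >= 31 else net.hosts())


class Allocator:
    def __init__(self, profiles, lease=LEASE_DEFAULT, grace=GRACE_DEFAULT):
        if not (LEASE_MIN <= lease <= LEASE_MAX and GRACE_MIN <= grace <= GRACE_MAX):
            raise ValueError("lease or grace period outside the documented range")
        self.profiles = list(profiles)            # list order is evaluation order
        self.lease, self.grace = lease, grace
        self.leases = {}                          # ip -> (user, lease_expiry, profile_name)

    def _reserved(self, ip, now):
        held = self.leases.get(ip)                # held until lease, then grace, run out
        return held is not None and now < held[1] + self.grace

    def allocate(self, login, now):
        """Return (profile_name, ip) for a login at time `now` (seconds)."""
        # A returning user keeps the address while lease or grace is still running;
        # the lease restarts on login (an assumption of this model).
        for ip, (user, _, profile) in list(self.leases.items()):
            if user == login.user and self._reserved(ip, now):
                self.leases[ip] = (user, now + self.lease, profile)
                return profile, ip
        # Otherwise the first matching profile, top to bottom, supplies the first free
        # address; a broad profile listed first shadows narrower ones below it.
        for profile in self.profiles:
            if profile.matches(login):
                for ip in profile.addresses():
                    if not self._reserved(ip, now):
                        self.leases[ip] = (login.user, now + self.lease, profile.name)
                        return profile.name, ip
                raise RuntimeError(f"{profile.name}: pool exhausted for {login.user}")
        return None


def demo():
    alice_static = PoolProfile("alice-static", ["10.10.0.5/32"], users={"alice"})
    finance_emea = PoolProfile("finance-emea", ["10.10.1.0/30"], groups={"finance"}, theaters={"EMEA"})
    emea_default = PoolProfile("emea-default", ["10.10.2.0/28"], theaters={"EMEA"})
    alloc = Allocator([alice_static, finance_emea, emea_default])
    lease, grace = alloc.lease, alloc.grace
    alice = Login("alice", frozenset({"finance"}), "EMEA")
    bob = Login("bob", frozenset({"finance"}), "EMEA")
    late = 2 * lease + 1000 + grace                     # bob's renewed lease and its grace are over
    out = {
        "alice": alloc.allocate(alice, 0),               # user criterion wins over group/theater
        "bob": alloc.allocate(bob, 0),                   # first host of the /30
        "carol": alloc.allocate(Login("carol", theater="EMEA"), 0),
        "bob_grace": alloc.allocate(bob, lease + 1000),  # lease over, grace running: same IP
        "dave": alloc.allocate(Login("dave", frozenset({"finance"}), "EMEA"), lease + 1000),
        "eve": alloc.allocate(Login("eve", frozenset({"finance"}), "EMEA"), late),
        "bob_late": alloc.allocate(bob, late),           # mapping released: bob gets what is free
        "shadowed": Allocator([emea_default, alice_static]).allocate(alice, 0),
    }
    return {k: (name, str(ip)) for k, (name, ip) in out.items()}
```

Run `demo()` and compare the "bob" and "bob_late" entries: the same user gets 10.10.1.1 at first login and keeps it while the grace period runs, but once lease plus grace have elapsed and another finance user has logged in, bob returns to a different address. Any Security policy rule that relied on 10.10.1.1 meaning "bob" would then apply to eve instead, which is why the lease and grace periods deserve the same attention as the pool definitions themselves.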