Mobile Users: IP Address Allocation
Focus
Focus
Prisma Access

Mobile Users: IP Address Allocation

Table of Contents

Mobile Users: IP Address Allocation

Learn about how Prisma Access allocated IP addresses for mobile user deployments.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Prisma Access license
After you set up your Prisma Access deployment, it is useful to know when IP addresses change so that you can pro-actively plan your infrastructure, retrieve the IP addresses, and add the required IP addresses to allow lists accordingly. The IP address changes can be the result of changes you made (for example, adding another mobile users location) or changes that Prisma Access performs automatically (for example, a large number of mobile users accesses a single Prisma Access gateway).
After you deploy Prisma Access for users for the first time, Prisma Access assigns two public and, if applicable, egress IP addresses for each portal and gateway. The public IP addresses are unique and not shared with any other Prisma Access deployment. If an IP address allocated to you by Palo Alto Networks remains unused for six months, it will be reclaimed. This includes IP addresses that were activated and then deactivated, and have remained deactivated for six months. For instance, if public IP addresses were allocated to your tenant for a specific location and that location was not enabled for six months, Prisma Access may reclaim those IP addresses. Similarly, if you onboarded and then deboarded a mobile user location, Palo Alto Networks can reclaim the IP address used for that location six months after deboarding.
If you have a multitenant setup, Prisma Access adds dedicated IP addresses for each tenant.
Since the public IP address is the source IP address used by Prisma Access for requests made to an internet-based destination, you may need to know what the public IP address are and add them to an allow list in your network to provide your users access to resources such as SaaS applications or publicly-accessible partner applications.
New public IP addresses can be added to the tenant if the following events occur:
  • A large number of mobile users access a location in the same location.
    To address the capacity requirement to service large number of users, Prisma Access may add one or more gateways, Prisma Access adds one or more gateways to accommodate the increased number of users, assigns one or more of the existing public IP addresses to the new gateway, and adds a new set of IP addresses to the mobile user locations to replace the ones that were used.
  • You add one or more locations to your deployment.
    When you add more locations, Prisma Access adds another gateway and a new set of IP addresses for each new location you add.
Because Prisma Access enables more public IP addresses after a scaling event and after you add a location, you should add an IP change event notification URL, or use the API to retrieve mobile user addresses, to be notified of IP address changes in your Prisma Access infrastructure. You can then add any added or changed addresses to an allow list.