Prisma Access Administration
  • Prisma Access Administration
  • Prisma Access Documentation
  • All Documentation
>
Retrieve the IP Addresses for Prisma Access (Panorama)
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access
  3. Prisma Access Administration
  4. Prisma Access Setup
  5. Retrieve the IP Addresses for Prisma Access
  6. Retrieve the IP Addresses for Prisma Access (Panorama)
Download PDF
Prisma Access

Retrieve the IP Addresses for Prisma Access (Panorama)

Table of Contents

Retrieve the IP Addresses for Prisma Access (Panorama)

Learn about the infrastructure IP addresses that are used with Prisma Access and how to retrieve them using the API command.
If you are manually adding IP addresses of your Prisma Access infrastructure to an allow list in your network, or if you are using an automation script to enforce IP-based restrictions to limit inbound access to enterprise applications, you should understand what these addresses do and why you need to allow them, as well as the tasks you perform to retrieve them.
Prisma Access does not provision these IP addresses until after you complete your Prisma Access configuration. After your deployment is complete, you retrieve these IP addresses using an API script. The API script uses an API key that you obtain from the Prisma Access UI and a .txt file you create which specifies the addresses you want to retrieve.
If you have a Mobile Users—GlobalProtect deployment, you can use the Prisma Access UI instead of this API to manage public IP address allocation and confirm that the IP addresses have been added to your allow lists before Prisma Access releases the IP addresses. In this way, Prisma Access only provisions the IP addresses that you have allow listed.
The following table provides you with a list of the IP address that Prisma Access uses for each deployment type, along with the keyword you use when you run the API script to retrieve the IP addresses, and describes whether or not you should add them to your organization’s allow lists.
Deployment TypeIP Address TypeDescription
Mobile Users—GlobalProtect Prisma Access gateway (gp_gateway)
Gateway IP addresses. You must add both gateway and portal IP addresses to allow lists for your mobile user deployments.
Mobile users connect to a Prisma Access gateway to access internal or internet resources, such as SaaS or public applications, for which you have provided access.
For mobile users, during initial deployment, Prisma Access assigns two IP addresses for each location you deploy.
Prisma Access portal (gp_portal)
Portal IP addresses. You must add both gateway and portal IP addresses to allow lists for your mobile user deployments.
Mobile users log in to the Prisma Access portal to receive their initial configuration and gateway location.
Network Load Balancer (network_load_balancer)
Ingress IP addresses (IP Optimization deployments only).
Loopback IP addresses
The source IP address used by Prisma Access for requests made to an internal source, and is assigned from the Configure the Prisma Access Service Infrastructure (Panorama). Add the loopback IP address to an allow list in your network to give Prisma Access to internal resources such as RADIUS or Active Directory authentication servers.
Palo Alto Networks recommends that you allow all the IP addresses of the entire infrastructure subnet in your network, because loopback IP addresses can change. To find the infrastructure subnet, select PanoramaCloud ServicesStatusNetwork DetailsService Infrastructure. The subnet displays in the Infrastructure Subnet area.
To retrieve loopback IP addresses, use the legacy API script.
Mobile Users—Explicit Proxy
Authentication Cache Service (ACS)
The address for the Prisma Access service that stores the authentication state of the explicit proxy users.
This address is only used for explicit proxy for mobile users.
Network Load Balancer
The address that Prisma Access uses for the network load balancer.
Remote NetworkRemote Network IP addresses (remote_network)
The Service IP Addresses that Prisma Access assigns for the Prisma Access remote network connection, and Remote Networks: Service IP Address and Egress IP Address Allocation that Prisma Access uses to make sure that remote network users get the correct default language for their region. Add these addresses to allow lists in your network to give Prisma Access to internet resources.
Loopback IP addresses
The source IP address used by Prisma Access for requests made to an internal source, and is assigned from the Configure the Prisma Access Service Infrastructure (Panorama). Add the loopback IP address to an allow list to give Prisma Access to internal resources such as RADIUS or Active Directory authentication servers. To retrieve loopback IP addresses, use the legacy API script.
Clean Pipe
Clean Pipe IP Addresses (clean_pipe)
Add these IP addresses to an allow list to give the Clean Pipe service access to internet resources.
Loopback IP addresses
The source IP address used by Prisma Access for requests made to an internal source, and is assigned from the Configure the Prisma Access Service Infrastructure (Panorama). Add the loopback IP address to an allow list to give Prisma Access to internal resources such as RADIUS or Active Directory authentication servers. To retrieve loopback IP addresses, use the legacy API script.

Run the API Script Used to Retrieve Prisma Access IP Addresses

Use the API script described here to retrieve the IP addresses that are required for your deployment.
Prisma Access provides an API script that you can use to retrieve the public and private IP addresses it uses in its infrastructure. If you need to add public IP addresses to allow lists in your organization’s network, use the following steps to retrieve these IP addresses with the API script.
This command does not retrieve loopback addresses; to retrieve loopback IP addresses, use the legacy API.
  1. Get the API key.
    You need this key to authenticate to Prisma Access and retrieve the list of IP addresses using the API command. Only a Panorama administrator or Superuser can generate or access this API key.
    1. Select PanoramaCloud ServicesConfigurationService Setup.
    2. Select Generate API Key.
      If you have already generated an API key, the Current Key displays. If you haven’t yet generated a key or want to replace the existing key to meet audit or compliance check for key rotation, click Generate New API Key for a new key.
  2. Create a .txt file and put the API command options in the file.
    Using the API the command to use is a two-step process. First, you create a .txt file, specifying the parameters for the IP addresses to retrieve, and save the file in a folder that is reachable from the location where you run the command. Then, you run the API and specify the name and location of the .txt file you created in the command.
    Specify the following keywords and arguments in the .txt file. See API Examples for Retrieving Prisma Access IP Addresses for examples. The examples in this document use a file name of option.txt but you can specify any file name, as long as you reference it in the command.
    Argument Possible choices (keywords)Comments
    serviceType
    all
    remote_network
    gp_gateway
    gp_portal
    clean_pipe
    swg_proxy
    rbi
    all—Retrieves IP addresses you need to add to an allow list for all service types (Remote Networks, Mobile Users (both gateways and portals), and Clean Pipe, as applicable to your deployment).
    remote_network—Retrieves IP addresses you need to add to an allow list for remote network deployments.
    gp_gateway—Retrieves the Mobile Users—GlobalProtect gateway IP addresses you need to add to an allow list for mobile user deployments.
    gp_portal —Retrieves the Mobile Users—GlobalProtect portal IP addresses you need to add to an allow list for mobile user deployments.
    clean_pipe—Retrieves the IP addresses you need to add to an allow list for clean pipe deployments.
    swg_proxy—Retrieves the egress IP addresses for each deployed Explicit Proxy location and the authentication cache service (ACS).
    rbi—Retrieves the egress IP addresses you need to add to an allow list for Remote Browser Isolation (RBI) deployments to connect to SaaS Applications.
    addrType
    all
    active
    service_ip
    auth_cache_service
    network_load_balancer
    all or active—Retrieves all the IP addresses you need to add to an allow list.
    This API does not retrieve loopback IP addresses. To retrieve loopback IP addresses, use the legacy API.
    service_ip—Retrieves the Service IP Address, which you use as the peer IP address when you set up the IPSec tunnel for the remote network connection.
    auth_cache_service—Retrieves the IP address for the explicit proxy ACS (applicable to Explicit Proxy deployments only).
    network_load_balancer—Retrieves the IP addresses for the network load balancer (applicable to Mobile Users—GlobalProtect with IP Optimization enabled and Mobile Users—Explicit Proxy deployments).
    If you have implemented IP Optimization (available with Prisma Access 5.0 and later), be sure you review the allow listing considerations and how to implement the gp_gateway and network_load_balancer IP addresses in your Mobile Users—GlobalProtect deployment.
    actionType
    pre_allocate
    Mobile User deployments only—An actionType of pre_allocate allows you to retrieve IP addresses or subnets for Prisma Access gateways and portals for mobile user deployments. Use this with a serviceType of gp_gateway to retrieve pre-allocated gateway IP addresses and a serviceType of gp_portal to retrieve pre-allocated portal IP addresses.
    Retrieving the pre-allocated IP addresses lets you add the gateway and portal IP addresses to your organization’s allow lists before you onboard mobile user locations, which in turn gives mobile users access to external SaaS apps immediately after you onboard the locations.
    location
    all
    deployed
    all—Retrieves the IP addresses from all locations. For mobile user deployments, this keyword retrieves the IP addresses for both locations you added during onboarding, and locations you did not add.
    deployed—Retrieves IP addresses in all locations that you added during mobile user onboarding.
    This keyword is applicable to mobile user deployments only. Prisma Access associates IP addresses for every mobile user location during provisioning, even if you didn’t select that location during mobile user onboarding. If you specify all, the API command retrieves the IP addresses for all mobile user locations, including ones you didn’t select for the deployment. If you specify deployed, the API command retrieves only the IP addresses for the locations you selected during onboarding.
    Specify the options in the .txt file in the following format:
      {
   "serviceType": "service-type",   
   "addrType": "address-type",
   "location": "location"
   }
  3. Enter the following command to retrieve the IP addresses:
    • To use the newer API that was introduced in Prisma Access 2.1, enter the following command:
        curl -X POST --data @option.txt -H header-api-key:Current-API-Key "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
      As of May 2023, some Panorama managed deployments use https://api.prod6.datapath.prismaaccess.com/getPrismaAccessIP/v2 (note the prod6 in the URL instead of prod).
    • To use the legacy API, enter the following command. This command uses a legacy API endpoint that will be deprecated in May 2022:
        curl -X POST --data @option.txt -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getPrismaAccessIP/v2"
    Where option.txt is the .txt file you created in a previous step and Current-API-Key is the Prisma Access API key.
    For example, given a .txt filename of option.txt and an API key of 12345abcde, use the following API command to retrieve the public IP address for all locations:
      curl -X POST --data @option.txt -H header-api-key:12345abcde "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
    The API command can return a large amount of information. To make the output more readable, if you have Python installed, you can add | python -m json.tool at the end of the cURL command.
    The API command returns the addresses in the following format: 
     {
   "result": [        
    {            
     "address_details": [
      {
        "address": "1.2.3.4"    
        "allow_listed": false
        "addressType": "address-type"
        "serviceType": "service-type"
         }
       ],
        "addresses": [
          "1.2.3.4"
        ]
        "zone": "zone-name",
      "zone_subnet": [zone-subnet
]
},
  "status": "success"
    Where:
    • address_details shows the details of the address for each location.
      • serviceType shows the type of IP address (either remote network (remote_network), Prisma Access gateway (gp_gateway), Prisma Access portal (gp_portal), Clean Pipe (clean_pipe), or Remote Browser Isolation (rbi).
      • addressType specifies the type of address specified with the addrType keyword (either active or pre-allocated if you're preallocating IP addresses for mobile user locations).
      • address shows the IP address you need to add to your allow lists.
        If the API returns multiple IP addresses, Prisma Access summarizes the IP addresses in the addresses field.
    • addresses lists all the IP addresses for the location that you need to add to your allow lists.
    • zone is the Prisma Access location associated with the IP addresses.
    • zone_subnet is the subnet for mobile user gateways and portals. Prisma Access also provides this subnet if you're preallocating IP addresses for mobile user locations.
    If there are any problems with the options in the .txt file, the API returns an error similar to the following: 
      {"status": "error","result": "Invalid json format in the request. trace_id: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx "}
  4. Update the allow lists on your on-premises servers or SaaS application policy rules with the IP addresses you retrieved.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.