Pre-Allocate IP Addresses for Prisma Access Mobile User Locations
Learn how to pre-allocate IP addresses so you can add them to your allow lists.

Prisma Access uses gateway and portal IP addresses for Mobile Users—GlobalProtect deployments, and authentication cache service (ACS) and network load balancer IP addresses for Mobile Users—Explicit Proxy deployments. Mobile Users—GlobalProtect IP addresses are known as egress IP addresses. If you need to pre-allocate mobile user IP addresses before you onboard the location (for example, if your organization needs to add the IP addresses for Mobile Users—GlobalProtect deployments to allow lists to give mobile users access to external SaaS applications), you can run an API script to have Prisma Access pre-allocate these IP addresses for a location ahead of time, before you onboard it. You can then add the location’s egress IP addresses to your organization’s allow lists before onboarding the location.

The API response also includes the public IP subnets for the egress IP addresses for the requested location. The egress IP addresses of any locations you add are part of this subnet. Adding the subnets to your allow lists provides for future location additions without further allow list modification.

Prisma Access does not pre-allocate your IP addresses and subnets unless you request them using the API script. After you run the pre-allocation script, they have a validity period of 90 days. The IP addresses that Palo Alto Networks provides you are unique, not shared, and dedicated to your Prisma Access deployment during the validity period. You must onboard your locations before the validity period ends or you lose the addresses; to find the validity period at any time, run the API script.

Palo Alto Networks recommends that you only pre-allocate IP addresses for locations that you want to onboard later.

To pre-allocate IP addresses, complete the following task.
- Retrieve the Prisma Access API key.
- Pre-allocate the mobile user egress IP addresses by creating a .txt file and entering one of the following request bodies in it:
  - Mobile Users—GlobalProtect Deployments:
    { "actionType": "pre_allocate", "serviceType": "gp_gateway", "location": ["location"] }
  - Mobile Users—Explicit Proxy Deployments:
    { "actionType": "pre_allocate", "serviceType": "swg_proxy", "location": ["location"] }
  Where location is the Prisma Access location or locations where you want to pre-allocate the IP addresses. To enter multiple locations, put the whole set in brackets, quote each location, and separate the entries with a comma and a space (for example, ["location1", "location2", "location3"]). Enter a maximum of 12 locations; entering more than 12 locations might cause timeout errors when Prisma Access retrieves the pre-allocated IP addresses.
- Enter the CURL command as shown in Step 3 in Run the API Script Used to Retrieve Prisma Access IP Addresses.
- Retrieve the IP addresses and subnets you requested, including their validity period, by re-opening the .txt file, removing the existing text, and entering one of the following:
  - Mobile Users—GlobalProtect Deployments:
    - To retrieve all pre-allocated IP addresses, enter the following text in the .txt file:
      { "serviceType": "all", "addrType": "pre_allocated", "location": "all" }
    - To retrieve all pre-allocated IP addresses for Prisma Access portals for a given location, enter the same text in the .txt file but substitute “gp_portal” for “all” as the serviceType.
  - Mobile Users—Explicit Proxy Deployments: To pre-allocate all IP addresses you need to add to allow lists for an explicit proxy deployment, enter the following text in the .txt file:
    { "actionType": "pre_allocate", "serviceType": "swg_proxy", "location": ["all"] }
  Palo Alto Networks recommends that you enter all so that you retrieve every pre-allocated egress IP address you need to add to your allow lists. For Mobile Users—GlobalProtect deployments, Prisma Access returns up to four addresses for each location (two gateway IP addresses and, if required, two portal IP addresses), so the API command can return a large amount of information. To make the output more readable, if you have Python installed, add | python -m json.tool at the end of the CURL command.
- Re-enter the CURL command as shown in Step 3 in Run the API Script Used to Retrieve Prisma Access IP Addresses to retrieve the pre-allocated addresses. Prisma Access returns the information in the following format:
  "result": [
    {
      "zone": "prisma-access-zone1",
      "addresses": ["ip-address1", "ip-address2"],
      "zone_subnet": ["subnet-and-mask1", "subnet-and-mask2"],
      "address_details": [
        { "address": "ip-address1", "service_type": "service-type", "addressType": "pre-allocated", "expiring_in": "validity-period" },
        { "address": "ip-address2", "service_type": "gp_gateway", "addressType": "pre-allocated", "validity_period_remaining": "90 days" }
      ]
    },
  Where the variables represent the following API command output:
  - prisma-access-zone1: The Prisma Access location for which pre-allocated IP addresses were retrieved.
  - ip-address1 and ip-address2: The egress IP addresses that Prisma Access has pre-allocated for the specified location. Prisma Access retrieves two IP addresses for each location; you must add both of these IP addresses to your allow lists.
  - subnet-and-mask1 and subnet-and-mask2: The subnets that Prisma Access has pre-allocated and reserved for the egress IP addresses in your deployment.
  - service-type: The type of the pre-allocated egress IP address (either gp_portal for a Prisma Access portal or gp_gateway for a Prisma Access gateway).
  - validity-period: The remaining time, in days, for which the pre-allocated IP address is valid.
  You must onboard your mobile user location before the IP addresses’ validity period ends. If the pre-allocated IP addresses expire, you can rerun the API script to retrieve another set of pre-allocated IP addresses.
  You could receive an error if you attempt to pre-allocate IP addresses for locations that meet one of the following criteria:
  - You have already onboarded the location.
  - You onboarded, then deleted the location. In this case, enter the following text in the .txt file to retrieve the Mobile Users—GlobalProtect IP addresses for the location:
    { "serviceType": "gp_gateway", "addrType": "all", "location": "all" }
  - You have reached the maximum number of mobile user locations allowed by your license and cannot add any more locations.
  - You entered the location name incorrectly.
  - You entered a serviceType other than gp_gateway.
  - You entered an actionType other than pre_allocate.
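As an added example (not Palo Alto Networks code), the following Python builds the pre-allocation request body from the earlier step, enforcing the 12-location limit, and flattens a response in the format above into per-location allow-list entries with the shortest remaining validity flagged. The sample response and its RFC 5737 addresses are constructed; because the page shows the remaining validity under two key names (expiring_in and validity_period_remaining), the parser accepts either, which is an assumption.

```python
# Added example (not Palo Alto Networks code): build the pre-allocation request
# body described above and turn the API response into allow-list entries.
import json

MAX_LOCATIONS = 12  # the page warns that more than 12 can cause timeouts
SERVICE_TYPES = {"gp_gateway", "swg_proxy"}  # GlobalProtect / Explicit Proxy


def pre_allocate_body(service_type, locations):
    """Return the JSON text to put in the .txt file sent with the CURL command."""
    if service_type not in SERVICE_TYPES:
        raise ValueError(f"serviceType must be one of {sorted(SERVICE_TYPES)}")
    if not 1 <= len(locations) <= MAX_LOCATIONS:
        raise ValueError(f"enter between 1 and {MAX_LOCATIONS} locations")
    return json.dumps({"actionType": "pre_allocate",
                       "serviceType": service_type, "location": list(locations)})


def _days_left(detail):
    # Assumption: the remaining validity appears as "N days" under either key name.
    value = detail.get("expiring_in") or detail.get("validity_period_remaining") or "0"
    return int(value.split()[0])


def allow_list_entries(response_text, warn_days=14):
    """Per zone: the addresses and subnets to allow-list, the shortest remaining
    validity, and a flag for locations that must be onboarded soon."""
    zones = {}
    for zone in json.loads(response_text)["result"]:
        days = min(_days_left(d) for d in zone["address_details"])
        zones[zone["zone"]] = {"addresses": sorted(zone["addresses"]),
                               "subnets": sorted(zone["zone_subnet"]),
                               "days_left": days, "onboard_soon": days <= warn_days}
    return zones


# Constructed sample response (RFC 5737 documentation addresses, not real output).
SAMPLE_RESPONSE = json.dumps({"result": [
    {"zone": "prisma-access-zone1", "addresses": ["198.51.100.11", "198.51.100.10"],
     "zone_subnet": ["198.51.100.0/24"], "address_details": [
         {"address": "198.51.100.10", "service_type": "gp_gateway",
          "addressType": "pre-allocated", "expiring_in": "90 days"},
         {"address": "198.51.100.11", "service_type": "gp_gateway",
          "addressType": "pre-allocated", "expiring_in": "90 days"}]},
    {"zone": "prisma-access-zone2", "addresses": ["203.0.113.20"],
     "zone_subnet": ["203.0.113.0/24"], "address_details": [
         {"address": "203.0.113.20", "service_type": "gp_portal",
          "addressType": "pre-allocated", "validity_period_remaining": "9 days"}]}]})
```

Feed the text of the real API response to allow_list_entries and push the addresses and subnets into your allow lists; any zone flagged onboard_soon needs to be onboarded before its validity period runs out.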