Retrieve the IP Addresses for Prisma Access
Focus
Focus

Retrieve the IP Addresses for Prisma Access

Table of Contents

Retrieve the IP Addresses for Prisma Access

Find the Prisma Access IP addresses that you need to add to your organization’s allow lists.
If you are manually adding IP addresses of your Prisma Access infrastructure to an allow list in your network, or if you are using an automation script to enforce IP-based restrictions to limit inbound access to enterprise applications, you should understand what these addresses do and why you need to allow them, as well as the tasks you perform to retrieve them.
While you do not perform these tasks until after you complete your Prisma Access configuration, it is useful to understand these concepts in advance, so you understand what to do after your deployment is complete.
To learn about events that cause Prisma Access IP addresses to change and to plan for those changes, see Plan for IP Address Changes for Mobile Users, Remote Networks, and Service Connections.

Prisma Access Infrastructure IP Addresses

If you are manually adding IP addresses of your Prisma Access infrastructure to an allow list in your network, or if you are using an automation script to enforce IP-based restrictions to limit inbound access to enterprise applications, you should understand what these addresses do and why you need to allow them, as well as the tasks you perform to retrieve them.
Prisma Access does not provision these IP addresses until after you complete your Prisma Access configuration. After your deployment is complete, you retrieve these IP addresses using an API script. The API script uses an API key that you obtain from the Prisma Access UI and a .txt file you create which specifies the addresses you want to retrieve.
The following table provides you with a list of the IP address that Prisma Access uses for each deployment type, along with the keyword you use when you run the API script to retrieve the IP addresses, and describes whether or not you should add them to your organization’s allow lists.
Deployment Type
IP Address Type
Description
Mobile Users—GlobalProtect
Prisma Access gateway (
gp_gateway
)
Gateway IP addresses. You must add both gateway and portal IP addresses to allow lists for your mobile user deployments.
Mobile users connect to a Prisma Access gateway to access internal or internet resources, such as SaaS or public applications, for which you have provided access.
For mobile users, during initial deployment, Prisma Access assigns two IP addresses for each location you deploy.
Prisma Access portal (
gp_portal
)
Portal IP addresses. You must add both gateway and portal IP addresses to allow lists for your mobile user deployments.
Mobile users log in to the Prisma Access portal to receive their initial configuration and gateway location.
Loopback IP addresses
The source IP address used by Prisma Access for requests made to an internal source, and is assigned from the infrastructure subnet. Add the loopback IP address to an allow list in your network to give Prisma Access access to internal resources such as RADIUS or Active Directory authentication servers.
Palo Alto Networks recommends that you allow all the IP addresses of the entire infrastructure subnet in your network, because loopback IP addresses can change. To find the infrastructure subnet, select
Panorama
Cloud Services
Status
Network Details
Service Infrastructure
. The subnet displays in the
Infrastructure Subnet
area.
To retrieve loopback IP addresses, use the legacy API script.
Mobile Users—Explicit Proxy
Authentication Cache Service (ACS)
The address for the Prisma Access service that stores the authentication state of the explicit proxy users.
This address is only used for explicit proxy for mobile users.
Network Load Balancer
The address that Prisma Access uses for the explicit proxy network load balancer.
This address is only used for explicit proxy for mobile users.
Remote Network
Remote Network IP addresses (
remote_network
)
The
Service IP Addresses
that Prisma Access assigns for the Prisma Access remote network connection, and egress IP addresses that Prisma Access uses to make sure that remote network users get the correct default language for their region. Add these addresses to allow lists in your network to give Prisma Access access to internet resources.
Loopback IP addresses
The source IP address used by Prisma Access for requests made to an internal source, and is assigned from the infrastructure subnet. Add the loopback IP address to an allow list to give Prisma Access access to internal resources such as RADIUS or Active Directory authentication servers. To retrieve loopback IP addresses, use the legacy API script.
Clean Pipe
Clean Pipe IP Addresses (
clean_pipe
)
Add these IP addresses to an allow list to give the Clean Pipe service access to internet resources.
Loopback IP addresses
The source IP address used by Prisma Access for requests made to an internal source, and is assigned from the infrastructure subnet. Add the loopback IP address to an allow list to give Prisma Access access to internal resources such as RADIUS or Active Directory authentication servers. To retrieve loopback IP addresses, use the legacy API script.

Run the API Script Used to Retrieve IP Addresses

Prisma Access provides an API script that you can use to retrieve public and private IP addresses it uses in its infrastructure. If you need to add public IP addresses to allow lists in your organization’s network, use the following steps to retrieve these IP addresses with the API script.
This command does not retrieve loopback addresses; to retrieve loopback IP addresses, use the legacy API.
  1. Get the API key.
    You need this key to authenticate to Prisma Access and retrieve the list of IP addresses using the API command. Only a Panorama administrator or Superuser can generate or access this API key.
    1. Select
      Panorama
      Cloud Services
      Configuration
      Service Setup
      .
    2. Select
      Generate API Key
      .
      If you have already generated an API key, the
      Current Key
      displays. If you haven’t yet generated a key or want to replace the existing key to meet audit or compliance check for key rotation, click
      Generate New API Key
      for a new key.
  2. Create a .txt file and put the API command options in the file.
    Using the API the command to use is a two-step process. First, you create a .txt file, specifying the parameters for the IP addresses to retrieve, and save the file in a folder that is reachable from the location where you run the command. Then, you run the API and specify the name and location of the .txt file you created in the command.
    Specify the following keywords and arguments in the .txt file. See API Command Examples for examples. The examples in this document use a file name of
    options.txt
    but you can specify any file name, as long as you reference it in the command.
    Argument
    Possible choices (keywords)
    Comments
    serviceType
    all
    remote_network
    gp_gateway
    gp_portal
    clean_pipe
    swg_proxy
    all
    —Retrieves IP addresses you need to add to an allow list for all service types (Remote Networks, Mobile Users (both gateways and portals), and Clean Pipe, as applicable to your deployment).
    remote_network
    —Retrieves IP addresses you need to add to an allow list for remote network deployments.
    gp_gateway
    —Retrieves the Mobile Users—GlobalProtect gateway IP addresses you need to add to an allow list for mobile user deployments.
    gp_portal
    —Retrieves the Mobile Users—GlobalProtect portal IP addresses you need to add to an allow list for mobile user deployments.
    clean_pipe
    —Retrieves the IP addresses you need to add to an allow list for clean pipe deployments.
    swg_proxy
    —Retrieves the Mobile Users—Explicit Proxy IP addresses for the authentication cache service (ACS) and the network load balancers (relevant for explicit proxy deployments only).
    addrType
    all
    active
    service_ip
    auth_cache_service
    network_load_balancer
    all
    or
    active
    —Retrieves all the IP addresses you need to add to an allow list.
    This API does not retrieve loopback IP addresses. To retrieve loopback IP addresses, use the legacy API.
    service_ip
    —Retrieves the
    Service IP Address
    , which you use as the peer IP address when you set up the IPSec tunnel for the remote network connection.
    auth_cache_service
    —Retrieves the IP address for the explicit proxy ACS (applicable to Explicit Proxy deployments only).
    network_load_balancer
    —Retrieves the IP address for the explicit proxy network load balancer (applicable to Explicit Proxy deployments only).
    actionType
    pre_allocate
    Mobile User deployments only
    —An
    actionType
    of
    pre_allocate
    allows you to retrieve IP addresses or subnets for Prisma Access gateways and portals for mobile user deployments. Use this with a
    serviceType
    of
    gp_gateway
    to retrieve pre-allocated gateway IP addresses and a
    serviceType
    of
    gp_portal
    to retrieve pre-allocated portal IP addresses.
    Retrieving the pre-allocated IP addresses lets you add the gateway and portal IP addresses to your organization’s allow lists before you onboard mobile user locations, which in turn gives mobile users access to external SaaS apps immediately after you onboard the locations. See Pre-Allocate IP Addresses for Mobile User Locations for details.
    location
    all
    deployed
    all
    —Retrieves the IP addresses from all locations. For mobile user deployments, this keyword retrieves the IP addresses for both locations you added during onboarding, and locations you did not add.
    deployed
    —Retrieves IP addresses in all locations that you added during mobile user onboarding.
    This keyword is applicable to mobile user deployments only. Prisma Access associates IP addresses for every mobile user location during provisioning, even if you didn’t select that location during mobile user onboarding. If you specify
    all
    , the API command retrieves the IP addresses for all mobile user locations, including ones you didn’t select for the deployment. If you specify
    deployed
    , the API command retrieves only the IP addresses for the locations you selected during onboarding.
    Specify the options in the .txt file in the following format:
    { "serviceType": "
    service-type
    ", "addrType": "
    address-type
    ", "location": "
    location
    " }
  3. Enter one of the following commands to retrieve the IP addresses.
    • To use the API that was introduced in Prisma Access 2.1, enter the following command:
      curl -X POST --data @
      option.txt
      -H header-api-key:
      Current-API-Key
      "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
    • To use the legacy API, enter the following command. This command uses a legacy API endpoint that will be deprecated in May 2022:
      curl -X POST --data @
      option.txt
      -k -H header-api-key:
      Current-API-Key
      "https://api.gpcloudservice.com/getPrismaAccessIP/v2"
    Where
    option.txt
    is the .txt file you created in Step 2 and
    Current-API-Key
    is the Prisma Access API key.
    For example, given a .txt file name of
    option.txt
    and an API key of
    12345abcde
    , use the following API command to retrieve the public IP address for all locations:
    curl -X POST --data @option.txt -H header-api-key:12345abcde "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
    The API command can return a large amount of information. To make the output more readable, if you have Python installed, you can add
    | python -m json.tool
    at the end of the CURL command.
    The API command returns the addresses in the following format:
    { "result": [ { "address_details": [ { "address": "1.2.3.4" "allow_listed": false "addressType": "
    address-type
    " "serviceType": "
    service-type
    " } ], "addresses": [ "1.2.3.4" ] "zone": "
    zone-name
    ", "zone_subnet": [
    zone-subnet
    ] }, "status": "success"
    Where:
    • address_details
      shows the details of the address for each location.
      • serviceType
        shows the type of IP address (either remote network (
        remote_network
        ), Prisma Access gateway (
        gp_gateway
        ), Prisma Access portal (
        gp_portal
        ), or Clean Pipe (
        clean_pipe
        ).
      • addressType
        specifies the type of address specified with the
        addrType
        keyword (either
        all
        ,
        active
        , , or
        pre-allocated
        if you are Pre-Allocate IP Addresses for Mobile User Locations).
      • address
        shows the IP address you need to add to your allow lists.
        If the API returns multiple IP addresses, Prisma Access summarizes the IP addresses in the
        addresses
        field.
    • addresses
      lists all the IP addresses for the location that you need to add to your allow lists.
    • zone
      is the Prisma Access location associated with the IP addresses.
    • zone_subnet
      is the subnet for mobile user gateways and portals. Prisma Access also provides this subnet if you Pre-Allocate IP Addresses for Mobile User Locations.
    If there are any problems with the options in the .txt file, the API returns an error similar to the following:
    {"status": "error","result": "Invalid json format in the request. trace_id: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx "}
  4. Update the allow lists on your on-premises servers or SaaS application policy rules with the IP addresses you retrieved.

API Command Examples

Use the following examples when entering keywords and arguments in the .txt file for the API command to retrieve Prisma Access infrastructure IP addresses. To change the output of the command, change the options in the .txt file; the command itself does not change.
Retrieve These IP Addresses
Specify These Parameters in the .txt File
Comments
Mobile User IP Addresses
All mobile user IP Addresses
{ "serviceType": "gp_gateway", "addrType": "all", "location": "all" }
An
addrType
of
all
means that Prisma Access retrieves all IP addresses for the locations you selected during mobile user onboarding.
A
location
of
all
means that Prisma Access retrieves IP addresses for all available locations, including ones that you have not onboarded. Prisma Access reserves non-onboarded location IP addresses so that you can add these IP addresses to your allow lists before you onboard them.
IP addresses for onboarded mobile user locations
{ "serviceType": "gp_gateway", "addrType": "all", "location": "deployed" }
Or
{ "serviceType": "gp_gateway", "addrType": "active", "location": "deployed" }
A
location
type of
deployed
means that Prisma Access retrieves only the IP addresses for the locations that you selected during mobile user onboarding.
Use either an
addrType
of
all
or
active
to retrieve these gateway IP addresses.
Remote Network IP Addresses
Retrieve all remote network IP addresses
{ "serviceType": "remote_network", "addrType": "all", "location": "all" }
This command retrieves the public and egress IP addresses of remote networks you have onboarded. Do not use a
location
of
deployed
. You can use an
addrType
of
active
but it retrieves the same addresses as if you specified an
addrType
of
all
.
Clean Pipe IP Addresses
Retrieve all clean pipe IP addresses
{ "serviceType": "clean_pipe", "addrType": "all", "location": "all" }
This command retrieves the public and egress IP addresses of clean pipes you have onboarded. Do not use a
location
of
deployed
. You can use an
addrType
of
active
but it retrieves the same addresses as if you specified an
addrType
of
all
.
Explicit Proxy IP Addresses
Retrieve the ACS IP addresses for deployed locations
{ "serviceType": "swg_proxy", "location": "deployed", "addrType": "auth_cache_service" }
This command retrieves the ACS IP address for your explicit proxy deployment. Entering an
addrType
of
all
retrieves all address types (the ACS and the network load balancer IP addresses).

Pre-Allocate IP Addresses for Mobile User Locations

Prisma Access uses gateway and portal IP addresses for Mobile Users—GlobalProtect deployments, and authentication cache service (ACS) and network load balancer IP addresses for Mobile Users—Explicit Proxy deployments. Mobile Users—GlobalProtect IP addresses are known as
egress IP addresses
. If you need to pre-allocate mobile user IP addresses before you onboard the location (for example, if your organization needs to add the IP addresses for Mobile Users—GlobalProtect deployments to allow lists to give mobile users access to external SaaS applications), you can run an API script to have Prisma Access pre-allocate these IP addresses for a location ahead of time, before you onboard it. You can then add the location’s egress IP addresses to your organization’s allow lists before onboarding the location.
The API response also includes the public IP subnets for the egress IP addresses for the requested location. The egress IP addresses of any locations you add are a part of this subnet. Adding the subnets to your allow lists provides for future location additions without further allow list modification.
Prisma Access does not pre-allocate your IP addresses and subnets unless you request them using the API script. After you run the pre-allocation script, they have a validity period of 90 days. The IP addresses that Palo Alto Networks provides you are unique, not shared, and dedicated to your Prisma Access deployment during the validity period. You must onboard your locations before the validity period ends or you lose the addresses; to find the validity period at any time, run the API script.
Palo Alto Networks recommends that you only pre-allocate IP addresses for locations that you want to onboard later.
To pre-allocate IP addresses, complete the following task.
  1. Retrieve the Prisma Access API key.
  2. Pre-allocate the mobile user egress IP addresses by creating a .txt file and specifying the following options in the .txt file you create.
    Enter the following text in the .txt file:
    • Mobile Users—GlobalProtect Deployments:
      { "actionType": "pre_allocate", "serviceType": "gp_gateway", "location": ["
      location
      "] }
    • Mobile Users—Explicit Proxy Deployments:
      { "actionType": "pre_allocate", "serviceType": "swg_proxy", "location": ["
      location
      "]}
    Where
    location
    is the Prisma Access location or locations where you want to pre-allocate the IP addresses. If you enter multiple locations, use brackets around the set of locations and separate each location entry with quotes, a comma, and a space (for example, [
    "location1", "location2", "location3"
    ], and so on).
    Enter a maximum of 12 locations. Entering more than 12 locations might cause timeout errors when Prisma Access retrieves the pre-allocated IP addresses.
  3. Enter the CURL command as shown in Step 3 in Run the API Script Used to Retrieve IP Addresses.
  4. Retrieve the IP addresses and subnets you requested, including their validity period, by re-opening the .txt file, removing the existing information, and editing it.
    • Mobile Users—GlobalProtect Deployments:
      • To request Prisma Access to retrieve all pre-allocated IP addresses, enter the following text in the .txt file.
        { "serviceType": "all", "addrType": "pre_allocated", "location": "all" }
      • To request Prisma Access to retrieve all pre-allocated IP addresses for Prisma Access gateways for a given location, enter the same information in the .txt file but substitute
        all
        with
        gp_gateway
        in the .txt file.
      • To request Prisma Access to retrieve all pre-allocated IP addresses for Prisma Access portals for a given location, enter the same information in the .txt file but substitute
        all
        with
        gp_portal
        in the .txt file.
    • Mobile Users—Explicit Proxy Deployments:
      To request that Prisma Access pre-allocate all IP addresses you need to add to allow lists for an explicit proxy deployment, enter the following text in the .txt file.
      { "actionType": "pre_allocate", "serviceType": "swg_proxy", "location": ["all"] }
    Palo Alto Networks recommends that you enter
    all
    so you can retrieve all required pre-allocated egress IP addresses to add to your allow lists.
    For Mobile Users—GlobalProtect deployments, while Prisma Access returns up to four addresses for each location (two gateway IP addresses and, if required, two portal IP addresses), the API command can return a large amount of information. To make the output more readable, if you have Python installed, you can add
    | python -m json.tool
    at the end of the CURL command.
  5. Re-enter the CURL command as shown in Step 3 in Run the API Script Used to Retrieve IP Addresses to retrieve the pre-allocated addresses.
    Prisma Access returns the information in the following format:
    "result": [ { "zone": "
    prisma-access-zone1
    ", "addresses": [ ["
    ip-address1
    ","
    ip-address2
    "] "zone_subnet" : [
    subnet-and-mask1
    ","
    subnet-and-mask2
    "] "address_details":[ {"address":"
    ip-address1
    ", "service_type":"
    service-type
    ", "addressType":"pre-allocated", "expiring_in" : "
    validity-period
    " }, {"address":"
    ip-address2
    ", "service_type":"gp_gateway", "addressType":"pre-allocated", "validity_period_remaining" : "90 days" } , },
    Where the variables represent the following API command output:
    Variable
    Explanation
    prisma-access-zone1
    The Prisma Access location for which pre-allocated IP addresses were retrieved.
    ip-address1
    and
    ip-address2
    The egress IP addresses that Prisma Access has pre-allocated for the specified location.
    Prisma Access retrieves two IP addresses for each location; you must add both of these IP addresses to your allow lists.
    subnet-and-mask1
    and
    subnet-and-mask2
    The subnets that Prisma Access has pre-allocated and reserved for the egress IP addresses in your deployment.
    service-type
    The type of the pre-allocated egress IP address (either
    gp_portal
    for a Prisma Access portal or
    gp_gateway
    for a Prisma Access gateway).
    validity-period
    The remaining time, in days, for which the pre-allocated IP address is valid.
    You must onboard your mobile user location before the IP addresses’ validity period ends. If the pre-allocated IP addresses expire, you can rerun the API script to retrieve another set of pre-allocated IP addresses.
    You could receive an error if you attempt to pre-allocate IP addresses for locations that meet one of the following criteria:
    • You have already onboarded the location.
    • You onboarded, then deleted the location.
      In this case, enter the following text in the .txt file to retrieve the Mobile Users—GlobalProtect IP addresses for the location:
      { "serviceType": "gp_gateway", "addrType": "all", "location": "all" }
    • You have reached the maximum number of mobile user locations allowed by your license and cannot add any more locations.
    • You entered the location name incorrectly.
    • You entered a
      serviceType
      other than
      gp_gateway
      .
    • you entered an
      actionType
      other than
      pre_allocate
      .

Be Notified of Changes to IP Addresses

To be notified of public IP address changes for remote networks and loopback IP address changes for service connections, remote network connections, and mobile users, you can to specify a URL at which you can be alerted of a change. Prisma Access uses an HTTP POST request to send the notification. This POST request includes the following notification data in JSON format:
{"addrType": "public_ip", "addrChangeType": "add", "utc_timestamp": "2019-01-31 23:08:19.383894", "text": "Address List Change Notification"}
{"addrType": "public_ip", "addrChangeType": "delete", "utc_timestamp": "2019-01-31 23:13:35.882151", "text": "Address List Change Notification"}
{"addrType": "loopback_ip", "addrChangeType": "update", "utc_timestamp": "2019-01-31 23:29:27.100329", "text": "2018-05-11 23:29:27.100329"}
When you receive a notification, you must follow a two-step process. First, you must manually or programatically retrieve the IP or loopback addresses. Then, you must update the IP addresses in your organization’s appropriate allow list to ensure that users do not experience any disruption in service.
Prisma Access sends this notification a few seconds before the new IP address becomes active. We recommend that you use automation scripts to both retrieve and add the new IP addresses to an allow list in your network.
To add an IP notification URL, complete the following task.
  1. Select
    Panorama
    Cloud Services
    Configuration
    Service Setup
    .
  2. Add an
    IP Change Event Notification URL
    where you can be notified of IP address changes in your Prisma Access infrastructure.
    You can specify an IP address or an FQDN to an HTTP or HTTPS web service that is listening for change notifications. Prisma Access sends these notifications from the internet using a public IP address.
    You do not need to commit your changes for the notification URL to take effect.

Legacy Scripts Used to Retrieve IP and Loopback Addresses

The commands described in this section are superseded by a newer API script as of Prisma Access 1.5; however, they are still supported when you need to obtain the loopback address, or for deployments that use them in scripts or other automated tools.
The following table shows the keywords and parameters that are available in the legacy API scripts used with Prisma Access, and provides information and recommendations about which API to use for the type of deployment you have.
These legacy commands also retrieve
public IP
and
egress IP
addresses; however, Palo Alto Networks recommends that you use the newer API script to retrieve these commands and only use the legacy API to retrieve the loopback IP addresses.
  • A
    public IP address
    is the source IP address that Prisma Access uses for requests made to an internet-based source. Add the public IP address to an allow list in your network to give Prisma Access access to internet resources such as SaaS applications or publicly accessible partner applications.
    Mobile user, remote network, and clean pipe deployments use public IP addresses.
  • An
    egress IP address
    is an IP address that Prisma Access uses for egress traffic to the internet, and you must also add these addresses to an allow list to give Prisma Access access to internet resources.
    Among other purposes, Prisma Access uses egress IP addresses so that users receive web pages in the language they expect from a Prisma Access location. All locations have public IP addresses; however, not all locations have egress IP addresses. The following locations do not use egress IP addresses:
    • Any locations that you added before the release of Prisma Access 1.4.
    • Bahrain
    • Belgium
    • France North
    • France South
    • Hong Kong
    • Ireland
    • South Korea
    • Taiwan
    • United Kingdom
    Mobile user, remote network, and clean pipe deployments use egress IP addresses.
Commands Used in Mobile User Deployments
Command Name
Comments
get_egress_ip_all=yes
command
curl -H header-api-key:
Current-API-Key
"https://api.prod.datapath.prismaaccess.com/getAddrList/latest?get_egress_ip_all=yes
This command retrieves all the IP addresses that you add to an allow list to give Prisma Access access to internet resources such as SaaS applications or publicly accessible partner applications. This command has the following constraints:
  • This command can retrieve a large number of addresses (more than 200). If your enterprise cannot add this number of IP addresses to an allow list, you can use the
    gpcs_gp_gw
    and
    gpcs_gp_portal
    keywords to retrieve only the IP addresses you are currently using; however you will have to rerun these commands every time you add a location. In addition, if an autoscale event occurs, you will need to the new IP addresses to an allow list.
  • Prisma Access does not list the locations that are associated with these IP addresses; therefore, we recommend that you all the IP addresses that are returned with this command to an allow list.
  • This command does not give you loopback addresses.
gpcs_gp_gw
and
gpcs_gp_portal
keywords
curl -H header-api-key:
Current-API-Key
"https://api.prod.datapath.prismaaccess.com/getAddrList/latest?fwType=
gpcs_gp_gw
|
gpcs_gp_portal
&addrType=
public_ip
|
egress_ip_list
|
loopback_ip
"
Use this command if your deployment limits the amount of IP addresses you can add to an allow list. You must add all IP addresses returned with this command to an allow list in your network. You can also retrieve the loopback IP addresses with this command.
Commands Used In Remote Network Deployments
Command Name
Comments
gpcs_remote_network
keyword
curl -H header-api-key:
Current-API-Key
"https://api.prod.datapath.prismaaccess.com/getAddrList/latest?fwType=
gpcs_remote_network
&addrType=
public_ip
|
egress_ip_list
|
loopback_ip
"
Use this command to find the IP addresses that you need to add to an allow list for remote network deployments.
You can also use this command to find the egress IP addresses for remote network deployments; the egress and IP addresses can be different in some situations.
Commands Used in Clean Pipe Deployments
Command Name
Comments
gpcs_clean_pipe
keyword
curl -H header-api-key:
Current-API-Key
"https://api.prod.datapath.prismaaccess.com/getAddrList/latest?fwType=
gpcs_clean_pipe
&addrType=
public_ip
|
egress_ip_list
|
loopback_ip
"
Use this command to find the IP addresses that you need to add to an allow list for clean pipe deployments.

Retrieve Public and Egress IP Addresses for Mobile User Deployments

This legacy script has been superseded by a by a newer API script as of Prisma Access 1.5. Palo Alto Networks recommends that you use the newer script to retrieve all IP addresses with the exception of loopback addresses.
If you are adding public IP addresses to allow lists to give mobile users access to SaaS or public applications, Prisma Access provides two IP addresses for each gateway and portal IP address so that one IP address can be used during a scaling or other event. You can add this set of IP addresses to an allow list before they are used, preventing any issues with mobile users being able to access SaaS or public applications during a scaling event.
Retrieve these new addresses by completing the following task:
  1. Get the API key by selecting
    Panorama
    Cloud Services
    Configuration
    Service Setup
    ; then, selecting
    Generate API Key
    .
    You need this key to authenticate to Prisma Access and retrieve the list of IP addresses using the curl command listed below. Only a Panorama administrator or Superuser can generate or access this API key.
  2. Enter the following command to retrieve the mobile user public IP addresses:
    curl -H header-api-key:
    Current-API-Key
    "https://api.prod.datapath.prismaaccess.com/getAddrList/latest?get_egress_ip_all=yes"
    Where
    Current-API-Key
    is the Prisma Access API key.
    For example, given an API key of
    12345abcde
    , use the following API command to retrieve the public IP address for all locations:
    curl -H header-api-key:12345abcde "https://api.prod.datapath.prismaaccess.com/getAddrList/latest?get_egress_ip_all=yes"
    Every time Prisma Access uses one set of public IP addresses, it allocates another set of IP addresses. If you think that Prisma Access has used the added set of public IP addresses (for example, if a large number of mobile users have accessed a single location), you can run this API command again to find the new set of public IP addresses. All IP addresses persist after an upgrade.

Retrieve Public, Loopback, and Egress IP Addresses

To retrieve public, loopback, and egress IP addresses, complete the following steps.
  1. Get the API key and add an
    IP Change Event Notification URL
    where you can be notified of IP address changes in your Prisma Access infrastructure.
  2. Retrieve the public IP addresses, loopback IP addresses, or both for Prisma Access.
    Use the API key and the API endpoint URL either manually or in an automation script:
    header-api-key:
    Current API Key
    "https://api.prod.datapath.prismaaccess.com/getAddrList/latest?fwType=
    $fwType
    &addrType=
    $addrType
    "
    where you need to replace Current API Key with your API key and use one or both of the following keywords and arguments:
    Keyword
    Description
    fwType
    keyword
    gpcs_gp_gw
    Retrieves Prisma Access gateway IP addresses (for mobile user deployments).
    gpcs_gp_portal
    Retrieves Prisma Access portal IP addresses (for mobile user deployments).
    gpcs_remote_network
    Retrieves Prisma Access remote network IP addresses (for remote network deployments).
    gpcs_clean_pipe
    Retrieves Prisma Access Clean Pipe IP addresses.
    addrType
    keyword
    public_ip
    Retrieves the source IP addresses that Prisma Access uses for requests made to an internet-based source.
    For mobile user locations, Prisma Access lists the IP addresses by location. For remote networks, Prisma Access lists the IP addresses by remote network name.
    egress_ip_list
    Retrieves the IP addresses that Prisma Access uses with public IP addresses for additional egress traffic to the internet.
    For mobile user locations, Prisma Access lists the IP addresses by location. For remote networks, Prisma Access lists the IP addresses by remote network name.
    loopback_ip
    Retrieves the source IP addresses used by Prisma Access for requests made to an internal source (for example, a RADIUS or Active Directory server), and is assigned from the infrastructure subnet.
    If you don’t specify a keyword, Prisma Access retrieves all IP addresses.
    For example, you can try the following Curl command to manually retrieve the list of public IP addresses for all remote networks:
    curl -H header-api-key:1234y9ydxb__0UmxetVTbC8XTyFMaoT4RBZBKBjfX419YVufeFG7 "https://api.prod.datapath.prismaaccess.com/getAddrList/latest?fwType=gpcs_remote_network&addrType=public_ip"
    or use a simple python script to retrieve the list of all IP addresses, for example:
    #!/usr/bin/python import subprocess import json api_key = '1234y9ydxb__0UmxetVTbC8XTyFMaoT4RBZBKBjfX419YVufeFG7' # Replace with your key api_end_point = 'https://api.prod.datapath.prismaaccess.com/getAddrList/latest' # This call retrieves IP addresses for all your Prisma Access firewalls args = ['curl', '-k', '-H', 'header-api-key:' + api_key, api_end_point] p = subprocess.Popen(args, stdout=subprocess.PIPE) output = p.communicate() dout = json.loads(output[0]) addrStrList = dout['result']['addrList'] addrList = [] for addr_str in addrStrList: addrList.append(addr_str.split(":")[1]) print(addrList)
  3. Update the allow lists on your on-premises servers or SaaS application policy rules with the IP addresses you retrieved.

Recommended For You