Plan For IP Address Changes for Mobile Users, Remote Networks, and Service Connections

If you know when IP addresses change, you can proactively plan your infrastructure and whitelist the required IP addresses. IP addresses can change as a result of changes you make (for example, adding another mobile user location) or of changes that GlobalProtect cloud service performs automatically (for example, when a large number of mobile users access a single GlobalProtect cloud gateway).
The following sections describe how IP addresses can change:

IP Address Allocation For Mobile Users

GlobalProtect cloud service adds two sets of public IP addresses for each cloud portal and gateway when you deploy GlobalProtect cloud service for the first time: one set that is in active use and another set that is reserved for future use. Because the public IP address is the source IP address that GlobalProtect cloud service uses for requests to internet-based destinations, you need to know what the public IP addresses are and whitelist them to give your users access to resources such as SaaS applications or publicly accessible partner applications.
The public IP addresses can change, and GlobalProtect cloud service can put the reserved public IP address sets into active use, if the following events occur:
  • A large number of mobile users access a location in the same region.
    When a scaling event occurs, GlobalProtect cloud service adds one or more cloud gateways to accommodate the increased number of users, assigns one or more of the reserved public IP addresses to the new gateways and makes them active, and adds a new set of reserved IP addresses to the mobile user locations to replace the ones that were used.
  • You add one or more locations to your deployment.
    When you add more locations, GlobalProtect cloud service adds another cloud gateway and a new set of active and reserved IP addresses for each new location you add.
  • GlobalProtect cloud service upgrades its infrastructure, usually in conjunction with a new software release and an upgrade to the Cloud Services plugin.
    GlobalProtect cloud service makes the reserved public IP addresses active, and makes the active public IP addresses reserved.
Because GlobalProtect cloud service adds more public IP addresses when you add a gateway, and can add more public IP addresses after a scaling event, you should get your API key and add an IP Change Event Notification URL, or use the API command, to be notified of IP address changes in your GlobalProtect cloud service infrastructure. You can then whitelist any added or changed addresses that the notification specifies.

Public IP Address Scaling Examples for Mobile Users

The following examples illustrate the mobile user public IP address allocation process that GlobalProtect cloud service uses during a scaling event or when you add a new location.
In the following example, you specified two locations in the Asia Pacific region for a new mobile user deployment: Sydney and Seoul. Each location has an active and a reserved public IP address, so GlobalProtect cloud service allocates four IP addresses for the two gateways: two active and two reserved.
mobile-user-scaling-event-before.png
Then a large number of users log in to the Seoul location. To accommodate these extra users, GlobalProtect cloud service adds a second cloud gateway for the Seoul location and takes the reserved address from the first Seoul gateway (51.1.1.4) and makes this the active IP address for the second Seoul gateway. It then adds two additional IP addresses (51.1.1.5 and 51.1.1.6 in this example) to use as reserved IP addresses for the two Seoul gateways.
mobile-user-scaling-event-after.png
Then you add another location, Tokyo, in the Asia Pacific region. The GlobalProtect cloud service creates two new IP addresses for the new gateway (51.1.1.7 and 51.1.1.8).
mobile-user-scaling-event-after-gateway-addition.png
Each time you add a location or have a scaling event, you should retrieve the new public IP addresses that GlobalProtect cloud service assigned and whitelist them in your network. GlobalProtect cloud service keeps two sets of IP addresses at all times for all active gateways in each location.

Public IP Address Reassignment Example After an Infrastructure Upgrade

When GlobalProtect cloud service upgrades its infrastructure, usually to prepare for a software upgrade for the Cloud Services plugin, it changes the public IP addresses from active to reserved and vice versa. The following example illustrates the process.
Subscribe to text or email notices for upcoming scheduled infrastructure upgrades at status.paloaltonetworks.com.
The following graphic shows a sample deployment with three GlobalProtect cloud service portals, three locations (Sydney, Tokyo, and Seoul), and an active and reserved public IP address for each portal and location.
mobile-user-infra-upgrade-before.png
After an infrastructure upgrade, GlobalProtect cloud service reverses the public IP addresses for each portal and location. In this example, the Sydney location’s active public IP address changes from 51.1.1.1 to 51.1.1.2 and its reserved public IP address changes from 51.1.1.2 to 51.1.1.1. Whitelisting both the active and reserved public IP addresses ensures that users can still access the cloud portals and gateways after an infrastructure upgrade.
mobile-user-infra-upgrade-after.png
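The active/reserved mechanics in the two examples above (a scaling event, adding a location, and the active/reserved swap at an infrastructure upgrade) are small enough to model. The following Python script is an added illustration for this page, not Palo Alto Networks code: it replays the Sydney/Seoul/Tokyo example with the page's 51.1.1.x addresses and reports, after each step, which addresses an allow list that was current through the previous step would be missing. Handing out addresses sequentially from one pool, and which of the two Seoul gateways receives which new reserved address, are simplifications of the simulation, not documented behaviour.

```python
"""Simulation of the public IP allocation GlobalProtect cloud service applies
to mobile user gateways, as this page describes it: each gateway carries one
active and one reserved public IP; a scaling event promotes the first
gateway's reserved address to active on the new gateway and gives both
gateways fresh reserved addresses; a new location gets a fresh pair; an
infrastructure upgrade swaps active and reserved on every gateway.

Added illustration, not Palo Alto Networks code. Sequential allocation from
one pool, and which gateway receives which new reserved address, are
simplifications; the addresses match the page's 51.1.1.x examples.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from itertools import count


@dataclass
class Gateway:
    location: str
    active: str
    reserved: str


class MobileUserDeployment:
    def __init__(self, pool_start: str = "51.1.1.1") -> None:
        self._pool = count(int(IPv4Address(pool_start)))
        self.gateways: list[Gateway] = []

    def _alloc(self) -> str:
        return str(IPv4Address(next(self._pool)))

    def add_location(self, name: str) -> Gateway:
        """New location: one gateway with a new active/reserved pair."""
        gw = Gateway(name, self._alloc(), self._alloc())
        self.gateways.append(gw)
        return gw

    def scale_out(self, location: str) -> Gateway:
        """Scaling event: the first gateway's reserved address becomes the new
        gateway's active address; both gateways get new reserved addresses."""
        first = next(g for g in self.gateways if g.location == location)
        promoted = first.reserved
        first.reserved = self._alloc()
        new_gw = Gateway(location, promoted, self._alloc())
        self.gateways.append(new_gw)
        return new_gw

    def infrastructure_upgrade(self) -> None:
        """Active and reserved swap roles on every gateway."""
        for g in self.gateways:
            g.active, g.reserved = g.reserved, g.active

    def active_ips(self) -> set[str]:
        return {g.active for g in self.gateways}

    def allow_list(self) -> set[str]:
        """Active plus reserved: what the page says to whitelist."""
        return {ip for g in self.gateways for ip in (g.active, g.reserved)}


def page_example() -> dict[str, set[str]]:
    """Replay Sydney + Seoul, a Seoul scaling event, adding Tokyo, then an
    infrastructure upgrade, recording what an allow list kept current
    through the previous step would be missing after each change."""
    d = MobileUserDeployment()
    d.add_location("Sydney")   # 51.1.1.1 active, 51.1.1.2 reserved
    d.add_location("Seoul")    # 51.1.1.3 active, 51.1.1.4 reserved
    allowed = d.allow_list()
    out = {"initial": set(allowed)}

    d.scale_out("Seoul")       # second Seoul gateway becomes active on 51.1.1.4
    out["active_not_allowed_after_scaling"] = d.active_ips() - allowed
    out["added_by_scaling"] = d.allow_list() - allowed
    allowed |= out["added_by_scaling"]

    d.add_location("Tokyo")    # 51.1.1.7 / 51.1.1.8
    out["added_by_tokyo"] = d.allow_list() - allowed
    allowed |= out["added_by_tokyo"]

    active_only = d.active_ips()  # what an active-only allow list would hold
    d.infrastructure_upgrade()
    out["added_by_upgrade"] = d.allow_list() - allowed
    out["broken_if_only_active_was_allowed"] = d.active_ips() - active_only
    out["sydney_active_after_upgrade"] = {
        g.active for g in d.gateways if g.location == "Sydney"}
    return out


if __name__ == "__main__":
    for step, ips in page_example().items():
        print(f"{step}: {sorted(ips)}")
```

Two results are the ones worth noticing: the scaling event leaves no active address unwhitelisted (the promoted 51.1.1.4 was already allowed as a reserved address) but still introduces two new reserved addresses, and the infrastructure upgrade adds nothing to an allow list that holds both sets, while an allow list that held only the active addresses would lose every gateway at once.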

IP Address Allocation For Remote Network Connections

The IP addresses for the remote network connections are static, and only change in the following cases:
  • When a system administrator creates a new remote network connection using the Panorama appliance.
    The GlobalProtect cloud service adds a Service IP Address for the new remote network connection. This address is also known as the public_ip address when you retrieve IP addresses for the GlobalProtect cloud service using the API or an automated script. When you configure the GlobalProtect cloud service for remote networks, you use this IP address as the peer IP address for the IPSec tunnel between the remote network location and the GlobalProtect cloud service.
    The GlobalProtect cloud service always assigns an entirely new IP address for each new connection. If you delete a remote network connection, GlobalProtect cloud service might reuse that address for a newly deployed gateway, but will never reuse it for a new remote network or service connection.
  • When a change to network bandwidth in a region causes the total bandwidth to exceed 300 Mbps.
    While you can onboard remote networks in increments of 2 Mbps, 5 Mbps, 10 Mbps, 20 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, 150 Mbps, 300 Mbps, 500 Mbps, or 1000 Mbps, the maximum bandwidth available for a single service IP address is 300 Mbps. If the total bandwidth of all remote network connections in a region is 300 Mbps or less, the GlobalProtect cloud service assigns a single service IP address. If the bandwidth exceeds 300 Mbps, the GlobalProtect cloud service provisions an additional service IP address.
    The following example shows three remote network connections in the same region, each with a bandwidth of 100 Mbps. Since the total bandwidth is 300 Mbps, the GlobalProtect cloud service assigns a single IP address for all connections in the region.
    service-ip-address-before.png
    The following example shows the bandwidth of remote network connection A being increased from 100 Mbps to 150 Mbps. Since the total bandwidth of all connections is now more than 300 Mbps, the GlobalProtect cloud service assigns a new service IP address for the connection with the additional bandwidth. The other service IP addresses remain unchanged.
    service-ip-address-after.png
    To find the service IP addresses in Panorama, select Panorama > Cloud Services > Status > Network Details and click the Remote Networks radio button to display the Service IP Address for the remote networks. To retrieve the IP addresses for the GlobalProtect cloud service using an API command or an automated script, specify an addrType of public_ip and a fwType of gpcs_remote_network.

Loopback IP Address Allocation for Mobile Users

Loopback IP addresses for mobile users can change during an infrastructure upgrade.
Loopback IP addresses for service connections and remote network connections do not change during an infrastructure upgrade; only mobile user loopback IP addresses can change.
GlobalProtect cloud service allocates the loopback IP addresses from the infrastructure subnet that you specify when you enable the GlobalProtect cloud service infrastructure. If you whitelist the entire infrastructure subnet, you do not need to plan for mobile user loopback IP changes during an infrastructure upgrade. To find the infrastructure subnet, select Panorama > Cloud Services > Status > Network Details > Service Infrastructure and view the Infrastructure Subnet.
Retrieve these addresses using the API command used to retrieve public IP and loopback IP addresses.
The following example shows a GlobalProtect cloud service deployment that has an infrastructure subnet of 172.16.0.0/16. GlobalProtect cloud service has assigned loopback IP addresses 172.16.0.1 and 172.16.0.3 for mobile users from the infrastructure subnet.
service-connection-loopback-ips-before.png
After an infrastructure upgrade (for example, to prepare for a new release of the Cloud Services plugin), GlobalProtect cloud service assigns two different IP addresses for mobile users from the infrastructure subnet (172.16.0.1 is changed to 172.16.0.2 and 172.16.0.3 is changed to 172.16.0.4).
service-connection-loopback-ips-after.png
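Whether you learn of a change through the IP Change Event Notification URL or by polling the API, the operational step is the same: compare what the service now reports with what your firewalls allow, for public IPs (active and reserved) and for mobile user loopbacks against the infrastructure subnet. The following Python script is an added example for this page, not Palo Alto Networks code. The page gives only the parameter names addrType (public_ip) and fwType (gpcs_remote_network); the endpoint URL, the API key header name, the gpcs_gp_gw fwType, the loopback_ip addrType and the JSON response layout are assumptions to be checked against the API reference. SAMPLE_RESPONSES is constructed data in that assumed shape, reusing the page's example addresses.

```python
"""Reconcile a firewall allow list against the addresses GlobalProtect cloud
service reports for mobile user gateways and remote network connections.

Added example for this page, not Palo Alto Networks code. API_URL,
API_KEY_HEADER, the gpcs_gp_gw fwType, the loopback_ip addrType and the
response layout parsed by parse_response() are assumptions; only the
addrType=public_ip and fwType=gpcs_remote_network names come from the page.
"""
import json
import urllib.request
from ipaddress import ip_address, ip_network

API_URL = "https://api.gpcloudservice.com/getAddrList/latest"  # assumed endpoint
API_KEY_HEADER = "header-api-key"                               # assumed header name


def parse_response(body: str) -> list[str]:
    """Flatten a response into validated IP strings.

    Assumed layout: {"status": "success", "result": [{"zone": ..., "addresses": [...]}]}.
    Anything that is not a well-formed IP address raises ValueError rather than
    ending up in a firewall rule.
    """
    doc = json.loads(body)
    if doc.get("status") != "success":
        raise RuntimeError(f"address list request failed: {doc.get('status')!r}")
    return [str(ip_address(a)) for entry in doc["result"] for a in entry["addresses"]]


def fetch_addr_list(api_key: str, fw_type: str, addr_type: str) -> list[str]:
    """Live retrieval (network call, not used by demo()). fwType and addrType
    are the page's parameter names; the URL and header name are assumed."""
    url = f"{API_URL}?fwType={fw_type}&addrType={addr_type}"
    req = urllib.request.Request(url, headers={API_KEY_HEADER: api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_response(resp.read().decode("utf-8"))


def reconcile(reported: dict[tuple[str, str], list[str]],
              allow_list: set[str], infra_subnet: str) -> dict[str, set[str]]:
    """Compare reported addresses with the GlobalProtect cloud service entries
    currently in the allow list (allow_list is assumed to hold only those).

    public_to_add: public IPs (active or reserved) not yet allowed.
    stale_allowed: allowed public IPs the service no longer reports.
    loopback_covered: mobile user loopbacks inside the allowed infrastructure
        subnet, so an upgrade that moves them needs no rule change.
    loopback_outside_subnet: loopbacks that would need entries of their own.
    """
    subnet = ip_network(infra_subnet)
    public = {a for (_, addr_type), addrs in reported.items()
              if addr_type == "public_ip" for a in addrs}
    loopback = {a for (_, addr_type), addrs in reported.items()
                if addr_type == "loopback_ip" for a in addrs}
    return {
        "public_to_add": public - allow_list,
        "stale_allowed": allow_list - public,
        "loopback_covered": {a for a in loopback if ip_address(a) in subnet},
        "loopback_outside_subnet": {a for a in loopback if ip_address(a) not in subnet},
    }


# Constructed sample responses in the assumed layout. The 51.1.1.x and
# 172.16.0.x values are the page's example addresses after the Seoul scaling
# event; 52.1.1.1 and the zone names are made up.
SAMPLE_RESPONSES = {
    ("gpcs_gp_gw", "public_ip"):  # fwType for mobile user gateways is assumed
        json.dumps({"status": "success", "result": [
            {"zone": "ap-southeast", "addresses": ["51.1.1.1", "51.1.1.2"]},
            {"zone": "ap-northeast", "addresses": ["51.1.1.3", "51.1.1.4",
                                                    "51.1.1.5", "51.1.1.6"]}]}),
    ("gpcs_gp_gw", "loopback_ip"):  # addrType for loopbacks is assumed
        json.dumps({"status": "success", "result": [
            {"zone": "ap-southeast", "addresses": ["172.16.0.1"]},
            {"zone": "ap-northeast", "addresses": ["172.16.0.3"]}]}),
    ("gpcs_remote_network", "public_ip"):
        json.dumps({"status": "success", "result": [
            {"zone": "ap-southeast", "addresses": ["52.1.1.1"]}]}),
}


def demo() -> dict[str, set[str]]:
    """Allow list as it stood before the Seoul scaling event, plus one stale
    entry (51.1.1.99) left over from an earlier deployment."""
    reported = {key: parse_response(body) for key, body in SAMPLE_RESPONSES.items()}
    current = {"51.1.1.1", "51.1.1.2", "51.1.1.3", "51.1.1.4", "52.1.1.1", "51.1.1.99"}
    return reconcile(reported, current, "172.16.0.0/16")


if __name__ == "__main__":
    for key, addrs in sorted(demo().items()):
        print(f"{key}: {sorted(addrs)}")
```

Run as a script, the demo reports 51.1.1.5 and 51.1.1.6 as the public IPs to add, 51.1.1.99 as a stale entry to review, and both loopbacks as already covered by the whitelisted infrastructure subnet. Validating every address with ipaddress before it reaches a rule is deliberate: a mistyped or malformed entry in a notification should fail loudly, not become an allow rule.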
