Add a New Compute Location for a Deployed Prisma Access Location
Learn about how IP addresses change and how to use a new compute location for an existing location.
Where Can I Use This?
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
To optimize performance and improve latency, Prisma Access can introduce new compute locations for locations you have already deployed as part of a plugin upgrade. When you upgrade the plugin, the existing compute location-to-location mapping does not change, but you can choose to take advantage of the new compute location. If you change the compute location, Prisma Access changes the gateway and portal IP addresses (for mobile users) and Service IP addresses (for remote networks) for the location or locations to which the new compute location is associated. If you use allow lists in your network to provide users access to internet resources such as SaaS applications or publicly accessible partner applications, you need to add these new IP addresses to your allow lists.
To upgrade to a new compute location after it becomes available, complete the following task.
Since you need to allow time to delete and add the existing location and change your allow lists (for mobile users) or peer IPSec tunnel IP address (for remote network deployments), Palo Alto Networks recommends that you schedule a compute location change during a maintenance window or during off-peak hours.
To reduce downtime for mobile user deployments, use the API to pre-allocate the new mobile user gateway and portal IP addresses before you perform these steps.
  1. Add bandwidth for the new remote network compute locations.
    1. (Remote Network deployments that allocate remote network bandwidth by compute locations only) Select Panorama > Cloud Services > Configuration > Remote Networks.
    2. Click the gear icon in the Bandwidth Allocation area and add Bandwidth Allocation (Mbps) for the new compute location.
    3. Wait for the bandwidth to be reflected in the Allocated Total field at the top of the page; then, click OK.
  2. (Mobile User deployments only) Retrieve the new gateway and portal IP addresses using the API script and add them to your allow lists.
  3. Delete the Service Connection, Remote Network connection, or Mobile User location associated with the new compute location.
  4. Commit and push your changes.
  5. Re-add the locations you just deleted.
  6. Commit and push your changes.
  7. (Remote Network and Service Connection deployments only) Change your CPE to point to the new IP addresses for the IPSec tunnel for the remote network connection or service connection.
    For remote network connections, select Panorama > Cloud Services > Status > Network Details > Remote Networks, make a note of the Service IP Address, and configure the new Service IP Address as the peer address for the remote network IPSec tunnel on your CPE.
    For service connections, select Panorama > Cloud Services > Status > Network Details > Service Connection, make a note of the Service IP Address, and configure the new Service IP Address as the peer address for the service connection IPSec tunnel on your CPE.
  8. Select Panorama > Cloud Services > Status > Network Details > Remote Networks, make a note of the Service IP Address, and configure the new Service IP Address as the peer address for the remote network IPSec tunnel on your CPE.
    When you delete and re-add a remote network connection, the IP address of the IPSec tunnel on the Prisma Access side changes.
  9. (Mobile User Deployments Only) After a location is remapped, retrieve the new Gateway FQDN and add it to your SAML provider's authentication configuration.
    If a mobile users location is remapped, the gateway FQDN might change after the infrastructure upgrade that causes the remapping, which could cause issues with SAML authentication. To find the gateway name:
    • In Prisma Access (Managed by Strata Cloud Manager), select Settings > Prisma Access Setup > GlobalProtect Setup > Infrastructure Settings, click the gear to view the Infrastructure Settings, and copy the renamed gateway in the Gateway FQDNs area.
      If you're using Strata Cloud Manager, select Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect Setup > Infrastructure > Infrastructure Settings, click the gear to view the Infrastructure Settings, and copy the renamed gateway in the Gateway FQDNs area.
    • In Prisma Access (Managed by Panorama), select Panorama > Cloud Services > Status > Network Details > Mobile Users—GlobalProtect and copy the renamed gateway in the Gateways area.
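
For step 2, a pre-change check that every new gateway and portal address is already covered by your allow list before you delete the location. This is an added example, not part of the Palo Alto Networks documentation or the API script; the function name, the input layout, and all addresses are constructed for illustration, and the new addresses are assumed to be copied in from the API script output.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not real Prisma Access IPs).
# Assumption: NEW_ADDRESSES is filled in by hand from the API script output.
NEW_ADDRESSES = {
    "gateway": ["198.51.100.10", "198.51.100.77", "2001:db8::10"],
    "portal": ["203.0.113.5"],
}
# Assumption: the allow list is exported as one address or CIDR per entry.
ALLOW_LIST = ["198.51.100.0/28", "203.0.113.5/32", "192.0.2.44", "not-an-ip"]


def check_allow_list(new_addresses, allow_list):
    """Return (missing, invalid).

    missing: {role: [new addresses that no allow-list entry covers]}
    invalid: allow-list entries that are not an IP address or CIDR block
    """
    networks, invalid = [], []
    for entry in allow_list:
        try:
            # strict=False also accepts host-style entries such as 198.51.100.7/28
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            invalid.append(entry)

    missing = {}
    for role, addresses in new_addresses.items():
        for raw in addresses:
            addr = ipaddress.ip_address(raw.strip())
            # Only compare like with like: an IPv4 entry never covers an IPv6 address.
            covered = any(addr.version == net.version and addr in net for net in networks)
            if not covered:
                missing.setdefault(role, []).append(str(addr))
    return missing, invalid


if __name__ == "__main__":
    missing, invalid = check_allow_list(NEW_ADDRESSES, ALLOW_LIST)
    for role, addrs in missing.items():
        print(f"add to allow list ({role}): {', '.join(addrs)}")
    for entry in invalid:
        print(f"unparseable allow-list entry: {entry!r}")
```

An empty `missing` result means the allow list already covers the new addresses and the location can be deleted and re-added in the maintenance window.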
