Add a New Compute Location for a Deployed Prisma Access Location

Learn about how IP addresses change and how to use a new compute location for an existing location.
Where Can I Use This?
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
To optimize performance and improve latency, Prisma Access can introduce new compute locations for locations you have already deployed as part of a plugin upgrade. When you upgrade the plugin, the existing compute location-to-location mapping does not change, but you can choose to take advantage of the new compute location. If you change the compute location, Prisma Access changes the gateway and portal IP addresses (for mobile users) and service IP addresses (for remote networks) for the location or locations to which the new compute location is associated. If you use allow lists in your network to provide users access to internet resources such as SaaS applications or publicly accessible partner applications, you need to add these new IP addresses to your allow lists.
To upgrade to a new compute location after it becomes available, complete the following task.
Since you need to allow time to delete and add the existing location and change your allow lists (for mobile users) or peer IPSec tunnel IP address (for remote network deployments), Palo Alto Networks recommends that you schedule a compute location change during a maintenance window or during off-peak hours.
To reduce downtime for mobile user deployments, use the API to pre-allocate the new mobile user gateway and portal IP addresses before you perform these steps.
  1. Add bandwidth for the new remote network compute locations.
    1. (Remote Network deployments that allocate remote network bandwidth by compute locations only) Select Panorama > Cloud Services > Configuration > Remote Networks.
    2. Click the gear icon in the Bandwidth Allocation area and add Bandwidth Allocation (Mbps) for the new compute location.
    3. Wait for the bandwidth to be reflected in the Allocated Total field at the top of the page; then, click OK.
  2. (Mobile User deployments only) Retrieve the new gateway and portal IP addresses using the API script and add them to your allow lists.
  3. Delete the Service Connection, Remote Network connection, or Mobile User location associated with the new compute location.
  4. Commit and push your changes.
  5. Re-add the locations you just deleted.
  6. Commit and push your changes.
  7. (Remote Network and Service Connection deployments only) Change your CPE to point to the new IP addresses for the IPSec tunnel for the remote network connection or service connection.
    For remote network connections, select Panorama > Cloud Services > Status > Network Details > Remote Networks, make a note of the Service IP Address, and configure the new Service IP Address as the peer address for the remote network IPSec tunnel on your CPE.
    For service connections, select Panorama > Cloud Services > Status > Network Details > Service Connection, make a note of the Service IP Address, and configure the new Service IP Address as the peer IP address for the service connection IPSec tunnel on your CPE.
  8. Select Panorama > Cloud Services > Status > Network Details > Remote Networks, make a note of the Service IP Address, and configure the new Service IP Address as the peer address for the remote network IPSec tunnel on your CPE.
    When you delete and re-add a remote network connection, the IP address of the IPSec tunnel on the Prisma Access side changes.
  9. (Mobile User Deployments Only) After a location is remapped, retrieve the new Gateway FQDN and add it to your SAML provider's authentication configuration.
    If a mobile users location is remapped, the gateway FQDN might change after the infrastructure upgrade that causes the remapping, which could cause issues with SAML authentication. To find the gateway name:
    • In Prisma Access (Managed by Strata Cloud Manager), select Settings > Prisma Access Setup > GlobalProtect Setup > Infrastructure Settings, click the gear to view the Infrastructure Settings, and copy the renamed gateway in the Gateway FQDNs area.
      If you're using Strata Cloud Manager, select Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect Setup > Infrastructure > Infrastructure Settings, click the gear to view the Infrastructure Settings, and copy the renamed gateway in the Gateway FQDNs area.
    • In Prisma Access (Managed by Panorama), select Panorama > Cloud Services > Status > Network Details > Mobile Users—GlobalProtect and copy the renamed gateway in the Gateways area.
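
For step 2, one way to check which retrieved gateway and portal addresses are still missing from an allow list before you delete the location. This is an added example, not a Palo Alto Networks script: the JSON field names (`result`, `zone`, `address_details`, `address`, `serviceType`, `addressType`), the location name, and all addresses are constructed assumptions, so adapt the parsing to the response your API script actually returns.

```python
import ipaddress
import json

# Constructed sample shaped like an IP-retrieval response. Field names are
# assumptions; addresses are documentation ranges, not real Prisma Access IPs.
SAMPLE_RESPONSE = """
{"result": [
  {"zone": "example-location-1",
   "address_details": [
     {"address": "198.51.100.10", "serviceType": "gp_gateway", "addressType": "active"},
     {"address": "203.0.113.25", "serviceType": "gp_gateway", "addressType": "reserved"},
     {"address": "203.0.113.77", "serviceType": "gp_portal", "addressType": "reserved"}]}
]}
"""

# Constructed allow list as exported from a SaaS or partner access policy.
CURRENT_ALLOW_LIST = ["198.51.100.0/28", "203.0.113.25/32", "not-an-ip"]


def parse_allow_list(entries):
    """Return (networks, rejected) so malformed entries are surfaced, not hidden."""
    networks, rejected = [], []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            rejected.append(entry)
    return networks, rejected


def missing_addresses(response_text, allow_list):
    """Map each location to the addresses that no allow-list network covers."""
    networks, rejected = parse_allow_list(allow_list)
    missing = {}
    for zone in json.loads(response_text).get("result", []):
        for detail in zone.get("address_details", []):
            addr = ipaddress.ip_address(detail["address"])
            if not any(addr.version == n.version and addr in n for n in networks):
                missing.setdefault(zone["zone"], []).append(
                    (str(addr), detail["serviceType"], detail["addressType"]))
    return missing, rejected

if __name__ == "__main__":
    gaps, bad = missing_addresses(SAMPLE_RESPONSE, CURRENT_ALLOW_LIST)
    for location, rows in gaps.items():
        for address, service, state in rows:
            print(f"ADD {address}/32  # {location} {service} ({state})")
    for entry in bad:
        print(f"REVIEW malformed allow-list entry: {entry!r}")
```

Coverage is tested by network containment rather than string comparison, so an address already inside a broader allow-list range is not reported as missing.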