Static IP Address Allocation for Mobile Users—GlobalProtect Deployments

Learn about the benefits of using a static IP address for mobile users in a Mobile Users—GlobalProtect deployment.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access 5.1 Innovation
  • Minimum GlobalProtect version of 6.1.4
To enable this functionality, reach out to your Palo Alto Networks account representative or partner.
Some legacy networks use IP address-based authorization to restrict users’ access to internal or external resources. A Prisma Access Mobile Users—GlobalProtect deployment assigns users an IP address from the mobile users IP address pool you assign during onboarding, and this user-to-IP address mapping can change in subsequent logins. To retain user-to-IP address mapping, Prisma Access allows you to assign static IP addresses to users.
To create an IP mapping, first create an IP address pool, and then associate it with:
  • A Theater—Allocate IP addresses based on the theater your users are in. For example, you can create a /30 subnet for a specific theater. These IP addresses are static for that theater. You can apply access to resources based on theater by creating security policy rules using the IP addresses you specify for that theater.
  • A User—Configure a /32 address in the mobile user IP address pool, and use match criteria to associate that user with an IP address. In this way, you assign a static IP address that Prisma Access retains for a specific user, allowing you to keep your current IP address-based security policy rules to control a user's access to resources.
Use the following guidelines when allocating static IP addresses:
  • If you specify multiple IP pools, Prisma Access evaluates the rules from top to bottom and assigns an IP address based on the first rule that matches. For example, when a user in Europe logs in to GlobalProtect, Prisma Access evaluates the rules in order: if the user does not match the Any (Worldwide) rule with the /32 subnet, Prisma Access assigns the user an IP address from one of the /24 subnets specified in the Africa, Europe & Middle East IP address pool.
  • You must integrate your Prisma Access deployment with the Cloud Identity Engine.
  • Up to 7,000 IP address pool profiles are supported per tenant.
  • The supported prefix length is between /24 and /32.
  • For each Mobile User Client IP Pool profile you create:
    • Up to 10 IP prefixes are supported.
    • Up to 256 users are supported.
  • Static IP addressing uses a Lease Period and a Grace Period to specify how long Prisma Access keeps a user-to-IP address association.
    • The Lease Period is the amount of time the user-to-IP address mapping is valid after you allocate it.
      The default lease period is 86400 seconds (one day).
      The minimum lease period is 3600 seconds (one hour).
      The maximum lease period is 7776000 seconds (90 days).
    • The Grace Period is the amount of time that, after a lease period expires, Prisma Access retains that user-to-IP address mapping without assigning it to another user.
      The default grace period is 14400 seconds (4 hours).
      The minimum grace period is 60 seconds.
      The maximum grace period is 7776000 seconds (90 days).
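As an added illustration (not Prisma Access code), the following Python simulation models the guidelines above: top-to-bottom rule evaluation with first match wins, theater and user match criteria, the /24 to /32 prefix and per-pool limits, and the lease plus grace period during which a user-to-IP mapping is retained. Pool names, users and addresses are constructed sample values, and the renewal behaviour on re-login is an assumption of this model.

```python
from dataclasses import dataclass
from ipaddress import ip_network

ANY_THEATER = "Any (Worldwide)"

@dataclass
class Pool:
    name: str
    theater: str          # ANY_THEATER or a specific theater
    users: frozenset      # empty set: any user who logs in to the theater
    prefixes: tuple       # CIDR strings, /24 to /32
    lease: int = 86400    # lease period in seconds (default one day)
    grace: int = 14400    # grace period in seconds (default four hours)
    def matches(self, user, theater):
        return self.theater in (ANY_THEATER, theater) and (not self.users or user in self.users)

def validate(pool):
    # Return the guideline violations for one pool (empty list means OK)
    errors = []
    if len(pool.prefixes) > 10: errors.append("more than 10 IP prefixes")
    if len(pool.users) > 256: errors.append("more than 256 users")
    if not 3600 <= pool.lease <= 7776000: errors.append("lease period out of range")
    if not 60 <= pool.grace <= 7776000: errors.append("grace period out of range")
    errors += [f"{p}: prefix length outside /24-/32" for p in pool.prefixes
               if not 24 <= ip_network(p, strict=False).prefixlen <= 32]
    return errors

def usable_hosts(net):
    # /31 and /32 carry no separate network or broadcast address
    return list(net) if net.prefixlen >= 31 else list(net.hosts())

class Allocator:
    def __init__(self, pools):
        self.pools, self.leases = list(pools), {}  # leases: ip -> (user, pool, free_after)

    def allocate(self, user, theater, now):
        # Rules are evaluated top to bottom; the first matching pool wins
        pool = next((p for p in self.pools if p.matches(user, theater)), None)
        if pool is None:
            return None
        # A mapping still inside its lease or grace period is retained and renewed (assumed)
        for ip, (holder, held_pool, free_after) in self.leases.items():
            if holder == user and held_pool is pool and now <= free_after:
                self.leases[ip] = (user, pool, now + pool.lease + pool.grace)
                return ip
        # Otherwise hand out the first address not held by an unexpired mapping
        for prefix in pool.prefixes:
            for ip in map(str, usable_hosts(ip_network(prefix, strict=False))):
                if ip not in self.leases or now > self.leases[ip][2]:
                    self.leases[ip] = (user, pool, now + pool.lease + pool.grace)
                    return ip
        return None  # every address in the pool is held
```

Once the lease and grace periods have both elapsed, the model reuses the address for whichever user next matches the pool, which is why a user who must keep one address needs a dedicated /32 rule.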

Configure Static IP Address Allocation

To configure static IP address allocation in a deployment, complete these steps.
  1. Go to Workflows > Prisma Access Setup > GlobalProtect and click the gear to highlight the Infrastructure Settings.
  2. Add a Client IP Pool for the static IP addresses.
  3. (Optional) Assign a static IP address to a user.
    1. Give the IP address pool a unique Name.
    2. Select Any of the Theatres to give a user access to all Prisma Access theaters, or, to restrict a single user to a specific theater, select that theater from the drop-down.
    3. Select a user from the list of Users.
    4. In the IP Pools area, enter a pool with a prefix of /32.
      This is the IP address that Prisma Access assigns to the user.
    5. (Optional) Enter a Lease Period and a Grace Period for the user-to-IP address mapping.
    6. Save your changes.
  4. (Optional) Create an IP address pool based on a theater and, optionally, users.
    You can create these types of IP address and user-based pools:
    • Enter a theater and don't specify a user. In this case, Prisma Access provides an IP address to any GlobalProtect user who logs in to that theater.
    • Enter a theater of Any (Worldwide) and enter specific users to match the IP address pool you specify. In this case, Prisma Access provides an IP address to any user who matches the users in the list.
    • Enter a specific theater and enter specific users to match the IP address pool you specify. In this case, Prisma Access provides an IP address to any user who logs in from that theater and matches the users in the list.
    1. Give the IP address pool a unique Name.
    2. Select the theater to which you want to restrict access, or select Any (Worldwide) to match users from all theaters.
    3. (Optional) Select one or more users from the list of Users.
    4. Add one or more IP Pools with a prefix between /24 and /32.
      These are the addresses that Prisma Access assigns to the user and theater. Since a /32 would provide only one IP address, we recommend a minimum subnet of /30.
    5. If you assigned one or more users to the IP Address pool, assign a Lease Period and a Grace Period for the user-to-IP address mapping.
      Enter the time in seconds. The Lease Period is the amount of time the user-to-IP address mapping is valid after you allocate it.
      • The default lease period is 86400 seconds (one day).
      • The minimum lease period is 3600 seconds (one hour).
      • The maximum lease period is 7776000 seconds (90 days).
      The Grace Period is the amount of time that, after a lease period expires, Prisma Access retains that address without assigning it to another user.
        • The default grace period is 14400 seconds (4 hours).
        • The minimum grace period is 60 seconds.
        • The maximum grace period is 7776000 seconds (90 days).
    6. Save your changes and Push the configuration changes.
  5. Verify your changes by going to GlobalProtect > Settings on the client machine, viewing the Tunnel Statistics, and verifying the Assigned IP Address(es).