Static IP Address Allocation for Mobile Users—GlobalProtect Deployments

Learn about the benefits of using a static IP address for mobile users in a Mobile Users—GlobalProtect deployment.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
  • Prisma Access version 5.2.1
  • PAN-OS dataplane version of 11.2.4
    Includes Activity Insights support
  • GlobalProtect version of 6.1.4
This is a Limited Availability release. To activate this functionality, reach out to your Palo Alto Networks account representative after activating the tenant.
Some legacy networks use IP address-based authorization to restrict users’ access to internal or external resources. A Prisma Access Mobile Users—GlobalProtect deployment assigns users an IP address from the mobile users IP address pool you assign during onboarding, and this user-to-IP address mapping can change in subsequent logins. To retain user-to-IP address mapping, Prisma Access allows you to assign static IP addresses to users.
This functionality is available for new Prisma Access deployments only.
To create an IP Pool Profile, use one or more of these criteria:
  • A Theater—Allocate IP addresses based on the theater your users are in. For example, you can create a /30 subnet for a specific theater. These IP addresses are static for that theater. You can apply access to resources based on theater by creating Security policy rules using the IP addresses you specify for that theater.
  • A User—Allocate IP addresses based on a User-ID by configuring a /30 or /32 address in the mobile user IP address pool, and using match criteria to associate that user with an IP address. In this way, you assign a static IP address that Prisma Access retains for a specific user, allowing you to keep your current IP address-based Security policy rules to control a user's access to resources.
Use the following guidelines when allocating static IP addresses:
  • If you specify multiple IP pools, Prisma Access evaluates the rules from top to bottom and assigns IP addresses based on the first match in the list of rules.
  • Integrate your Prisma Access deployment with the Cloud Identity Engine if you want to use User-ID or User-Group as criteria to match IP pools.
  • The following maximum allocations are supported per tenant:
    • 20,000 users
    • 5,000 user groups with 50,000 users per user group
    • 10,000 IP address pool profiles
    • 10,000 IP address pools
  • Enter a prefix length between /23 and /32.
  • For each Mobile User Client IP Pool profile you create:
    • Up to 10 IP prefixes are supported.
    • Up to 256 users are supported.
  • Static IP addressing uses a Lease Period and a Grace Period to specify how long Prisma Access keeps a user-to-IP address association.
    • The Lease Period is the amount of time the user-to-IP address mapping is valid after you allocate it.
      The default lease period is 86400 seconds (24 hours).
      The minimum lease period is 3600 seconds (1 hour).
      The maximum lease period is 7776000 seconds (90 days).
    • The Grace Period is the amount of time that, after a lease period expires, Prisma Access retains that user-to-IP address mapping without assigning it to another user.
      The default grace period is 14400 seconds (4 hours).
      The minimum grace period is 60 seconds.
      The maximum grace period is 7776000 seconds (90 days).
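As an added illustration of the allocation rules above (top-to-bottom first-match evaluation, the prefix-length and prefix-count limits, and the lease and grace periods), here is a small Python model. It is not Prisma Access code: the profile names, users and theaters are constructed, and the choice to renew a returning user's lease is the model's own assumption.

```python
import ipaddress
from dataclasses import dataclass

LEASE_DEFAULT, LEASE_MIN, LEASE_MAX = 86400, 3600, 7776000  # seconds, per the guidelines
GRACE_DEFAULT, GRACE_MIN, GRACE_MAX = 14400, 60, 7776000    # seconds, per the guidelines

@dataclass
class PoolProfile:
    name: str
    theaters: set      # {"Any"} or specific theater names
    users: set         # {"Any"} or specific User-IDs
    prefixes: list     # 1 to 10 prefixes, each between /23 and /32
    lease: int = LEASE_DEFAULT
    grace: int = GRACE_DEFAULT

    def __post_init__(self):
        self.nets = [ipaddress.ip_network(p) for p in self.prefixes]
        if not 1 <= len(self.nets) <= 10 or any(not 23 <= n.prefixlen <= 32 for n in self.nets):
            raise ValueError("1 to 10 prefixes per profile, each between /23 and /32")
        if not (LEASE_MIN <= self.lease <= LEASE_MAX and GRACE_MIN <= self.grace <= GRACE_MAX):
            raise ValueError("lease or grace period out of range")

    def matches(self, user, theater):
        return ("Any" in self.users or user in self.users) and \
               ("Any" in self.theaters or theater in self.theaters)

    def addresses(self):
        for n in self.nets:  # /31 and /32 have no network/broadcast address to skip
            yield from (list(n) if n.prefixlen >= 31 else n.hosts())

class Allocator:
    def __init__(self, profiles):
        self.profiles = list(profiles)  # ordered top to bottom, as in the UI
        self.leases = {}                # ip -> (user, profile, reserved_until)

    def allocate(self, user, theater, now):
        # A mapping is released only once both the lease and the grace period have elapsed
        self.leases = {ip: v for ip, v in self.leases.items() if v[2] > now}
        profile = next((p for p in self.profiles if p.matches(user, theater)), None)  # first match wins
        if profile is None:
            return None  # no static pool applies to this user/theater
        until = now + profile.lease + profile.grace
        for ip, (owner, prof, _) in self.leases.items():  # returning user keeps its address
            if owner == user and prof is profile:
                self.leases[ip] = (user, profile, until)  # lease renewal is an assumption
                return str(ip)
        for ip in profile.addresses():
            if ip not in self.leases:
                self.leases[ip] = (user, profile, until)
                return str(ip)
        return None  # every address in the profile is leased or in its grace period
```

Because an address stays reserved through the grace period, an IP-based Security policy rule keyed to that address cannot accidentally admit a second user until both periods have elapsed.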

Configure Static IP Address Allocation

To configure a static IP address allocation in a deployment, complete these steps.
  1. Go to Workflows > Prisma Access Setup > GlobalProtect and click the gear to highlight the Infrastructure Settings.
  2. In the Client IP Pool area, Add IP Pool for the static IP addresses.
  3. Assign a static IP address to a Prisma Access theater or user.
    1. Give the IP address pool a unique Name.
    2. Select one or more of the Theatres to allow the pool to be used in those theaters, or select Any to allow the pool to be used in all theaters.
    3. Select a user, or select Any to allow the pool to be used for any user.
      • To assign one or more users to an IP address pool, select the user in the Users tab.
    4. In the IP Pools area, enter an IP address pool.
      To limit a user to a single IP address, specify a /30 or /32 IP address; Prisma Access assigns the user to that address. Since a /32 would provide only one IP address, we recommend a minimum subnet of /30 and restricting the user to that subnet.
    5. (Optional) Enter a Lease Period and a Grace Period for the user-to-IP address mapping.
    6. Save your changes.
  4. Verify your changes by going to GlobalProtect > Settings on the client machine, viewing the Tunnel Statistics, and verifying the Assigned IP Address(es).