Prisma Access
Static IP Address Allocation for Mobile Users—GlobalProtect Deployments
Learn about the benefits of using a static IP address for mobile users in a Mobile Users—GlobalProtect deployment.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | To enable this functionality, reach out to your Palo Alto Networks account representative or partner. |
Some legacy networks use IP address-based authorization to restrict users’ access to internal or external resources. A Prisma Access Mobile Users—GlobalProtect deployment assigns users an IP address from the mobile users IP address pool you assign during onboarding, and this user-to-IP address mapping can change in subsequent logins. To retain the user-to-IP address mapping, Prisma Access allows you to assign static IP addresses to users. You can also allocate IP addresses based on theater as well as on users.
- Static IP Address Mapping for Users—By configuring a /32 address in the mobile user IP address pool, and using match criteria to associate that user with an IP address, you assign a static IP address that Prisma Access retains for a specific user, allowing you to keep your current IP address-based security policy rules to control a user's access to resources.
- Theater-Based IP Address Mapping—You can also allocate IP addresses based on the theater your users are in. For example, you can create a /30 subnet for a specific theater. These IP addresses are static for that theater. You can apply access to resources based on theater by creating security policy rules using the IP addresses you specify for that theater.
Use the following guidelines when allocating static IP addresses:
- If you specify multiple IP pools, Prisma Access evaluates the rules from top to bottom (similar to security policy rule processing) and assigns IP addresses based on the first match in the list of rules. For example, given a user in Europe who logs in to GlobalProtect, Prisma Access evaluates the processing rules. If the user does not match the Any (Worldwide) rule with the /32 subnet, Prisma Access assigns the user an IP address from one of the /24 subnets specified in the Africa, Europe & Middle East IP address pool.
- You must integrate your Prisma Access deployment with the Cloud Identity Engine.
- Up to 7,000 IP address pool profiles are supported per tenant.
- The supported prefix length is between /24 and /32.
- For each Mobile User Client IP Pool profile you create:
  - Up to 10 IP prefixes are supported.
  - Up to 256 users are supported.
- Static IP addressing uses a Lease Period and a Grace Period to specify how long Prisma Access keeps a user-to-IP address association.
  - The Lease Period is the amount of time the user-to-IP address mapping is valid after you allocate it. The default lease period is 86400 seconds (one day). The minimum lease period is 3600 seconds (one hour). The maximum lease period is 7776000 seconds (90 days).
  - The Grace Period is the amount of time that, after a lease period expires, Prisma Access retains that user-to-IP address mapping without assigning it to another user. The default grace period is 14400 seconds (4 hours). The minimum grace period is 60 seconds. The maximum grace period is 7776000 seconds (90 days).
Configure Static IP Address Allocation
To configure static IP address allocation in a Mobile Users—GlobalProtect deployment, complete these steps.
- Go to Workflows > Prisma Access Setup > GlobalProtect and click the gear to highlight the Infrastructure Settings.
- Add a Client IP Pool for the static IP addresses.
- (Optional) Assign a static IP address to a user.
  - Give the IP address pool a unique Name.
  - Select Any of the Theatres to give a user access to all Prisma Access theaters; or, to restrict a single user to a specific theater, Select the theater from the drop-down.
  - Select a user from the list of Users.
  - In the IP Pools area, enter a pool with a prefix of /32. This is the IP address that Prisma Access assigns to the user.
  - (Optional) Enter a Lease Period and a Grace Period for the user-to-IP address mapping.
  - Save your changes.
- (Optional) Create an IP address pool based on a theater and, optionally, users. You can create these types of theater- and user-based pools:
  - Enter a theater and don't specify a user. In this case, Prisma Access provides an IP address to any GlobalProtect user who logs in to that theater.
  - Enter a theater of Any (Worldwide) and enter specific users to match the IP address pool you specify. In this case, Prisma Access provides an IP address to any user who matches the users in the list.
  - Enter a specific theater and enter specific users to match the IP address pool you specify. In this case, Prisma Access provides an IP address to any user who logs in from that theater and matches the users in the list.
  To create the pool:
  - Give the IP address pool a unique Name.
  - Select the theater to which you want to restrict access, or select Any (Worldwide) to match users from all theaters.
  - (Optional) Select one or more users from the list of Users.
  - Add one or more IP Pools with a prefix between /24 and /32. These are the addresses that Prisma Access assigns to the user and theater. Since a /32 would provide only one IP address, we recommend a minimum subnet of /30.
  - If you assigned one or more users to the IP address pool, assign a Lease Period and a Grace Period for the user-to-IP address mapping. Enter the time in seconds. The Lease Period is the amount of time the user-to-IP address mapping is valid after you allocate it.
    - The default lease period is 86400 seconds (one day).
    - The minimum lease period is 3600 seconds (one hour).
    - The maximum lease period is 7776000 seconds (90 days).
    The Grace Period is the amount of time that, after a lease period expires, Prisma Access retains that address without assigning it to another user.
    - The default grace period is 14400 seconds (4 hours).
    - The minimum grace period is 60 seconds.
    - The maximum grace period is 7776000 seconds (90 days).
- Save your changes and Push the configuration changes.
- Verify your changes by going to GlobalProtect > Settings on the client machine, viewing the Tunnel Statistics, and verifying the Assigned IP Address(es).
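As an added illustration (not Prisma Access code and not from this page's author), the following Python models the top-to-bottom first-match pool evaluation and the lease and grace period retention described in the guidelines above, and checks a Client IP Pool profile against the stated limits before it is used; the pool names, user names and sample addresses are constructed, and the field names are assumptions of this model rather than the product's own.

```python
import ipaddress
# Limits stated on this page (lease and grace periods are in seconds)
LEASE_RANGE, LEASE_DEFAULT = (3600, 7776000), 86400
GRACE_RANGE, GRACE_DEFAULT = (60, 7776000), 14400

SAMPLE_POOLS = [  # constructed sample: a /32 pinned to one user, then a /24 for one theater
    {"name": "alice-static", "theater": "Any (Worldwide)", "users": {"alice@example.com"}, "prefixes": ["10.10.0.5/32"]},
    {"name": "emea-pool", "theater": "Africa, Europe & Middle East", "prefixes": ["10.20.1.0/24"]},
]

def validate_pool(pool):
    """Check one Client IP Pool profile against the limits stated on this page."""
    if not 1 <= len(pool["prefixes"]) <= 10:
        raise ValueError("a profile supports 1 to 10 IP prefixes")
    if len(pool.get("users", ())) > 256:
        raise ValueError("a profile supports up to 256 users")
    for p in pool["prefixes"]:
        if not 24 <= ipaddress.ip_network(p).prefixlen <= 32:
            raise ValueError(f"{p}: supported prefix length is /24 to /32")
    for key, (lo, hi), default in (("lease", LEASE_RANGE, LEASE_DEFAULT), ("grace", GRACE_RANGE, GRACE_DEFAULT)):
        if not lo <= pool.get(key, default) <= hi:
            raise ValueError(f"{key} period must be {lo} to {hi} seconds")
    return True

class Allocator:
    def __init__(self, pools):
        self.pools = [p for p in pools if validate_pool(p)]  # keep the configured order
        self.leases = {}  # ip -> {"user", "pool", "end", "lease", "grace"}

    def assign(self, user, theater, now):
        # A user's mapping is retained until lease end + grace; reconnecting renews it
        for ip, rec in self.leases.items():
            if rec["user"] == user and now < rec["end"] + rec["grace"]:
                rec["end"] = now + rec["lease"]
                return rec["pool"], ip
        for pool in self.pools:  # first matching rule wins, like security policy processing
            if pool["theater"] not in ("Any (Worldwide)", theater):
                continue
            if pool.get("users") and user not in pool["users"]:
                continue
            lease, grace = pool.get("lease", LEASE_DEFAULT), pool.get("grace", GRACE_DEFAULT)
            for prefix in pool["prefixes"]:
                for addr in ipaddress.ip_network(prefix):
                    ip, rec = str(addr), self.leases.get(str(addr))
                    # Free if unused, or if the previous lease and its grace have both run out
                    if rec is None or now >= rec["end"] + rec["grace"]:
                        self.leases[ip] = {"user": user, "pool": pool["name"],
                                           "end": now + lease, "lease": lease, "grace": grace}
                        return pool["name"], ip
        return None, None  # no static rule matched: the regular mobile user pool applies
```

Walking a few logins through the sample pools shows a user outside every rule getting no static address, and an address only being handed to a second user once the first user's lease and grace period have both elapsed.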