Learn how to set up the Prisma Access infrastructure and create a service connection
to provide access to your internal data resources.
Where Can I Use This?
Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Panorama)
What Do I Need?
Prisma Access license
Use the following recommendations and requirements when adding an infrastructure
subnet:
Carefully select the infrastructure subnet you use. Changing it requires that you
reach out to your Palo Alto Networks account representative, who will contact
the Site Reliability Engineering (SRE) team and submit a request for the change.
A maintenance window is required. Changing the infrastructure subnet without a
maintenance window can result in a Prisma Access outage and inconsistent
feature behavior.
You can assign Prisma Access an infrastructure subnet from an existing supernet
in your organization’s IP address pool, but do not assign any of the IP
addresses from the infrastructure subnet for any other use in your existing
network.
The following example shows a Prisma Access infrastructure subnet, 10.10.1.0/24,
that you assigned from an existing supernet, 10.0.0.0/8. After you assign
10.10.1.0/24 as the infrastructure subnet, your organization cannot use any IP
addresses from that subnet. For example, you can assign 10.10.2.1 to an
endpoint, but 10.10.1.1 is not allowed because that IP address is part of the
infrastructure subnet.
If you create a new subnet for the infrastructure subnet, use a subnet that does
not overlap with other IP addresses you use internally.
(Recommended) Use an RFC 1918-compliant subnet. While the use of non-RFC
1918-compliant (public) IP addresses is supported, we don't recommend it
because of possible conflicts with internet public IP address space.
Do not specify any subnets that overlap with the following IP addresses and
subnets, because Prisma Access reserves those IP addresses and subnets for its
internal use.
169.254.0.0/16
100.64.0.0/10
The subnet cannot overlap with the IP address pools you plan to assign for your
mobile users deployment.
Because the service infrastructure can be very large, you must designate a /24
subnet at a minimum.
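
The checks listed above can be run against an IP plan before you commit to a subnet. The following is an added example, not Palo Alto Networks code; the function names, the in-use subnet 10.10.2.0/24, and the mobile users pool 10.20.0.0/16 are assumptions made for illustration.

```python
import ipaddress

# Ranges the page lists as reserved by Prisma Access for internal use.
RESERVED = [ipaddress.IPv4Network(n) for n in ("169.254.0.0/16", "100.64.0.0/10")]
# RFC 1918 private ranges (recommended by the page, not required).
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_infra_subnet(candidate, in_use=(), mobile_user_pools=()):
    """Return (errors, warnings) for a proposed infrastructure subnet.

    in_use and mobile_user_pools are CIDR strings from your own IP plan.
    """
    errors, warnings = [], []
    try:
        # strict=True rejects values with host bits set, such as 10.10.1.1/24.
        net = ipaddress.IPv4Network(candidate, strict=True)
    except ValueError as exc:
        return [f"invalid subnet {candidate!r}: {exc}"], warnings
    if net.prefixlen > 24:
        errors.append(f"{net} is smaller than the /24 minimum")
    for label, pools in (
            ("reserved range", RESERVED),
            ("internally used subnet", map(ipaddress.IPv4Network, in_use)),
            ("mobile users pool", map(ipaddress.IPv4Network, mobile_user_pools))):
        for other in pools:
            if net.overlaps(other):
                errors.append(f"{net} overlaps {label} {other}")
    if not any(net.subnet_of(p) for p in RFC1918):
        warnings.append(f"{net} is not RFC 1918 address space")
    return errors, warnings


def endpoint_ip_allowed(ip, infra_subnet):
    """True if ip lies outside the infrastructure subnet and may be assigned."""
    return ipaddress.IPv4Address(ip) not in ipaddress.IPv4Network(infra_subnet)


if __name__ == "__main__":
    # Constructed IP plan; only 10.10.1.0/24 comes from the page's example.
    plan = dict(in_use=["10.10.2.0/24"], mobile_user_pools=["10.20.0.0/16"])
    for cand in ("10.10.1.0/24", "10.10.1.0/25", "100.64.10.0/24", "10.20.5.0/24"):
        print(cand, check_infra_subnet(cand, **plan))
```

Pass only the subnets that are actually allocated in `in_use`, not the parent supernet, because the infrastructure subnet is expected to sit inside that supernet.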