Focus

Prisma Access

Retrieve the IP Addresses for Prisma Access

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Release Notes
Select a Document
- 6.1 Preferred and Innovation
- 6.0 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
Activation & Onboarding
Administration
Select a Document
- 4.0 & Later
- Prisma Access China
Integrations
Incidents & Alerts

Remote Networks: Service Endpoint Address and Egress IP Address Allocation

API Examples for Retrieving Prisma Access IP Addresses

Retrieve the IP Addresses for Prisma Access

Learn about the infrastructure IP addresses that are used with Prisma Access and how to retrieve them using the API command.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama)	Prisma Access license

If you are manually adding IP addresses of your Prisma Access infrastructure to an allow list in your network, or if you're using an automation script to enforce IP-based restrictions to limit inbound access to enterprise applications, you should understand what these addresses do and why you need to allow them, as well as the tasks you perform to retrieve them.

Prisma Access does not provision these IP addresses until after you complete your Prisma Access configuration. After your deployment is complete, you retrieve these IP addresses using an API script. The API script uses an API key that you obtain from the Prisma Access UI and a .txt file you create which specifies the addresses you want to retrieve.

While you don't perform these tasks until after you complete your Prisma Access configuration, it's useful to understand these concepts in advance, so you understand what to do after your deployment is complete.

Retrieving IP addresses for Mobile Users—GlobalProtect Deployments: If you have a Mobile Users—GlobalProtect deployment:

You can retrieve the public IP addresses using the Prisma Access UI instead of using the API.
If you have IPv6 enabled for your deployment, Prisma Access allocates an IPv6 subnet and uses addresses in that subnet for autoscale events instead of specific IPv6 addresses.

The public IP addresses are unique and not shared with any other Prisma Access deployment. If an IP address allocated to you by Palo Alto Networks remains unused for six months, it will be reclaimed. This includes IP addresses that were activated and then deactivated, and have remained deactivated for six months. For instance, if public IP addresses were allocated to your tenant for a specific location and that location was not enabled for six months, Prisma Access may reclaim those IP addresses. Similarly, if you onboarded and then deboarded a mobile user location, Palo Alto Networks can reclaim the IP address used for that location six months after deboarding.

Retrieve the IP Addresses for Prisma Access (Strata Cloud Manager)

Learn about the infrastructure IP addresses that are used with Prisma Access Strata Cloud Manager and how to retrieve them using the API command.

Prisma Access Infrastructure IP Addresses

The following table provides you with a list of the IP address that Prisma Access uses for each deployment type, along with the keyword you use when you run the API script to retrieve the IP addresses, and whether or not you need to add them to an allow list.

Deployment Type	IP Address Type	Description
Mobile User	Prisma Access gateway (gp_gateway)	Retrieves the gateway IP addresses. Add both gateway and portal IP addresses to allow lists for your mobile user deployments. Mobile users connect to a Prisma Access gateway to access internal or internet resources, such as SaaS or public applications, for which you have provided access.
	Prisma Access portal (gp_portal)	Retrieves the portal IP addresses. Add both gateway and portal IP addresses to allow lists for your mobile user deployments. Mobile users log in to the Prisma Access portal to receive their initial configuration and gateway location.
	Network Load Balancer (network_load_balancer)	ingress IP addresses (IP Optimization deployments only).
	Loopback IP addresses	This address is the source IP address used by Prisma Access for requests made to an internal source, and is assigned from the infrastructure. Add the loopback IP address to an allow list in your network to give Prisma Access to internal resources such as RADIUS or Active Directory authentication servers. Palo Alto Networks recommends that you allow all the IP addresses of the entire infrastructure subnet in your network, because loopback addresses for mobile users can change.
Mobile Users—Explicit Proxy	Authentication Cache Service (ACS)	The address for the Prisma Access service that stores the authentication state of the explicit proxy users. This address is only used for Mobile User (Explicit Proxy) deployments.
Mobile Users—Explicit Proxy	Network Load Balancer	The address that Prisma Access uses for the network load balancer.
Remote Network	Remote Network IP addresses (remote_network)	Includes Service IP Addresses that Prisma Access assigns for the Prisma Access remote network connection, and egress IP addresses that Prisma Access uses to make sure that remote network users get the correct default language for their region. Add these addresses to allow lists in your network to give Prisma Access to internet resources.
Remote Network	Loopback IP addresses	This is the source IP address used by Prisma Access for requests made to an internal source, and is assigned from the infrastructure subnet. Add the loopback IP address to an allow list to give Prisma Access to internal resources such as RADIUS or Active Directory authentication servers.

Run the API Script Used to Retrieve IP Addresses

Use the following steps to retrieve the IP addresses that Prisma Access uses in its infrastructure.

This command does not retrieve loopback addresses; to retrieve loopback IP addresses, use the legacy API command.

Get the API key.
You need this key to authenticate to Prisma Access and retrieve the list of IP addresses using the API command.
1. Go to Prisma Access (Managed by Strata Cloud Manager), and select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessPrisma Access InfrastructureInfrastructure Settings.
2. Select Generate New API Key.
  
  If you have already generated an API key, the current key displays. If you have not yet generated a key or want to replace the existing key to meet audit or compliance check for key rotation, click Generate New API Key for a new key.

Create a .txt file and put the API command options in the file.

Using the API the command to use is a two-step process. First, you create a .txt file, specifying the parameters for the IP addresses to retrieve, and save the file in a folder that is reachable from the location where you run the command. Then, you run the API and specify the name and location of the .txt file you created in the command.

Specify the following keywords and arguments in the .txt file. The examples in this topic use a filename of option.txt but you can specify any filename, as long as you reference it in the command.

Argument	Possible Choices (Keywords)	Comments
serviceType	all remote_network gp_gateway gp_portal swg_proxy rbi	all—Retrieves IP addresses you need to add to an allow list for all service types (Remote Networks, Mobile Users (both gateways and portals), and Clean Pipe, as applicable to your deployment). remote_network—Retrieves IP addresses you need to add to an allow list for remote network deployments. gp_gateway—Retrieves the gateway IP addresses you need to add to an allow list for mobile user deployments. gp_portal —Retrieves the portal IP addresses you need to add to an allow list for mobile user deployments. swg_proxy—Retrieves the egress IP addresses for each deployed Explicit Proxy location and the authentication cache service (ACS). rbi—Retrieves the egress IP addresses you need to add to an allow list for Remote Browser Isolation (RBI) deployments to connect to SaaS Applications.
addrType	all active service_ip auth_cache_service network_load_balancer	all or active—Retrieves all the IP addresses you need to add to an allow list. This API does not retrieve loopback IP addresses. To retrieve loopback IP addresses, use the legacy API command. service_ip—Retrieves the Service IP Address, which you use as the peer IP address when you set up the IPSec tunnel for the remote network connection. auth_cache_service—Retrieves the IP address for the explicit proxy ACS (applicable to Mobile Users—Explicit Proxy deployments only). network_load_balancer—Retrieves the IP addresses for the network load balancer (deployments with IP Optimization enabled only). If you have implemented IP Optimization, be sure you review the allow listing considerations and how to implement the gp_gateway and network_load_balancer IP addresses in your deployment.
actionType	pre_allocate	`Mobile User deployments only`—An actionType of pre_allocate allows you to retrieve IP addresses or subnets for Prisma Access gateways and portals for mobile user deployments. Use this with a serviceType of gp_gateway to retrieve pre-allocated gateway IP addresses and a serviceType of gp_portal to retrieve preallocated gateway IP addresses. Retrieving the preallocated IP addresses lets you add the gateway and portal IP addresses to your organization’s allow lists before you onboard mobile user locations, which in turn gives mobile users access to external SaaS apps immediately after you onboard the locations.
location	all deployed	all—Retrieves the IP addresses from all locations. For mobile user deployments, this keyword retrieves the IP addresses for both locations you added during onboarding, and locations you did not add. deployed—Retrieves IP addresses in all locations that you added during mobile user onboarding. This keyword is applicable to mobile user deployments only. Prisma Access associates IP addresses for every mobile user location during provisioning, even if you did not select that location during mobile user onboarding. If you specify all, the API command retrieves the IP addresses for all mobile user locations, including ones you did not select for the deployment. If you specify deployed, the API command retrieves only the IP addresses for the locations you selected during onboarding.

Specify the options in the .txt file in the following format:

  {
   "serviceType": "service-type",   
   "addrType": "address-type",
   "location": "location"
   }

Enter the following command to retrieve the IP addresses:
- To use the newer API that was introduced in Prisma Access 2.1, enter the following command:
  curl -X POST --data @option.txt -H header-api-key:Current-API-Key "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
  As of May 2023, some Cloud managed deployments use https://api.prod6.datapath.prismaaccess.com/getPrismaAccessIP/v2 (note the prod6 in the URL instead of prod).
- To use the legacy API, enter the following command. This command uses a legacy API endpoint that will be deprecated in May 2022:
  curl -X POST --data @option.txt -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getPrismaAccessIP/v2"
Where option.txt is the .txt file you created in a previous step and Current-API-Key is the Prisma Access API key.
For example, given a .txt filename of option.txt and an API key of 12345abcde, use the following API command to retrieve the public IP address for all locations:
```
  curl -X POST --data @option.txt -H header-api-key:12345abcde "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
```
The API command can return a large amount of information. To make the output more readable, if you have Python installed, you can add | python -m json.tool at the end of the cURL command.

The API command returns the addresses in the following format. The following IPs are example addresses only:
```
{
    "status": "success",
    "result": [
        {
            "address_details": [
                {
                    "address": "169.2.3.4",
                    "serviceType": "gp_gateway",
                    "addressType": "active",
                    "create_time": 1743636318,
                    "allow_listed": true
                },
                {
                    "address": "137.4.5.6",
                    "serviceType": "gp_gateway",
                    "addressType": "active",
                    "create_time": 1743636318,
                    "allow_listed": true
                },
                {
                    "address": "169.7.8.9",
                    "serviceType": "gp_gateway",
                    "addressType": "active",
                    "create_time": 1750812477,
                    "allow_listed": true
                },
                {
                    "address": "134.10.11.12",
                    "serviceType": "gp_gateway",
                    "addressType": "network_load_balancer",
                    "create_time": 1743636321
                }
            ],
            "zone": "US West",
            "addresses": [
                "169.2.3.4",
                "137.4.5.6",
                "169.7.8.9",
                "134.10.11.12"
            ],
            "zone_subnet": [
                "140.1.2.0/18",
                "168.1.2.0/21",
                "74.1.2.0/20",
                "128.1.2.0/17",
                "169.1.2.0/18",
                "165.1.0.0/16",
                "34.1.2.0/19",
                "134.1.0.0/16",
                "144.1.0.0/16",
                "208.1.0.0/16",
                "130.1.0.0/16",
                "134.1.2.0/17",
                "137.83.192.0/18",
                "165.1.2.0/17",
                "66.1.2.0/19",
                "34.1.2.0/23"
            ],
            "addresses_v6": [],
            "address_details_v6": [],
            "zone_subnet_v6": [
                "2606:f4c0:1111:13d4::/64",
                "2606:f4c0:2222:13d3::/64"
            ],
            "zone_subnet_v6_details": [
                {
                    "address": "2606:f4c0:1111:13d4::/64",
                    "addressType": "active",
                    "allow_listed": false
                },
                {
                    "address": "2606:f4c0:2222:13d3::/64",
                    "addressType": "network_load_balancer",
                    "allow_listed": false
                }
            ]
        }
```
Where:
- address_details shows the details of the address for each location.
  - serviceType shows the type of IP address (either remote network (remote_network), Prisma Access gateway (gp_gateway), Prisma Access portal (gp_portal), Clean Pipe (clean_pipe), or Remote Browser Isolation (rbi).
  - addressType specifies the type of address specified with the addrType keyword (either active or pre-allocated if you're preallocating IP addresses for mobile user locations).
  - address shows the IP address you need to add to your allow lists.
    If the API returns multiple IP addresses, Prisma Access summarizes the IP addresses in the addresses field.
- addresses lists all the IP addresses for the location that you need to add to your allow lists.
- zone is the Prisma Access location associated with the IP addresses.
- zone_subnet is the subnet for mobile user gateways and portals. Prisma Access also provides this subnet if you're preallocating IP addresses for mobile user locations.
- zone_subnet_details provides you with more information about the mobile user gateways and portals. Prisma Access also provides this subnet if you're preallocating IP addresses for mobile user locations.
- addresses_v6, address_details_v6, and zone_subnet_v6, are the IPv6 addresses equivalent to addresses. address_details, and zone_subnet, respectively.
  Prisma Access provides you with IPv6 subnets instead of IP addresses when you have enabled IPv6; for this reason, you will see zone_subnet_v6 addresses.
- zone_subnet_v6_details provides you with more information about the IPv6 addresses.
  - address is the IPv6 address that was allocated.
  - addressType (either either active pre-allocated, or network_load_balancer which provides you with the ingress IP addresses (IP Optimization deployments only).
  - allow_listed shows you whether or not these IP addresses have been added to your allow lists and specified as such in the Prisma Access UI.
If there are any problems with the options in the .txt file, the API returns an error similar to the following:
```
  {"status": "error","result": "Invalid json format in the request. trace_id: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx "}
```
Update the allow lists on your on-premises servers or SaaS application policy rules with the IP addresses you retrieved.

API Command Examples

Use the following examples when entering keywords and arguments in the .txt file for the API command. To change the output of the command, change the options in the .txt file; the command itself does not change.

Retrieve These IP Addresses	Specify These Parameters in the .txt File	Comments
Mobile User IP Addresses
All mobile user IP Addresses	{ "serviceType": "gp_gateway", "addrType": "all", "location": "all" }	An `addrType` of `all` means that Prisma Access retrieves all mobile user gateway IP addresses. A `location` of `all` means that Prisma Access retrieves IP addresses for all available locations, including ones that you have not onboarded. Prisma Access reserves non-onboarded location IP addresses so that you can add these IP addresses to your allow lists before you onboard them.
IP addresses for onboarded mobile user locations	{ "serviceType": "gp_gateway", "addrType": "all", "location": "deployed" }	A `location` type of `deployed` means that Prisma Access retrieves only the IP addresses for the locations that you selected during mobile user onboarding.
All active IP Addresses for onboarded mobile user locations	{ "serviceType": "gp_gateway", "addrType": "active", "location": "deployed" }	An `addrType` of `active` means that Prisma Access retrieves only the IP addresses for the locations you onboarded.
Remote Network IP Addresses
Retrieve all remote network IP addresses	{ "serviceType": "remote_network", "addrType": "all", "location": "all" }	This command retrieves the public and egress IP addresses of remote networks you have onboarded. Don't use a `location` of `deployed`. You can use an `addrType` of `active` but it retrieves the same addresses as if you specified an `addrType` of `all`.
Explicit Proxy IP Addresses
Retrieve the ACS IP addresses for deployed locations	{ "serviceType": "swg_proxy", "location": "deployed", "addrType": "auth_cache_service" }	This command retrieves the ACS IP address for your explicit proxy deployment. Entering an `addrType` of `all` retrieves all address types.
Remote Browser Isolation IP Addresses
Retrieve the Remote Browser Isolation (RBI) IP addresses for deployed locations	{ "serviceType": "rbi", "location": "all", "addrType": "all" }	This command retrieves the egress IP addresses for each deployed RBI location. You can add these IP addresses to an allow list to connect to SaaS Applications.

Legacy Scripts Used to Retrieve IP and Loopback Addresses

The following table shows the keywords and parameters that are available in the legacy API scripts used with Prisma Access, and provides information and recommendations about which API to use for the type of deployment you have.

These legacy commands retrieve two types of IP addresses, public IP and egress IP addresses. We provide you with two different legacy API commands so that you can retrieve all the IP addresses you need to add to an allow list.

A public IP address is the source IP address that Prisma Access uses for requests made to an internet-based source. Add the public IP address to an allow list in your network to give Prisma Access to internet resources such as SaaS applications or publicly accessible partner applications.
Mobile user, remote network, and clean pipe deployments use public IP addresses.
An egress IP address is an IP address that Prisma Access uses for egress traffic to the internet, and you must also add these addresses to an allow list to give Prisma Access access to internet resources.
Among other purposes, Prisma Access uses egress IP addresses so that users receive webpages in the language they expect from a Prisma Access location. All locations have public IP addresses; however, not all locations have egress IP addresses. The following locations don't use egress IP addresses:
- Bahrain
- Belgium
- France North
- France South
- Hong Kong
- Ireland
- South Korea
- Taiwan
- United Kingdom
Mobile user, remote network, and clean pipe deployments use egress IP addresses.

Commands Used in Mobile User Deployments
Command Name	Comments
get_egress_ip_all=yes command curl -k -H header-api-key:`Current-API-Key`"https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes	This command retrieves all the IP addresses that you add to an allow list to give Prisma Access to internet resources such as SaaS applications or publicly accessible partner applications. This command has the following constraints: This command can retrieve a large number of addresses (more than 200). If your enterprise can't add this number of IP addresses to an allow list, you can use the `gpcs_gp_gw` and `gpcs_gp_portal` keywords to retrieve only the IP addresses you're currently using; however you will have to rerun these commands every time you add a location. In addition, if a scaling event occurs, you will need to the new IP addresses to an allow list. Prisma Access does not list the locations that are associated with these IP addresses; therefore, we recommend that you all the IP addresses that are returned with this command to an allow list. This command does not give you loopback addresses.
gpcs_gp_gw and gpcs_gp_portal keywords curl -k -H header-api-key:`Current-API-Key`"https://api.gpcloudservice.com/getAddrList/latest?fwType=`gpcs_gp_gw` \| `gpcs_gp_portal`&addrType=`public_ip` \| `egress_ip_list` \| `loopback_ip`"	Use this command if your deployment limits the amount of IP addresses you can add to an allow list. Add all IP addresses returned with this command to an allow list in your network. You can also retrieve the loopback IP addresses with this command.

Commands Used in Remote Network Deployments
Command Name	Comments
gpcs_remote_network keyword curl -k -H header-api-key:`Current-API-Key`"https://api.gpcloudservice.com/getAddrList/latest?fwType=`gpcs_remote_network` &addrType=`public_ip` \| `egress_ip_list` \| `loopback_ip`"	Use this command to find the IP addresses that you need to add to an allow list for remote network deployments. You can also use this command to find the egress IP addresses for remote network deployments; the egress and IP addresses can be different in some situations.

Commands Used in Clean Pipe Deployments
Command Name	Comments
gpcs_clean_pipe keyword curl -k -H header-api-key:`Current-API-Key`"https://api.gpcloudservice.com/getAddrList/latest?fwType=`gpcs_clean_pipe`&addrType=`public_ip` \| `egress_ip_list` \| `loopback_ip`"	Use this command to find the IP addresses that you need to add to an allow list for clean pipe deployments.

Retrieve Public and Egress IP Addresses for Mobile User Deployments

This legacy script has been superseded by a by a newer API script. Palo Alto Networks recommends that you use the newer script to retrieve all IP addresses except for loopback addresses.

If you're adding public IP addresses to allow lists to give mobile users access to SaaS or public applications, Prisma Access provides two IP addresses for each gateway and portal IP address so that one IP address can be used during a scaling or other event. You can add this set of IP addresses to an allow list before they are used, preventing any issues with mobile users being able to access SaaS or public applications during a scaling event.

Retrieve these new addresses by completing the following task:

Get the API key by selecting ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessPrisma Access InfrastructureInfrastructure SettingsGenerate New API Key.

You need this key to authenticate to Prisma Access and retrieve the list of IP addresses using the cURL command listed below. Only a Panorama administrator or superuser can generate or access this API key.
Enter the following command to retrieve the mobile user public IP addresses:
```
  curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"
```
Where Current-API-Key is the Prisma Access API key.
For example, given an API key of 12345abcde, use the following API command to retrieve the public IP address for all locations:
```
  curl -k -H header-api-key:12345abcde "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"
```

Retrieve Public, Loopback, and Egress IP Addresses

To retrieve public, loopback, and egress IP addresses, complete the following steps.

Retrieve the public IP addresses, loopback IP addresses, or both for Prisma Access.

Use the API key and the API endpoint URL either manually or in an automation script:

  header-api-key:Current
API Key "https://api.gpcloudservice.com/getAddrList/latest?fwType=$fwType&addrType=$addrType"

Where you need to replace Current API Key with your API key and use one or both of the following keywords and arguments:

Keyword	Description
fwType keyword
gpcs_gp_gw	Retrieves Prisma Access gateway IP addresses (for mobile user deployments).
gpcs_gp_portal	Retrieves Prisma Access portal IP addresses (for mobile user deployments).
gpcs_remote_network	Retrieves Prisma Access remote network IP addresses (for remote network deployments).
gpcs_clean_pipe	Retrieves Prisma Access Clean Pipe IP addresses.
addrType keyword
public_ip	Retrieves the source IP addresses that Prisma Access uses for requests made to an internet-based source. For mobile user locations, Prisma Access lists the IP addresses by location. For remote networks, Prisma Access lists the IP addresses by remote network name.
egress_ip_list	Retrieves the IP addresses that Prisma Access uses with public IP addresses for additional egress traffic to the internet. For mobile user locations, Prisma Access lists the IP addresses by location. For remote networks, Prisma Access lists the IP addresses by remote network name.
loopback_ip	Retrieves the source IP addresses used by Prisma Access for requests made to an internal source (for example, a RADIUS or Active Directory server), and is assigned from the infrastructure subnet.

If you don’t specify a keyword, Prisma Access retrieves all IP addresses.

For example, you can try the following cURL command to manually retrieve the list of public IP addresses for all remote networks:

curl -k -H header-api-key:1234y9ydxb__0UmxetVTbC8XTyFMaoT4RBZBKBjfX419YVufeFG7 "https://api.gpcloudservice.com/getAddrList/latest?fwType=gpcs_remote_network&addrType=public_ip"

Or use a simple python script to retrieve the list of all IP addresses, for example:

  #!/usr/bin/python
import subprocess
import json
api_key = '1234y9ydxb__0UmxetVTbC8XTyFMaoT4RBZBKBjfX419YVufeFG7' # Replace with your key
api_end_point = 'https://api.gpcloudservice.com/getAddrList/latest' # This call retrieves IP addresses for all your Prisma Access firewalls
args = ['curl', '-k', '-H', 'header-api-key:' +  api_key, api_end_point]
p = subprocess.Popen(args, stdout=subprocess.PIPE)
output = p.communicate()
dout = json.loads(output[0])
addrStrList = dout['result']['addrList']
addrList = []
for addr_str in addrStrList:
    addrList.append(addr_str.split(":")[1])
print(addrList)

Update the allow lists on your on-premises servers or SaaS application policy rules with the IP addresses you retrieved.

Pre-Allocate IP Addresses for Mobile User Locations

Prisma Access uses gateway and portal IP addresses for Mobile Users—GlobalProtect deployments, and authentication cache service (ACS) for Mobile Users—Explicit Proxy deployments. Mobile Users—GlobalProtect IP addresses are known as egress IP addresses. If you need to pre-allocate mobile user IP addresses before you onboard the location (for example, if your organization needs to add the IP addresses for Mobile Users—GlobalProtect deployments to allow lists to give mobile users access to external SaaS applications), you can run an API script to have Prisma Access pre-allocate these IP addresses for a location ahead of time, before you onboard it. You can then add the location’s egress IP addresses to your organization’s allow lists before onboarding the location.

The API response also includes the public IP pool subnets for the egress IP addresses for the requested location. The egress IP addresses of any locations you add are a part of this subnet. Adding the subnets to your allow lists provides for future location additions without further allow list modification.

Prisma Access does not pre-allocate your IP addresses and subnets unless you request them using the API script. After you run the pre-allocation script, they have a validity period of 90 days. The public IP addresses are unique and not shared with any other Prisma Access deployment. If an IP address allocated to you by Palo Alto Networks remains unused for six months, it will be reclaimed. This includes IP addresses that were activated and then deactivated, and have remained deactivated for six months. For instance, if public IP addresses were allocated to your tenant for a specific location and that location was not enabled for six months, Prisma Access may reclaim those IP addresses. Similarly, if you onboarded and then deboarded a mobile user location, Palo Alto Networks can reclaim the IP address used for that location six months after deboarding.

Palo Alto Networks recommends that you only pre-allocate IP addresses for locations that you want to onboard later.

To pre-allocate IP addresses, complete the following task.

Retrieve the Prisma Access API key.
Pre-allocate the mobile user egress IP addresses by creating a .txt file and specifying the following options in the .txt file you create.
Enter the following text in the .txt file:
- Mobile Users—GlobalProtect Deployments:
  { "actionType": "pre_allocate", "serviceType": "gp_gateway", "location": ["location"] }
- Mobile Users—Explicit Proxy Deployments:
  { "actionType": "pre_allocate", "serviceType": "swg_proxy", "location": ["location"]}
Where location is the Prisma Access location where you want to pre-allocate the IP addresses.
Enter a maximum of 12 locations. Entering more than 12 locations might cause timeout errors when Prisma Access retrieves the pre-allocated IP addresses.
Enter this CURL command.
Retrieve the IP addresses and subnets you requested, including their validity period, by reopening the .txt file, removing the existing information, and editing it.
- Mobile Users—GlobalProtect Deployments:
  - To request Prisma Access to retrieve all pre-allocated IP addresses, enter the following text in the .txt file.
    { "serviceType": "all", "addrType": "pre_allocated", "location": "all" }
  - To request Prisma Access to retrieve all pre-allocated IP addresses for Prisma Access gateways for a given location, enter the same information in the .txt file but substitute “all” with “gp_gateway” in the .txt file.
  - To request Prisma Access to retrieve all pre-allocated IP addresses for Prisma Access portals for a given location, enter the same information in the .txt file but substitute “all” with “gp_portal” in the .txt file.
- Mobile Users—Explicit Proxy Deployments:
  To request that Prisma Access pre-allocate all IP addresses you need to add to allow lists for an explicit proxy deployment, enter the following text in the .txt file.
  { "actionType": "pre_allocate", "serviceType": "swg_proxy", "location": ["all"] }
Palo Alto Networks recommends that you enter all so you can retrieve all required pre-allocated egress IP addresses to add to your allow lists.

For Mobile Users—GlobalProtect deployments, the API command can return a large amount of information. To make the output more readable, if you have Python installed, you can add | python -m json.tool at the end of the cURL command.

Reenter this CURL command to retrieve the pre-allocated addresses.

Prisma Access returns the information in the following format:

    "result": [
       {
            "zone": "prisma-access-zone1",
            "addresses": [
  ["ip-address1","ip-address2"]
            "zone_subnet" :  
  [subnet-and-mask1","subnet-and-mask2"]
            "address_details":[
                          {"address":"ip-address1",
                           "service_type":"service-type",                         
                            "addressType":"pre-allocated",
                           "expiring_in" : "validity-period" },
                          {"address":"ip-address2",
                           "service_type":"gp_gateway",
                           "addressType":"pre-allocated",
                           "validity_period_remaining" : "90 days" } ,        
         },

Where the variables represent the following API command output:

Variable	Explanation
`prisma-access-zone1`	The Prisma Access location for which pre-allocated IP addresses were retrieved.
`ip-address1` and `ip-address2`	The egress IP addresses that Prisma Access has pre-allocated for the specified location. Prisma Access retrieves two IP addresses for each location; you must add both of these IP addresses to your allow lists.
`subnet-and-mask1` and `subnet-and-mask2`	The subnets that Prisma Access has pre-allocated and reserved for the egress IP addresses in your deployment.
`service-type`	The type of the pre-allocated egress IP address (either gp_portal for a Prisma Access portal or gp_gateway for a Prisma Access gateway).
`validity-period`	The remaining time, in days, for which the pre-allocated IP address is valid. Onboard your mobile user location before the IP addresses’ validity period ends. If the pre-allocated IP addresses expire, you can rerun the API script to retrieve another set of pre-allocated IP addresses.

You could receive an error if you attempt to pre-allocate IP addresses for locations that meet one of the following criteria:

You have already onboarded the location.
You onboarded, then deleted the location.
In this case, enter the following text in the .txt file to retrieve the Mobile Users—GlobalProtect IP addresses for the location:
```
  {
"serviceType": "gp_gateway",
"addrType": "all",
"location": "all"
   }
```
You have reached the maximum number of mobile user locations allowed by your license and can't add any more locations.
You entered the location name incorrectly.
You entered a serviceType other than gp_gateway.
you entered an actionType other than pre_allocate.

Set Up Prisma Access IP Address Change Notifications

Set up a notification to be informed of when Prisma Access IP addresses change.

To be notified of public IP address changes for remote networks and loopback IP address changes for service connections, remote network connections, and mobile users, you can specify a URL at which you can be alerted of a change. Prisma Access uses an HTTP POST request to send the notification. This POST request includes the following notification data in JSON format:

  {"addrType": "public_ip", "addrChangeType": "add", "utc_timestamp": "2019-01-31 23:08:19.383894", "text": "Address List Change Notification"}

  {"addrType": "public_ip", "addrChangeType": "delete", "utc_timestamp": "2019-01-31 23:13:35.882151", "text": "Address List Change Notification"}

  {"addrType": "loopback_ip", "addrChangeType": "update", "utc_timestamp": "2019-01-31 23:29:27.100329", "text": "2018-05-11 23:29:27.100329"}

When you receive a notification, you must follow a two-step process. First, you must manually or programatically retrieve the IP or loopback addresses. Then, you must update the IP addresses in your organization’s appropriate allow list to ensure that users don't experience any disruption in service.

Prisma Access sends this notification a few seconds before the new IP address becomes active. We recommend that you use automation scripts to both retrieve and add the new IP addresses to an allow list in your network.

To add an IP notification URL, complete the following task.

Go to ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessPrisma Access InfrastructureInfrastructure Settings.
Add an Egress IP Notification URL where you can be notified of IP address changes in your Prisma Access infrastructure.

You can specify an IP address or an FQDN to an HTTP or HTTPS web service that is listening for change notifications. Prisma Access sends these notifications from the internet using a public IP address.
You don't need to push your configuration for the notification URL to take effect.

Retrieve the IP Addresses for Prisma Access (Panorama)

Learn about the infrastructure IP addresses that are used with Prisma Access Panorama and how to retrieve them using the API command.

If you are manually adding IP addresses of your Prisma Access infrastructure to an allow list in your network, or if you are using an automation script to enforce IP-based restrictions to limit inbound access to enterprise applications, you should understand what these addresses do and why you need to allow them, as well as the tasks you perform to retrieve them.

If you have a Mobile Users—GlobalProtect deployment, you can use the Prisma Access UI instead of this API to manage public IP address allocation and confirm that the IP addresses have been added to your allow lists before Prisma Access releases the IP addresses. In this way, Prisma Access only provisions the IP addresses that you have allow listed.

The following table provides you with a list of the IP address that Prisma Access uses for each deployment type, along with the keyword you use when you run the API script to retrieve the IP addresses, and describes whether or not you should add them to your organization’s allow lists.

Deployment Type	IP Address Type	Description
Mobile Users—GlobalProtect	Prisma Access gateway (gp_gateway)	Gateway IP addresses. You must add both gateway and portal IP addresses to allow lists for your mobile user deployments. Mobile users connect to a Prisma Access gateway to access internal or internet resources, such as SaaS or public applications, for which you have provided access. For mobile users, during initial deployment, Prisma Access assigns two IP addresses for each location you deploy.
	Prisma Access portal (gp_portal)	Portal IP addresses. You must add both gateway and portal IP addresses to allow lists for your mobile user deployments. Mobile users log in to the Prisma Access portal to receive their initial configuration and gateway location.
	Network Load Balancer (network_load_balancer)	ingress IP addresses (IP Optimization deployments only).
	Loopback IP addresses	The source IP address used by Prisma Access for requests made to an internal source, and is assigned from the Configure the Prisma Access Service Infrastructure (Panorama). Add the loopback IP address to an allow list in your network to give Prisma Access to internal resources such as RADIUS or Active Directory authentication servers. Palo Alto Networks recommends that you allow all the IP addresses of the entire infrastructure subnet in your network, because loopback IP addresses can change. To find the infrastructure subnet, select PanoramaCloud ServicesStatusNetwork DetailsService Infrastructure. The subnet displays in the Infrastructure Subnet area. To retrieve loopback IP addresses, use the legacy API script.
Mobile Users—Explicit Proxy	Authentication Cache Service (ACS)	The address for the Prisma Access service that stores the authentication state of the explicit proxy users. This address is only used for explicit proxy for mobile users.
Mobile Users—Explicit Proxy	Network Load Balancer	The address that Prisma Access uses for the network load balancer.
Remote Network	Remote Network IP addresses (remote_network)	The Service IP Addresses that Prisma Access assigns for the Prisma Access remote network connection, and Remote Networks: Service Endpoint Address and Egress IP Address Allocation that Prisma Access uses to make sure that remote network users get the correct default language for their region. Add these addresses to allow lists in your network to give Prisma Access to internet resources.
Remote Network	Loopback IP addresses	The source IP address used by Prisma Access for requests made to an internal source, and is assigned from the Configure the Prisma Access Service Infrastructure (Panorama). Add the loopback IP address to an allow list to give Prisma Access to internal resources such as RADIUS or Active Directory authentication servers. To retrieve loopback IP addresses, use the legacy API script.
Clean Pipe	Clean Pipe IP Addresses (clean_pipe)	Add these IP addresses to an allow list to give the Clean Pipe service access to internet resources.
Clean Pipe	Loopback IP addresses	The source IP address used by Prisma Access for requests made to an internal source, and is assigned from the Configure the Prisma Access Service Infrastructure (Panorama). Add the loopback IP address to an allow list to give Prisma Access to internal resources such as RADIUS or Active Directory authentication servers. To retrieve loopback IP addresses, use the legacy API script.

Run the API Script Used to Retrieve Prisma Access IP Addresses

Use the API script described here to retrieve the IP addresses that are required for your deployment.

Prisma Access provides an API script that you can use to retrieve the public and private IP addresses it uses in its infrastructure. If you need to add public IP addresses to allow lists in your organization’s network, use the following steps to retrieve these IP addresses with the API script.

This command does not retrieve loopback addresses; to retrieve loopback IP addresses, use the legacy API.

Get the API key.
You need this key to authenticate to Prisma Access and retrieve the list of IP addresses using the API command. Only a Panorama administrator or Superuser can generate or access this API key.
1. Select PanoramaCloud ServicesConfigurationService Setup.
2. Select Generate API Key.
  
  If you have already generated an API key, the Current Key displays. If you haven’t yet generated a key or want to replace the existing key to meet audit or compliance check for key rotation, click Generate New API Key for a new key.

Create a .txt file and put the API command options in the file.

Specify the following keywords and arguments in the .txt file. See API Examples for Retrieving Prisma Access IP Addresses for examples. The examples in this document use a file name of option.txt but you can specify any file name, as long as you reference it in the command.

Argument	Possible choices (keywords)	Comments
serviceType	all remote_network gp_gateway gp_portal clean_pipe swg_proxy rbi	all—Retrieves IP addresses you need to add to an allow list for all service types (Remote Networks, Mobile Users (both gateways and portals), and Clean Pipe, as applicable to your deployment). remote_network—Retrieves IP addresses you need to add to an allow list for remote network deployments. gp_gateway—Retrieves the Mobile Users—GlobalProtect gateway IP addresses you need to add to an allow list for mobile user deployments. gp_portal —Retrieves the Mobile Users—GlobalProtect portal IP addresses you need to add to an allow list for mobile user deployments. clean_pipe—Retrieves the IP addresses you need to add to an allow list for clean pipe deployments. swg_proxy—Retrieves the egress IP addresses for each deployed Explicit Proxy location and the authentication cache service (ACS). rbi—Retrieves the egress IP addresses you need to add to an allow list for Remote Browser Isolation (RBI) deployments to connect to SaaS Applications.
addrType	all active service_ip auth_cache_service network_load_balancer	all or active—Retrieves all the IP addresses you need to add to an allow list. This API does not retrieve loopback IP addresses. To retrieve loopback IP addresses, use the legacy API. service_ip—Retrieves the Service IP Address, which you use as the peer IP address when you set up the IPSec tunnel for the remote network connection. auth_cache_service—Retrieves the IP address for the explicit proxy ACS (applicable to Explicit Proxy deployments only). network_load_balancer—Retrieves the IP addresses for the network load balancer (deployments with IP Optimization enabled only). If you have implemented IP Optimization, be sure you review the allow listing considerations and how to implement the gp_gateway and network_load_balancer IP addresses in your Mobile Users—GlobalProtect deployment.
actionType	pre_allocate	`Mobile User deployments only`—An actionType of pre_allocate allows you to retrieve IP addresses or subnets for Prisma Access gateways and portals for mobile user deployments. Use this with a serviceType of gp_gateway to retrieve pre-allocated gateway IP addresses and a serviceType of gp_portal to retrieve pre-allocated portal IP addresses. Retrieving the pre-allocated IP addresses lets you add the gateway and portal IP addresses to your organization’s allow lists before you onboard mobile user locations, which in turn gives mobile users access to external SaaS apps immediately after you onboard the locations.
location	all deployed	all—Retrieves the IP addresses from all locations. For mobile user deployments, this keyword retrieves the IP addresses for both locations you added during onboarding, and locations you did not add. deployed—Retrieves IP addresses in all locations that you added during mobile user onboarding. This keyword is applicable to mobile user deployments only. Prisma Access associates IP addresses for every mobile user location during provisioning, even if you didn’t select that location during mobile user onboarding. If you specify all, the API command retrieves the IP addresses for all mobile user locations, including ones you didn’t select for the deployment. If you specify deployed, the API command retrieves only the IP addresses for the locations you selected during onboarding.

Specify the options in the .txt file in the following format:

  {
   "serviceType": "service-type",   
   "addrType": "address-type",
   "location": "location"
   }

Enter the following command to retrieve the IP addresses:
- To use the newer API that was introduced in Prisma Access 2.1, enter the following command:
  curl -X POST --data @option.txt -H header-api-key:Current-API-Key "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
  As of May 2023, some Panorama managed deployments use https://api.prod6.datapath.prismaaccess.com/getPrismaAccessIP/v2 (note the prod6 in the URL instead of prod).
- To use the legacy API, enter the following command. This command uses a legacy API endpoint that will be deprecated in May 2022:
  curl -X POST --data @option.txt -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getPrismaAccessIP/v2"
Where option.txt is the .txt file you created in a previous step and Current-API-Key is the Prisma Access API key.

For example, given a .txt filename of option.txt and an API key of 12345abcde, use the following API command to retrieve the public IP address for all locations:
```
  curl -X POST --data @option.txt -H header-api-key:12345abcde "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"
```
The API command can return a large amount of information. To make the output more readable, if you have Python installed, you can add | python -m json.tool at the end of the cURL command.

The API command returns the addresses in the following format:
```
{
    "status": "success",
    "result": [
        {
            "address_details": [
                {
                    "address": "169.2.3.4",
                    "serviceType": "gp_gateway",
                    "addressType": "active",
                    "create_time": 1743636318,
                    "allow_listed": true
                },
                {
                    "address": "137.4.5.6",
                    "serviceType": "gp_gateway",
                    "addressType": "active",
                    "create_time": 1743636318,
                    "allow_listed": true
                },
                {
                    "address": "169.7.8.9",
                    "serviceType": "gp_gateway",
                    "addressType": "active",
                    "create_time": 1750812477,
                    "allow_listed": true
                },
                {
                    "address": "134.10.11.12",
                    "serviceType": "gp_gateway",
                    "addressType": "network_load_balancer",
                    "create_time": 1743636321
                }
            ],
            "zone": "US West",
            "addresses": [
                "169.2.3.4",
                "137.4.5.6",
                "169.7.8.9",
                "134.10.11.12"
            ],
            "zone_subnet": [
                "140.1.2.0/18",
                "168.1.2.0/21",
                "74.1.2.0/20",
                "128.1.2.0/17",
                "169.1.2.0/18",
                "165.1.0.0/16",
                "34.1.2.0/19",
                "134.1.0.0/16",
                "144.1.0.0/16",
                "208.1.0.0/16",
                "130.1.0.0/16",
                "134.1.2.0/17",
                "137.83.192.0/18",
                "165.1.2.0/17",
                "66.1.2.0/19",
                "34.1.2.0/23"
            ],
            "addresses_v6": [],
            "address_details_v6": [],
            "zone_subnet_v6": [
                "2606:f4c0:1111:13d4::/64",
                "2606:f4c0:2222:13d3::/64"
            ],
            "zone_subnet_v6_details": [
                {
                    "address": "2606:f4c0:1111:13d4::/64",
                    "addressType": "active",
                    "allow_listed": false
                },
                {
                    "address": "2606:f4c0:2222:13d3::/64",
                    "addressType": "network_load_balancer",
                    "allow_listed": false
                }
            ]
        }
```
Where:
- address_details shows the details of the address for each location.
  - serviceType shows the type of IP address (either remote network (remote_network), Prisma Access gateway (gp_gateway), Prisma Access portal (gp_portal), Clean Pipe (clean_pipe), or Remote Browser Isolation (rbi).
  - addressType specifies the type of address specified with the addrType keyword (either active or pre-allocated if you're preallocating IP addresses for mobile user locations).
  - address shows the IP address you need to add to your allow lists.
    If the API returns multiple IP addresses, Prisma Access summarizes the IP addresses in the addresses field.
- addresses lists all the IP addresses for the location that you need to add to your allow lists.
- zone is the Prisma Access location associated with the IP addresses.
- zone_subnet is the subnet for mobile user gateways and portals. Prisma Access also provides this subnet if you're preallocating IP addresses for mobile user locations.
- zone_subnet_details provides you with more information about the mobile user gateways and portals. Prisma Access also provides this subnet if you're preallocating IP addresses for mobile user locations.
- addresses_v6, address_details_v6, and zone_subnet_v6, are the IPv6 addresses equivalent to addresses. address_details, and zone_subnet, respectively.
  Prisma Access provides you with IPv6 subnets instead of IP addresses when you have enabled IPv6; for this reason, you will see zone_subnet_v6 addresses.
- zone_subnet_v6_details provides you with more information about the IPv6 addresses.
  - address is the IPv6 address that was allocated.
  - addressType (either either active pre-allocated, or network_load_balancer which provides you with the ingress IP addresses (IP Optimization deployments only).
  - allow_listed shows you whether or not these IP addresses have been added to your allow lists and specified as such in the Prisma Access UI.
If there are any problems with the options in the .txt file, the API returns an error similar to the following:
```
  {"status": "error","result": "Invalid json format in the request. trace_id: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx "}
```
Update the allow lists on your on-premises servers or SaaS application policy rules with the IP addresses you retrieved.

Remote Networks: Service Endpoint Address and Egress IP Address Allocation

API Examples for Retrieving Prisma Access IP Addresses

Prisma Access Docs

Retrieve the IP Addresses for Prisma Access

Prisma Access Docs

Retrieve the IP Addresses for Prisma Access

Retrieve the IP Addresses for Prisma Access (Strata Cloud Manager)

Prisma Access Infrastructure IP Addresses

Run the API Script Used to Retrieve IP Addresses

API Command Examples

Legacy Scripts Used to Retrieve IP and Loopback Addresses

Retrieve Public and Egress IP Addresses for Mobile User Deployments

Retrieve Public, Loopback, and Egress IP Addresses

Pre-Allocate IP Addresses for Mobile User Locations

Set Up Prisma Access IP Address Change Notifications

Retrieve the IP Addresses for Prisma Access (Panorama)

Run the API Script Used to Retrieve Prisma Access IP Addresses

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner