Allow Listing for Mobile Users—GlobalProtect Deployments

Learn how to retrieve your public IP addresses from the Prisma Access interface and how to mark them as added to your allow lists.
To enable you to add the public (egress) IP addresses for your GlobalProtect—Mobile User deployment to any SaaS application allow lists you use within your organization, Prisma Access provides the IP addresses and lets you verify that you have added them to your allow list before using them in your environment. After you have added the egress IP addresses to your organization’s allow lists, you return to the Prisma Access UI, confirm the GlobalProtect egress IP addresses as being allow listed, and Commit and Push your changes. Prisma Access then releases these egress IP addresses and adds them to your deployment. If Prisma Access adds more IP addresses after initial configuration as a result of an autoscale event, you confirm the new egress IP addresses as being added before Prisma Access adds them to your deployment.
This method of egress IP address allocation has the following benefits:
  • It ensures that Prisma Access only provisions IP addresses that you have allow listed.
  • It prevents mobile users from attempting to connect to Prisma Access from an IP address that is blocked by your organization’s network. Prisma Access does not release IP addresses to your deployment until they have been confirmed by you as allow listed.
  • It provides a way to retrieve your current egress IP addresses without using the Prisma Access API.
Prisma Access allocates egress IP addresses in the following situations:
  • When you onboard your locations during mobile user onboarding.
    Prisma Access allocates two gateway IP addresses for each location you onboard.
    If you onboard a location, and other locations in the same compute location are experiencing an autoscale event, Prisma Access might allocate more than two IP addresses for the new location. In this situation, be sure that you add all these IP addresses to your allow lists and confirm all addresses as being Added to My Allow List.
  • During a large scaling event.
    If the number of mobile users exceeds the capacity of the two pre-allocated IP addresses, Prisma Access allocates one more set of two IP addresses.
    Autoscale events affect all the onboarded locations in a compute location. When an autoscale event occurs for a location and you have not yet confirmed the addresses as being added to your allow lists, all locations in that compute location will show an Autoscale Status of Not Allowed.
    To keep informed of any IP addresses that Prisma Access adds as a result of an autoscale event, you can set up a URL where Prisma Access will notify you of IP address changes.
You are not required to enable this functionality; you choose whether Prisma Access holds back the egress IP addresses until you have confirmed them as being allow listed in the UI.
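Before confirming addresses as Added to My Allow List, it helps to check that every address allocated to a location, including any added by an autoscale event, is already covered by the allow list. The following is an added example, not Palo Alto Networks code; the location names, addresses (documentation ranges), and allow list entries are constructed, and it assumes you have copied the egress IP addresses out of the Prisma Access UI by hand.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges), not real Prisma Access addresses.
ALLOCATED = {
    "Location A": ["192.0.2.10", "192.0.2.11"],
    # Four addresses: the initial pair plus a pair added by an autoscale event.
    "Location B": ["198.51.100.20", "198.51.100.21", "203.0.113.5", "203.0.113.6"],
}
# Constructed SaaS allow list: entries may be single IPs or CIDR blocks.
SAAS_ALLOW_LIST = ["192.0.2.0/28", "198.51.100.20/31", "203.0.113.5/32"]


def parse_allow_list(entries):
    """Parse allow list entries (single IPs or CIDR blocks) into network objects."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def missing_by_location(allocated, allow_list):
    """Return {location: [addresses not covered by any allow list entry]}."""
    networks = parse_allow_list(allow_list)
    report = {}
    for location, addresses in allocated.items():
        missing = []
        for addr in addresses:
            ip = ipaddress.ip_address(addr)
            if not any(ip.version == n.version and ip in n for n in networks):
                missing.append(addr)
        report[location] = missing
    return report


def safe_to_confirm(allocated, allow_list):
    """Locations where every allocated address is already allow listed."""
    report = missing_by_location(allocated, allow_list)
    return sorted(loc for loc, missing in report.items() if not missing)


if __name__ == "__main__":
    for loc, missing in missing_by_location(ALLOCATED, SAAS_ALLOW_LIST).items():
        status = "ok to confirm" if not missing else f"add first: {', '.join(missing)}"
        print(f"{loc}: {status}")
```

A location with any uncovered address is reported as not ready, so an autoscale pair that was only partly added to the allow list is caught before it is confirmed in the UI.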