Allow Listing for Mobile Users—GlobalProtect Deployments
Learn how to retrieve your public IP addresses from the
Prisma Access interface and how to mark them as being allowed to
your allow lists.
To enable you to add the
public (egress)
IP addresses for your GlobalProtect—Mobile User deployment
to any SaaS application allow lists you use within your organization,
Prisma Access provides the IP addresses and lets you verify that
you have added them to your allow list before using them in your
environment. After you have added the egress IP addresses to your
organization’s allow lists, you return to the Prisma Access UI,
confirm the GlobalProtect egress IP addresses as being allow listed,
and
Commit and Push your changes. Prisma
Access then releases these egress IP addresses and adds them to
your deployment. If Prisma Access adds more IP address after initial
configuration as a result of an autoscale event, you confirm the
new egress IP addresses as being added before Prisma Access adds
them to your deployment.
This method of egress IP address allocation has the following
benefits:
It ensures that Prisma Access only provisions IP addresses
that you have allow listed.
It prevents mobile users from attempting to connect to Prisma
Access from an IP address that is blocked by your organization’s
network. Prisma Access does not release IP addresses to your deployment
until they have been confirmed by you as allow listed.
It provides a way to retrieve your current egress IP addresses
without using the
Prisma Access API.
Prisma Access allocates egress IP addresses in the following
situations:
When you onboard your locations during mobile user onboarding.
Prisma
Access allocates two gateway IP addresses for each location you
onboard.
If you onboard a location, and other locations
in the same compute location are experiencing an autoscale event,
Prisma Access might allocate more than two IP addresses for the
new location. In this situation, be sure that you add all these
IP addresses to your allow lists and confirm all addresses as being Added
to My Allow List.
During a large scaling event.
If the number of mobile
users exceeds the capacity of the two pre-allocated IP addresses,
Prisma Access allocates one more set of two IP addresses.
Autoscale
events affect all the onboarded locations in a
compute location.
When an autoscale event occurs for a location and you have not yet confirmed
the addresses as being added to your allow lists, all locations
in that compute location will show an
Autoscale Status of
Not Allowed.
To keep informed of any IP addresses that Prisma
Access adds as a result of an autoscale event, you can
set up a URL where
Prisma Access will notify you of IP address changes.
You are not required to enable this functionality; you choose
whether or not to let Prisma Access release the IP addresses until
you have confirmed them as being allow listed in the UI.