Manage Allow Listing for New Prisma Access Deployments

How to manage allow listing for a new Prisma Access deployment.
To prevent Prisma Access from provisioning public (egress) GlobalProtect IP addresses to your deployment until you have added them to your allow lists, specify Yes in the Using IP Allow List in SaaS Apps setting during Mobile Users—GlobalProtect onboarding. Confirm that you have added them in the Prisma Access UI by completing the following task.
  1. Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect.
  2. Select your Hostname and Configure it (for an existing deployment), or Configure your deployment for the first time (for a new deployment).
  3. Specify Using IP Allow List in SaaS Apps as Yes.
  4. Continue your Prisma Access onboarding, including selecting the locations to use in your Mobile Users—GlobalProtect deployment, and Commit and Push your changes.
    It might take up to a minute for the changes to be reflected in the UI. If you view the Egress IP Allow List before committing and pushing your changes, it shows a status of 0/0 Egress IPs Confirmed Allow Listed, because Prisma Access has not assigned any egress IP addresses to your deployment.
  5. View the Egress IP Allow List table, and make a note of the egress IP addresses that need to be added to your allow lists.
    You can view the egress IP addresses in the Confirmed Allow Listed Egress IPs / Allocated field of the Egress IP Allow List table. The first number indicates whether or not the IP address has been confirmed as being added to your allow lists. For a description of the other fields in this table, see Fields in the Egress IP Allow List table.
    The following example shows the IP addresses for the US Northeast location. The description of 0/2 Egress IPs Confirmed Allow Listed indicates that 0 of the two egress IP addresses have been marked as being added to your allow lists, and you need to add them.
    If you have a new Prisma Access deployment, or if you have added locations or had an autoscale event, the table shows that none of the egress IP addresses have been added to your organization’s allow list.
    If you have an existing Prisma Access deployment, the table shows a Provisioning Status of Provisioned and an Autoscale Status of Allowed, which indicates that Prisma Access marked the egress IP addresses as added.
    Prisma Access allocates two addresses for each newly added location. If an existing location has previously had an autoscale event, when a large number of mobile users logged in to a single location at the same time, Prisma Access allocates additional egress IP addresses in multiples of two, and an existing location could have four or more addresses.
  6. Find the new egress IP addresses that need to be added to your organization’s allow lists by selecting the Location name in the table.
  7. Add these egress IP addresses to your organization’s allow lists.
  8. After you have allow listed the egress IP addresses, return to the egress IP area and indicate that you have added them to your allow lists by selecting Added to My Allow List.
  9. Commit and push your changes to make them active in Prisma Access.
    1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
    2. Select Prisma Access, then make sure that Mobile Users is selected.
    3. Click OK to save your changes to the Push Scope.
    4. Commit and Push your changes.
    If you view the Egress IP Allow List table before committing and pushing your changes, the Confirmed column shows a status of 0/0 Egress IPs Confirmed Allow Listed because Prisma Access has not assigned any IP addresses to your deployment until you Commit and Push.
    After you Commit and Push, the Confirmed column will show a status of 0/2 Egress IPs Confirmed Allow Listed, because you have not yet confirmed the IP addresses as having been allow listed in the Prisma Access UI.
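Before selecting Added to My Allow List in step 8, you can check that every egress IP address noted in step 5 is actually covered by an entry in your organization's allow lists. The following script is an added example and is not part of the Prisma Access product or documentation; the location data, the allow list entries, and the function name `check_allow_list` are constructed for illustration, and the addresses come from documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation-range addresses), not real Prisma Access values.
# Egress IPs noted per location from the Egress IP Allow List table (step 5).
EGRESS_IPS = {
    "US Northeast": ["198.51.100.10", "198.51.100.11"],
    "US Northwest": ["203.0.113.20", "203.0.113.21", "203.0.113.22", "203.0.113.23"],
}
# Entries exported from a SaaS application's allow list (hypothetical export).
SAAS_ALLOW_LIST = ["198.51.100.10/32", "203.0.113.16/29", "192.0.2.0/24"]


def check_allow_list(egress_ips, allow_list):
    """Return a per-location report of covered and missing egress IP addresses."""
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allow_list]
    report = {}
    for location, addresses in egress_ips.items():
        covered, missing = [], []
        for text in addresses:
            ip = ipaddress.ip_address(text)
            # An address is covered if any host or CIDR entry contains it.
            (covered if any(ip in net for net in networks) else missing).append(text)
        report[location] = {
            "covered": covered,
            "missing": missing,
            "status": f"{len(covered)}/{len(addresses)} egress IPs found in allow list",
            # Confirm in the UI only when every allocated address is covered.
            "ready": not missing,
            # Addresses are allocated in multiples of two; an odd count
            # suggests the list copied from the table is incomplete.
            "count_even": len(addresses) % 2 == 0,
        }
    return report


if __name__ == "__main__":
    for location, result in check_allow_list(EGRESS_IPS, SAAS_ALLOW_LIST).items():
        print(location, result["status"], "missing:", result["missing"])
```

Run the check against each SaaS application's allow list separately, because an address that is covered in one application might still be missing from another.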