Pre-Allocate IP Addresses for Prisma Access Mobile User Locations
Learn how to pre-allocate IP addresses so you can add
them to your allow lists.
Prisma Access uses gateway and portal IP addresses
for Mobile Users—GlobalProtect deployments, and authentication cache
service (ACS) and network load balancer IP addresses for Mobile Users—Explicit
Proxy deployments. Mobile Users—GlobalProtect IP addresses are known as
egress IP addresses. If you need to pre-allocate
mobile user IP addresses before you onboard the location (for example,
if your organization needs to add the IP addresses for Mobile Users—GlobalProtect
deployments to allow lists to give mobile users access to external
SaaS applications), you can run an API script to
have Prisma Access pre-allocate these IP addresses for a location
ahead of time, before you onboard it. You can then add the location’s
egress IP addresses to your organization’s allow lists before onboarding.
The API response also includes the public IP
subnets for the egress IP addresses for the requested location. The
egress IP addresses of any locations you add are a part of this
subnet. Adding the subnets to your allow lists provides for future
location additions without further allow list modification.
Prisma Access does not pre-allocate your IP addresses and subnets unless
you request them using the API script. After you run the pre-allocation
script, they have a validity period of 90 days. The IP addresses
that Palo Alto Networks provides you are unique, not shared, and
dedicated to your Prisma Access deployment during the validity period.
You must onboard your locations before the validity period ends
or you lose the addresses; to find the validity period at any time,
run the API script.
Palo Alto Networks recommends that
you only pre-allocate IP addresses for locations that you want to
To pre-allocate IP addresses, complete
the following task.
the Prisma Access location or
locations where you want to pre-allocate the IP addresses. If you
enter multiple locations, use brackets around the set of locations
and separate each location entry with quotes, a comma, and a space
(for example, ["location1", "location2", "location3"], and so on).
Enter a maximum of 12 locations. Entering more
than 12 locations might cause timeout errors when Prisma Access
retrieves the pre-allocated IP addresses.
so you can retrieve all required pre-allocated
egress IP addresses to add to your allow lists.
For Mobile Users—GlobalProtect deployments,
while Prisma Access returns up to four addresses for each location
(two gateway IP addresses and, if required, two portal IP addresses),
the API command can return a large amount of information. To make
the output more readable, if you have Python installed, you can
The subnets that Prisma Access has pre-allocated
and reserved for the egress IP addresses in your deployment.
The type of the pre-allocated egress IP address
for a Prisma Access
for a Prisma Access
The remaining time, in days, for which the pre-allocated
IP address is valid.
You must onboard your mobile user location
before the IP addresses’ validity period ends. If the pre-allocated
IP addresses expire, you can rerun the API script to retrieve another set
of pre-allocated IP addresses.
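The following is an added example, not Palo Alto Networks code: it splits a location list into requests of at most 12 in the bracketed format described above, then reduces pre-allocation results to a minimal allow list and flags addresses that are close to expiring. The record keys (`location`, `address`, `subnets`, `days_remaining`) and the 14-day warning threshold are assumptions for illustration, not the API's actual field names; map them from the real response.

```python
import ipaddress
import json

MAX_LOCATIONS = 12   # per-request limit stated on this page
VALIDITY_DAYS = 90   # validity period stated on this page

# Constructed sample (documentation address ranges); the keys are hypothetical.
SAMPLE_RECORDS = [
    {"location": "location1", "address": "192.0.2.10",
     "subnets": ["192.0.2.0/25"], "days_remaining": 88},
    {"location": "location2", "address": "192.0.2.200",
     "subnets": ["192.0.2.128/25"], "days_remaining": 9},
    {"location": "location3", "address": "198.51.100.7",
     "subnets": ["203.0.113.0/24"], "days_remaining": 40},
]


def location_batches(locations):
    """Yield bracketed, quoted location lists of at most 12 unique entries."""
    unique = list(dict.fromkeys(loc.strip() for loc in locations if loc.strip()))
    for i in range(0, len(unique), MAX_LOCATIONS):
        yield json.dumps(unique[i:i + MAX_LOCATIONS])


def plan_allow_list(records, warn_days=14):
    """Return (allow-list entries, addresses that expire within warn_days)."""
    entries, expiring = set(), []
    for rec in records:
        days = rec["days_remaining"]
        if not 0 <= days <= VALIDITY_DAYS:
            raise ValueError(f"implausible validity for {rec['address']}: {days}")
        nets = [ipaddress.ip_network(s) for s in rec["subnets"]]
        entries.update(nets)
        # An address outside every reserved subnet needs its own host entry.
        if not any(ipaddress.ip_address(rec["address"]) in net for net in nets):
            entries.add(ipaddress.ip_network(rec["address"]))
        if days <= warn_days:
            expiring.append((rec["location"], rec["address"], days))
    merged = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        merged += ipaddress.collapse_addresses(
            n for n in entries if n.version == version)
    return [str(n) for n in merged], expiring


if __name__ == "__main__":
    for batch in location_batches(f"location{i}" for i in range(1, 15)):
        print(batch)
    print(plan_allow_list(SAMPLE_RECORDS))
```

A host entry in the result (here `198.51.100.7/32`) means an address fell outside the reserved subnets and is worth checking before you rely on the subnets alone.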
You could receive an error if you attempt to
pre-allocate IP addresses for locations that meet one of the following criteria:
You have already onboarded the location.
You onboarded, then deleted the location.
In this case,
enter the following text in the .txt file to retrieve the Mobile
Users—GlobalProtect IP addresses for the location: