Prisma Access
Allow Listing GlobalProtect Mobile Users
Learn how to enable the egress IP allowlists for existing mobile users.
To let you add the public (egress) IP addresses for your GlobalProtect Mobile User deployment to any SaaS application allow lists your organization uses, Prisma Access provides the IP addresses and lets you confirm that you have added them to your allow lists before it puts them into service. If you enable egress IP allowlists for an existing Prisma Access deployment, Prisma Access migrates all the egress IP addresses already allocated for your locations into the egress IP allowlists. For a new Prisma Access deployment, enable the egress IP allowlist while onboarding the GlobalProtect mobile users. After you have added the egress IP addresses to your organization's allow lists, return to the Prisma Access UI, confirm the GlobalProtect egress IP addresses as allow listed, and push your changes. Only then does Prisma Access release these egress IP addresses and add them to your deployment. If Prisma Access allocates more IP addresses after the initial configuration because of an autoscale event, you must confirm the new egress IP addresses as added before Prisma Access adds them to your deployment; until you do, the additional capacity is not available.

Once enabled, the Egress IP Allowlists table shows which IP addresses are confirmed and which are still unconfirmed, together with their provisioning status.
Cloud Management
Learn how to enable the egress IP allowlists for existing cloud managed mobile
users.
Enable Prisma Access to display the egress IP addresses for Prisma Access traffic, then use these IP addresses in the IP allow lists of the SaaS applications where you restrict access to authorized users or sources.

- Go to Manage > Service Setup > Mobile Users. If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > GlobalProtect, edit the Infrastructure settings, and open Prisma Access Locations.
- Display the IP addresses for the Prisma Access locations.
- Enable Egress IP Allowlist to display the IP addresses for the onboarded Prisma Access locations.
- Copy the allocated IP addresses and add them to the allowlists of your SaaS applications.
- Select Migrate to confirm the IP addresses allocated for the onboarded locations in Prisma Access.
- Retrieve the IP addresses for a newly onboarded location or after an auto-scaling event:
  - Select the Location name to find the new egress IP addresses allocated to the location.
  - Add these IP addresses to the allowlists of your SaaS applications before you confirm them in Prisma Access.
- Push your changes to Prisma Access.
Statuses of Allocated Egress IP Addresses

The status column in the Egress IP Allowlists table indicates whether all the allocated IP addresses for a location are provisioned for your deployment. The statuses are:

- Provisioned: You have added the egress IP addresses to the allowlists of your SaaS applications, confirmed the IP addresses in Prisma Access, and pushed your changes, so the addresses are fully provisioned.
- Partially Provisioned: You have added the first set of egress IP addresses, confirmed them in Prisma Access, and pushed your changes, but Prisma Access has since added another set of IP addresses as part of an auto-scale event, and those IP addresses are not yet confirmed in Prisma Access.
- Not Provisioned: Prisma Access has allocated IP addresses for the location, and you have added them to the allowlists of your SaaS applications and confirmed them in Prisma Access, but you have not yet onboarded this location.
- Cannot be Provisioned: You have onboarded this location but have not yet confirmed the IP addresses in Prisma Access and pushed your changes. Prisma Access does not release the addresses to your deployment until you do.
The Egress IP Allowlists table also shows how many of the allocated IP addresses are confirmed in Prisma Access. For example, 1/2 means that 1 of the 2 IP addresses allocated for the location is confirmed in Prisma Access.
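Before you select Migrate or confirm a location's addresses, check that every address in the table is actually covered by the SaaS application's allowlist: confirming an address that is not yet allow listed lets Prisma Access release it, and users routed through it are then blocked by the application. The following added example, which is not part of the Prisma Access documentation or product, performs that check with Python's ipaddress module. The allocated addresses and the SaaS allowlist are constructed sample data from the RFC 5737 documentation ranges, and the location names are illustrative.

```python
"""Reconcile Prisma Access egress IPs against a SaaS allowlist before confirming them.

Added example, not Prisma Access code. The allocated addresses and the SaaS
allowlist below are constructed sample data; replace them with the addresses
shown in the Egress IP Allowlists table and the allowlist exported from your
SaaS application.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: egress IPs as read from the Egress IP Allowlists table.
# RFC 5737 documentation addresses, not real Prisma Access addresses.
ALLOCATED = {
    "US Northeast": ["203.0.113.10", "203.0.113.11"],
    "Hong Kong": ["198.51.100.20", "198.51.100.21",
                  "198.51.100.22", "198.51.100.23"],  # second pair from an autoscale event
}

# Constructed sample: what the SaaS application currently allows (IPs or CIDRs).
SAAS_ALLOWLIST = ["203.0.113.0/28", "198.51.100.20/31"]


def _networks(entries):
    """Parse allowlist entries (single IPs or CIDRs) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def covered(ip, networks):
    """True when the address falls inside at least one allowlist network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


@dataclass
class LocationCheck:
    location: str
    allocated: list
    missing: list = field(default_factory=list)  # allocated but not yet allow listed

    @property
    def confirmed(self):
        """How many allocated addresses are already allow listed (the 'n' in n/m)."""
        return len(self.allocated) - len(self.missing)

    @property
    def may_confirm(self):
        """Only confirm in the Prisma Access UI when nothing is missing."""
        return not self.missing

    def summary(self):
        return f"{self.confirmed}/{len(self.allocated)} egress IPs allow listed"


def reconcile(allocated, saas_allowlist):
    """Compare each location's allocated addresses against the SaaS allowlist."""
    nets = _networks(saas_allowlist)
    results = {}
    for location, ips in allocated.items():
        missing = [ip for ip in ips if not covered(ip, nets)]
        results[location] = LocationCheck(location, list(ips), missing)
    return results


def locations_safe_to_confirm(allocated, saas_allowlist):
    """Locations whose every allocated address is covered, i.e. safe to Migrate/confirm."""
    checks = reconcile(allocated, saas_allowlist)
    return sorted(loc for loc, r in checks.items() if r.may_confirm)


if __name__ == "__main__":
    for loc, r in reconcile(ALLOCATED, SAAS_ALLOWLIST).items():
        action = "OK to confirm" if r.may_confirm else f"do NOT confirm; add {r.missing}"
        print(f"{loc}: {r.summary()} -> {action}")
```

Run it again after every onboarding and autoscale event, because the second pair of Hong Kong addresses in the sample is exactly the case the table reports as partially provisioned: the first pair is covered, the new pair is not, and the location must not be confirmed until the allowlist is updated.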
Panorama
Learn how to enable the egress IP allowlists for existing Panorama managed mobile
users.
To let you add the public (egress) IP addresses for your GlobalProtect Mobile User deployment to any SaaS application allow lists your organization uses, Prisma Access provides the IP addresses and lets you verify that you have added them to your allow lists before using them in your environment. This method of egress IP address allocation has the following benefits:

- It ensures that Prisma Access only provisions IP addresses that you have allow listed.
- It prevents mobile user traffic from leaving Prisma Access on an egress IP address that your organization's allow lists do not yet permit. Prisma Access does not release IP addresses to your deployment until you have confirmed them as allow listed.
- It provides a way to retrieve your current egress IP addresses without using the Prisma Access API.
Prisma Access allocates egress IP addresses in the following situations:

- When you onboard your locations during mobile user onboarding. Prisma Access allocates two gateway IP addresses for each location you onboard. If you onboard a location while other locations in the same compute location are experiencing an autoscale event, Prisma Access might allocate more than two IP addresses for the new location. In that case, add all of these IP addresses to your allow lists and confirm every address as Added to My Allow List.
- During a large scaling event. If the number of mobile users exceeds the capacity of the two pre-allocated IP addresses, Prisma Access allocates one more set of two IP addresses. Autoscale events affect all the onboarded locations in a compute location: when an autoscale event occurs for a location and you have not yet confirmed the addresses as added to your allow lists, all locations in that compute location show an Autoscale Status of Not Allowed.

Autoscale Status shows the status of autoscaling in Prisma Access:

- Allowed: You have added the IP addresses to your allow lists. If a large number of mobile users log in to a single location and trigger an autoscale event, Prisma Access uses the allow listed IP addresses for the autoscale event.
- Not Allowed: You have not marked all IP addresses as added to your allow lists in the Prisma Access UI, or you have not committed and pushed your changes after marking them. If an autoscale event occurs, Prisma Access does not provision more IP addresses to add capacity for the location.

Every time you add a location, and every time Prisma Access adds IP addresses as a result of an autoscale event, refresh the page that contains the Egress IP Allow List table, select Added to My Allow List to mark the IP addresses as added to your organization's allow lists, and Commit and Push your changes.

To stay informed of any IP addresses that Prisma Access adds as a result of an autoscale event, you can set up a URL where Prisma Access will notify you of IP address changes.
You are not required to enable this functionality; you choose whether to hold the release of IP addresses until you have confirmed them as allow listed in the UI. To prevent Prisma Access from provisioning public (egress) GlobalProtect IP addresses to your deployment until you have added them to your allow lists, set Using IP Allow List in SaaS Apps to Yes during Mobile Users—GlobalProtect onboarding, then confirm in the Prisma Access UI that you have added them by completing the following task.

- Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect.
- Select your Hostname and Configure it (for an existing deployment), or Configure your deployment for the first time (for a new deployment).
- Set Using IP Allow List in SaaS Apps to Yes.
- Continue your Prisma Access onboarding, including selecting the locations to use in your Mobile Users—GlobalProtect deployment, and Commit and Push your changes. It might take up to a minute for the changes to be reflected in the UI. If you view the Egress IP Allow List before committing and pushing your changes, it shows a status of 0/0 Egress IPs Confirmed Allow Listed, because Prisma Access has not yet assigned any egress IP addresses to your deployment.
- View the Egress IP Allow List table and note the egress IP addresses that need to be added to your allow lists. The egress IP addresses appear in the Confirmed Allow Listed Egress IPs / Allocated field of the Egress IP Allow List table; the first number is how many of the allocated addresses have been confirmed as added to your allow lists. For example, 0/2 Egress IPs Confirmed Allow Listed for the US Northeast location means that 0 of the two allocated egress IP addresses have been marked as added, and you need to add them. For a new Prisma Access deployment, or after you add locations or have an autoscale event, the table shows that none of the new egress IP addresses have been added to your organization's allow list. For an existing Prisma Access deployment, the table shows a Provisioning Status of Provisioned and an Autoscale Status of Allowed, which indicates that Prisma Access marked the existing egress IP addresses as added. Prisma Access allocates two addresses for each newly added location. If an existing location has had an autoscale event because a large number of mobile users logged in to it at the same time, Prisma Access allocates additional egress IP addresses in multiples of two, so an existing location can have four or more addresses.
- Find the new egress IP addresses that need to be added to your organization's allow lists by selecting the Location name in the table.
- Add these egress IP addresses to your organization's allow lists.
- After you have allow listed the egress IP addresses, return to the egress IP area and select Added to My Allow List to indicate that you have added them.
- Commit and push your changes to make them active in Prisma Access:
  - Select Commit > Commit and Push, then Edit Selections in the Push Scope.
  - Select Prisma Access, then make sure that Mobile Users is selected.
  - Click OK to save your changes to the Push Scope.
  - Commit and Push your changes.
If you view the Egress IP Allow List table before committing and pushing your changes, the Confirmed column shows 0/0 Egress IPs Confirmed Allow Listed, because Prisma Access does not assign any IP addresses to your deployment until you Commit and Push.

The Egress IP Allow List table contains the following additional fields:

- Location: The onboarded mobile user location.
- Confirmed Allow Listed Egress IPs / Allocated: The number of egress IP addresses that have been confirmed as allow listed, and the number of egress IP addresses that have been allocated.
- Provisioning Status: The allow listing status of the egress IP addresses.
  - Provisioned: You have added the egress IP addresses to your organization's allow lists, confirmed them as added in the Prisma Access UI by checking Added to My Allow List, and committed and pushed your changes, so the addresses are fully provisioned.
  - Not Provisioned: Prisma Access has allocated IP addresses for the location, and you have added them to your organization's allow lists and confirmed them as added in the Prisma Access UI, but you have not yet onboarded this location.
  - Cannot Be Provisioned: You have onboarded this location but have not yet checked Added to My Allow List and committed and pushed your changes. Until you confirm in Prisma Access that you have added these egress IPs to your organization's allow lists and Commit and Push your changes, Prisma Access does not provision these IP addresses to your deployment.
  - Provisioned with partial capacity: You have added the first set of egress IP addresses, confirmed them as added in the Prisma Access UI, and committed and pushed your changes, but Prisma Access has since added another set of IP addresses as part of an autoscale event, and those addresses have not been marked as added in the Prisma Access UI. The following screenshot shows an example of a deployment that would be marked as Provisioned with partial capacity: two IP addresses have been marked as Added to My Allow List, but Prisma Access has added two more IP addresses to this location, and those addresses have not been marked as added in the UI.
- Autoscale Status: Shows the status of autoscaling in Prisma Access.
  - Allowed: You have added the IP addresses to the allow lists. If a large number of mobile users log in to a single location and trigger an autoscale event, Prisma Access uses the allow listed IP addresses for the autoscale event.
  - Not Allowed: You have not marked all IP addresses as added to your allow lists in the Prisma Access UI, or you have not committed and pushed your changes after marking them. If an autoscale event occurs, Prisma Access does not provision more IP addresses to add capacity for the location. Every time you add a location, and every time Prisma Access adds IP addresses as a result of an autoscale event, refresh the page that contains the Egress IP Allow List table, select Added to My Allow List to mark the IP addresses as added to your organization's allow lists, and Commit and Push your changes. To stay informed of any IP addresses that Prisma Access adds as a result of an autoscale event, you should set up a URL where Prisma Access will notify you of IP address changes.
- Timestamp: The last known time when an IP address was allocated for this region, in Coordinated Universal Time (UTC).

After you Commit and Push, the Confirmed column shows 0/2 Egress IPs Confirmed Allow Listed, because you have not yet confirmed the IP addresses as allow listed in the Prisma Access UI.
When you onboard a mobile user location, Prisma Access provides you with two egress IP addresses: one active IP address and one to use in case of an autoscale event. The following example shows how Prisma Access allocates and provisions egress IP addresses after an autoscale event.

Autoscale Event: If a large number of mobile users log in to a mobile user location at the same time, Prisma Access might allocate an additional set of two egress IP addresses to accommodate them. After you have allow listed the first two egress IP addresses, the status before an autoscale event shows the two egress IP addresses as allow listed, with a confirmed status of 2/2 Egress IPs Confirmed Allow Listed, a provisioning status of Provisioned, and an autoscale status of Allowed, as shown for the Hong Kong location in the following screenshot.

If a large number of mobile users log in to the Hong Kong location at the same time, Prisma Access makes the backup egress IP address active, allocates two more IP addresses, and makes one of them active. When the autoscale event occurs, the new egress IP addresses have been allocated but not provisioned: the confirmed status is 2/4 Egress IPs Confirmed Allow Listed, the provisioning status shows Provisioned with partial capacity, and the autoscale status shows Not Allowed, which means that Prisma Access will not provision the extra egress IP addresses to your deployment for further autoscale events until you confirm them. After you have added the new egress IP addresses to your allow lists, select the location name, select Added to My Allow List for the two IP addresses that were added, and Commit and Push your changes. When complete, the Hong Kong location shows all four egress IP addresses as confirmed and provisioned, and autoscaling is active.
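To make the status rules concrete, the following added example, which is not Prisma Access code, models one row of the Egress IP Allow List table as a small state machine using the Provisioning Status and Autoscale Status definitions above, and replays the Hong Kong sequence: onboard, mark and push, autoscale, mark the new pair and push. The addresses are constructed sample values from the RFC 5737 documentation range, and the event names (onboard, autoscale_event, mark_added, commit_and_push) are this example's own and do not correspond to any Prisma Access API.

```python
"""Replay of the egress IP allow-list lifecycle for one Prisma Access location.

Added example, not Prisma Access code. It encodes the Provisioning Status and
Autoscale Status rules from the documentation so the Hong Kong autoscale
sequence can be replayed and checked. Addresses are constructed sample values.
"""
from dataclasses import dataclass, field
from itertools import count

# Constructed pool of sample addresses handed out two at a time, in the order
# they would be allocated (initial pair first, then one pair per autoscale event).
_POOL = (f"198.51.100.{n}" for n in count(20))

PROVISIONED = "Provisioned"
NOT_PROVISIONED = "Not Provisioned"
CANNOT_BE_PROVISIONED = "Cannot Be Provisioned"
PARTIAL = "Provisioned with partial capacity"


@dataclass
class Location:
    name: str
    onboarded: bool = False
    allocated: list = field(default_factory=list)  # addresses shown in the table
    marked: set = field(default_factory=set)       # "Added to My Allow List" ticked in the UI
    pushed: set = field(default_factory=set)       # marked addresses as of the last Commit and Push

    # --- events ---------------------------------------------------------
    def onboard(self):
        """Onboard the location and Commit and Push: two addresses are allocated."""
        self.onboarded = True
        self._allocate_pair()

    def autoscale_event(self):
        """A login surge: one more pair of addresses is allocated."""
        if not self.onboarded:
            raise RuntimeError("autoscale cannot occur before onboarding")
        self._allocate_pair()

    def mark_added(self, *ips):
        """Tick 'Added to My Allow List' for addresses already in the SaaS allowlists."""
        unknown = set(ips) - set(self.allocated)
        if unknown:
            raise ValueError(f"not allocated to {self.name}: {sorted(unknown)}")
        self.marked.update(ips)

    def commit_and_push(self):
        """Marking alone changes nothing; only a Commit and Push makes it count."""
        self.pushed = set(self.marked)

    def _allocate_pair(self):
        self.allocated.extend(next(_POOL) for _ in range(2))

    # --- derived table columns ------------------------------------------
    @property
    def confirmed(self):
        n = len(self.pushed & set(self.allocated))
        return f"{n}/{len(self.allocated)} Egress IPs Confirmed Allow Listed"

    @property
    def provisioned_ips(self):
        """Addresses actually released to the deployment: marked AND pushed."""
        return [ip for ip in self.allocated if ip in self.pushed]

    @property
    def provisioning_status(self):
        # Simplification: a location that is not onboarded is reported as Not Provisioned.
        if not self.onboarded:
            return NOT_PROVISIONED
        if not self.provisioned_ips:
            return CANNOT_BE_PROVISIONED
        if len(self.provisioned_ips) == len(self.allocated):
            return PROVISIONED
        return PARTIAL

    @property
    def autoscale_status(self):
        # Allowed only when every allocated address is marked and pushed.
        return "Allowed" if self.provisioning_status == PROVISIONED else "Not Allowed"


def replay_hong_kong():
    """Drive the documented Hong Kong sequence; return the table row after each step."""
    hk = Location("Hong Kong")
    rows = []
    hk.onboard()                                  # 0/2, Cannot Be Provisioned
    rows.append((hk.confirmed, hk.provisioning_status, hk.autoscale_status))
    hk.mark_added(*hk.allocated)
    hk.commit_and_push()                          # 2/2, Provisioned, Allowed
    rows.append((hk.confirmed, hk.provisioning_status, hk.autoscale_status))
    hk.autoscale_event()                          # 2/4, partial capacity, Not Allowed
    rows.append((hk.confirmed, hk.provisioning_status, hk.autoscale_status))
    hk.mark_added(*hk.allocated[2:])
    hk.commit_and_push()                          # 4/4, Provisioned, Allowed
    rows.append((hk.confirmed, hk.provisioning_status, hk.autoscale_status))
    return rows


if __name__ == "__main__":
    for row in replay_hong_kong():
        print(" | ".join(row))
```

The property worth noticing is that mark_added on its own never changes a status: until commit_and_push runs, the location stays at Cannot Be Provisioned or Provisioned with partial capacity and Autoscale Status stays Not Allowed, which is why the documentation repeats the Commit and Push step after every new location and every autoscale event.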