Display Mobile User IP Addresses for SaaS Application Allowlists

Enable Prisma Access to display the egress IP addresses for Prisma Access traffic.
Enable Prisma Access to display the egress IP addresses for Prisma Access traffic. Use these IP addresses in the IP allow lists for your SaaS applications, where you’re restricting usage to authorized users or sources.

Enable Egress IP Allowlists for Mobile Users

You can enable the egress IP allowlists for existing mobile users deployment and during new user onboarding. If you enable egress IP allowlists for existing Prisma Access deployments, Prisma Access migrates all the egress IP addresses already allocated for your locations to the egress IP allowlists. For new Prisma deployments, enable the egress IP allowlist while onboarding the Global Protect mobile users. Every time you add a location or have an auto-scaling event, you should retrieve the new egress IP addresses that Prisma Access allocates and add them to allowlists in your SaaS applications. You can then push the configuration to your Prisma Access deployment to confirm the egress IP allowlists allocated for your locations.
  1. Go to
    Manage
    Service Setup
    Mobile Users
    .
  2. Display the IP addresses for Prisma Access locations.
    1. Enable
      Egress IP Allowlist to display the IP addresses for onboarded Prisma Access locations.
    2. Copy and add the allocated IP addresses to the allowlists of your SaaS applications.
    3. Migrate
      to confirm the IP addresses allocated for the onboarded locations in Prisma Access.
  3. Retrieve the IP addresses for new onboarded location or during an auto-scaling event.
    1. Select the
      Location
      name to find the new egress IP addresses allocated to the location.
    2. Add these IP addresses to the allowlists for your Saas applications before you confirm them in Prisma Access.
  4. Push your changes to Prisma Access.

Statuses of Allocated Egress IP Addresses

The status column in the Egress IP Allowlists indicates if all the allocated IP addresses for the locations are provisioned for your deployment. Read on to learn about each status.
  • Provisioned
    - You have added the egress IP addresses to the allowlists of your SaaS applications, confirmed the IP addresses in Prisma Access, and pushed your changes to make them fully provisioned.
  • Partially Provisioned
    - You have added the first set of egress IP addresses, confirmed them in the Prisma Access, and pushed your changes. However, Prisma Access has added another set of IP addresses as part of an auto-scale event, and those IP addresses are not confirmed in Prisma Access.
  • Not Provisioned
    - Prisma Access has allocated IP addresses for the location, and you have added the egress IP addresses to the allowlists of your SaaS applications and confirmed them in Prisma Access, but you have not yet onboarded this location.
  • Cannot be Provisioned
    - You have onboarded this location, but have not yet confirmed in Prisma Access and pushed your changes.
The Egress IP Allowlists table also indicates the number of IP addresses that are confirmed and yet to be confirmed in Prisma Access. For example, 1/2 means, 1 out of 2 IP addresses allocated for the location is confirmed in Prisma Access.

Recommended For You