Enable Mobile Users to Access Corporate Resources
Enable your Prisma Access mobile users to access internal
resources at your HQ or in you data center.
To enable Prisma Access for users to enable
internet access only you do not need to set up any networking services
because Prisma Access provides a default IP address pool and a cloud
default DNS server.
However, if you want your mobile users
to be able to access internal resources at your headquarters, data
centers, or at remote network sites you have onboarded to Prisma
Access, you will need to:
- define the IP address pools Prisma Accesses uses to assign IP addresses to your mobile users,
- set up the Prisma Access service infrastructure,
- and, to allow access to your headquarters or data centers, onboard service connections.
If you want your mobile
users to connect to remote network sites, you must configure at
least one service connection, even if you do not plan on using the connection
to provide access to your data center or HQ locations. Though all branches
are fully meshed, mobile user connections are not. Creating a service connection
establishes the hub-and-spoke architecture required to enable mobile user
traffic to route to your branch networks. In this case, you can
minimally configure the service connection as follows:
- When you onboard the service connection use a Prisma Access location that is close to your mobile users.
- When you set up the primary IPSec tunnel for the service connection, configure the IPSec peer authentication and tunnel settings using placeholder values.
- When you enable routing and QoS for the service connection,add placeholder IP subnets.Because Prisma Access does not route any traffic through this tunnel, just make sure the IP subnet you use doesn’t conflict or overlap with other configured subnets connected to Prisma Access.
- Go to and editInfrastructure Settingsto adjust the network settings for mobile users.
- Review or adjust theClient IP Poolthat Prisma Access uses to assign IP addresses to mobile users.
- By default, aWorldwideIP pool is available for all mobile users.
- You canCustomize per regionto use a set up IP pools dedicated to regions or locations. For regions or locations that you do not specify an IP pool, Prisma Access uses the worldwide IP pool.
The IP address pools you define must meet the following requirements:- As a best practice, define RFC 1918-compliant IP address pools to prevent IP address conflicts.
- Make sure the IP address pools you define do not overlap with other IP addresses you use internally.
- Make sure the IP address pools you define do not overlap with the infrastructure IP address pool you are using for Prisma Access.
- Do not specify any subnets that overlap with 169.254.169.253, 169.254.169.254, and the 100.64.0.0/10 subnet range because Prisma Access reserves those IP addresses and subnets for its internal use.
- Make sure you designate an IP address pool that allows enough coverage for all mobile users in your organization, based on the following guidelines:
- If you plan to use a Worldwide address pool deployed in one or two regions the minimum required IP address pool is /23 (512 IP address).
- If you plan to use a Worldwide address pool deployed in three or more regions the minimum required IP address pool is /19 (8,192 IP addresses), either in a single IP address pool or spread across multiple pools.
- If you plan to define IP address pools per region, the minimum pool size in any region is /23 (512 IP addresses).
- You do not need to assign an IP address pool in regions where you do not plan to deploy Prisma Access. For example, select the US East (N. Virginia), US East (Ohio), and US West (N. California), regions only when you onboard Prisma Access for users, you need to specify an IP address pool for the Americas region only. Keep in mind, however, that users in other regions will not be able to connect to Prisma Access.
- If you plan to define a mix of Worldwide and regional pools, make sure you allocate at least 512 IP addresses per region. For example, for a three-region deployment, you can specify 1,024 addresses in the Europe region and 512 addresses Worldwide.
- As a best practice, designate IP address pools so that you have at least one IP address for each unique mobile user in your organization so they can log in simultaneously. If you designate an IP address pool that has a smaller number of IP addresses than your licensed number of users, Prisma Access will display a warning message. However, if you have a limited IP address pool and you do not expect all users to log in concurrently you can bypass the message and use a smaller pool size.
- AddClient DNSsettings—you can use theWorldwidedefault or customize settings based on region.Select the region for which you want to customize DNS settings:
Check the option to use these DNS settings toResolve internal domainsand optionallyUse the internal DNS Server for resolving public domains too. If you don’t select this option, Prisma Access uses its cloud default DNS serves to resolve requests for public domains.The DNS proxy in Prisma Access sends the requests to the DNS servers you specify. The source address in the DNS request is the first IP address in the IP pool you assign to the region. To ensure that your DNS requests can reach the servers you will need to make sure that you allow traffic from all addresses in your mobile user IP address pool to your DNS servers. - If you want your mobile users to be able to access resources on your HQ or data center networks or at other branch locations, you must configure the Prisma Access Infrastructure Settings to enable the network backbone.Go to and edit theInfrastructure Settings.
- To enable mobile users to access resources on your HQ or data centers, create service connections to connect these sites to Prisma Access.Go to .
- When you’re ready,Push Configto Prisma Access to save your mobile user settings.
