>
    Add a New Compute Location for a Deployed Prisma Access Location
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma
    3. Prisma Access
    4. Prisma Access Advanced Deployments
    5. Advanced Deployments that Apply to All Prisma Access Types
    6. Add a New Compute Location for a Deployed Prisma Access Location
    Download PDF

    Add a New Compute Location for a Deployed Prisma Access Location

    Table of Contents

    Add a New Compute Location for a Deployed Prisma Access Location

    Learn about how IP addresses change and how to use a new compute location for an existing location.
    To optimize performance and improve latency, Prisma Access can introduce new compute locations for locations you have already deployed as part of a plugin upgrade. When you upgrade the plugin, the existing compute location-to-location mapping does not change, but you can choose to take advantage of the new compute location. If you change the compute location, Prisma Access changes the gateway and portal IP addresses (for mobile users) and Service IP addresses (for remote networks and service connections) for the location or locations to which the new compute location is associated. If you use allow lists in your network to provide users access to internet resources such as SaaS applications or publicly accessible partner applications, you need to add these new IP addresses to your allow lists.
    To upgrade to a new compute location after it becomes available, complete the following task.
    Since you need to allow time to delete and add the existing location and change your allow lists (for mobile users) or peer IPSec tunnel IP address (for remote networks and service connections), Palo Alto Networks recommends that you schedule a compute location change during a maintenance window or during off-peak hours.
    To reduce down time for mobile user deployments, use the API to pre-allocate the new mobile user gateway and portal IP addresses before you perform these steps.
    1. (Remote Network deployments only) Add bandwidth for the new remote network compute locations.
      1. (Remote Network deployments that allocate remote network bandwidth by compute locations only) Select PanoramaCloud ServicesConfigurationRemote Networks.
      2. Click the gear icon in the Bandwidth Allocation area and add Bandwidth Allocation (Mbps) for the new compute location.
      3. Wait for the bandwidth to be reflected in the Allocated Total field at the top of the page; then, click OK.
    2. Delete the Service Connection, Remote Network connection, or Mobile User location associated with the new compute location.
      For Mobile User—GlobalProtect deployments, if you have added the location to the Manual Gateway Locations tab, be sure to delete it from there as well as the Locations tab.
    3. Commit and push your changes.
    4. Re-add the locations you just deleted.
    5. Commit and push your changes.
    6. (Mobile User deployments only) Retrieve the new gateway and portal IP addresses using the API script and add them to your allow lists.
    7. (Remote Network and Service Connection deployments only) Change your CPE to point to the new IP addresses for the IPSec tunnel for the remote network connection or service connection.
      For remote network connections, select PanoramaCloud ServicesStatusNetwork DetailsRemote Networks, make a note of the Service IP Address, and configure the new Service IP Address as the peer address for the remote network IPSec tunnel on your CPE.
      For service connections, select PanoramaCloud ServicesStatusNetwork DetailsService Connection, make a note of the Service IP Address, and configure the new Service IP Address as the peer address for the service connection IPSec tunnel on your CPE.
    8. Select PanoramaCloud ServicesStatusNetwork DetailsRemote Networks, make a note of the Service IP Address, and configure the new Service IP Address as the peer address for the remote network IPSec tunnel on your CPE.
      When you delete and re-add a remote network connection, the IP address of the IPSec tunnel on the Prisma Access side changes.

    © 2024 Palo Alto Networks, Inc. All rights reserved.