Manage Allow Listing for New Prisma Access Deployments

How to manage allow listing for a new Prisma Access deployment.

To prevent Prisma Access from provisioning public (egress) GlobalProtect IP addresses to your deployment until you have added them to your allow lists, specify Yes in the Using IP Allow List in SaaS Apps setting during Mobile Users—GlobalProtect onboarding. Confirm that you have added them in the Prisma Access UI by completing the following task.
  1. Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect.
  2. Select your Hostname and Configure it (for an existing deployment), or Configure your deployment for the first time (for a new deployment).
  3. Specify Using IP Allow List in SaaS Apps as Yes.
  4. Continue your Prisma Access onboarding, including selecting the locations to use in your Mobile Users—GlobalProtect deployment, and Commit and Push your changes.
    It might take up to a minute for the changes to be reflected in the UI. If you view the Egress IP Allow List before committing and pushing your changes, it shows a status of 0/0 Egress IPs Confirmed Allow Listed, because Prisma Access has not assigned any egress IP addresses to your deployment.
  5. View the Egress IP Allow List table, and make a note of the egress IP addresses that need to be added to your allow lists.
    You can view the egress IP addresses in the Confirmed Allow Listed Egress IPs / Allocated field of the Egress IP Allow List table. The first number indicates whether or not the IP address has been confirmed as being added to your allow lists. For a description of the other fields in this table, see Fields in the Egress IP Allow List table.
    The following example shows the IP addresses for the US Northeast location. The description of 0/2 Egress IPs Confirmed Allow Listed indicates that 0 of the two egress IP addresses have been marked as being added to your allow lists, and you need to add them.
    If you have a new Prisma Access deployment, or if you have added locations or had an autoscale event, the table shows that none of the egress IP addresses have been added to your organization’s allow list.
    If you have an existing Prisma Access deployment, the table shows a Provisioning Status of Provisioned and an Autoscale Status of Allowed, which indicates that Prisma Access marked the egress IP addresses as added.
    Prisma Access allocates two addresses for each newly added location. If an existing location has previously had an autoscale event (when a large number of mobile users logged in to a single location at the same time), Prisma Access allocates additional egress IP addresses in multiples of two, so an existing location could have four or more addresses.
  6. Find the new egress IP addresses that need to be added to your organization’s allow lists by selecting the Location name in the table.
  7. Add these egress IP addresses to your organization’s allow lists.
  8. After you have allow listed the egress IP addresses, return to the egress IP area and indicate that you have added them to your allow lists by selecting Added to My Allow List.
  9. Commit and push your changes to make them active in Prisma Access.
    1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
    2. Select Prisma Access, then make sure that Mobile Users is selected.
    3. Click OK to save your changes to the Push Scope.
    4. Commit and Push your changes.
    If you view the Egress IP Allow List table before committing and pushing your changes, the Confirmed column shows a status of 0/0 Egress IPs Confirmed Allow Listed, because Prisma Access does not assign any IP addresses to your deployment until you Commit and Push.
    After you Commit and Push, the Confirmed column shows a status of 0/2 Egress IPs Confirmed Allow Listed, because you have not yet confirmed the IP addresses as having been allow listed in the Prisma Access UI.
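
A pre-confirmation check for steps 5 through 8, added here as an example and not part of the Prisma Access product or its documentation: before selecting Added to My Allow List, compare the egress IP addresses you noted per location against the entries in your organization's allow list. The function name, the data layout and all addresses (documentation ranges) are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample data: egress IPs as noted by hand from the
# Egress IP Allow List table, keyed by location. Not real Prisma Access IPs.
SAMPLE_ALLOCATED = {
    "US Northeast": ["192.0.2.10", "198.51.100.11"],
    "Example Location B": ["203.0.113.5", "203.0.113.6", "203.0.113.7"],
    "Example Location C": ["192.0.2.20", "192.0.2.21"],
}
# Constructed sample of the organization's allow list (single IPs or CIDRs).
SAMPLE_ALLOW_LIST = ["192.0.2.0/24", "203.0.113.5", "203.0.113.6/31"]


def check_allow_list(allocated, allow_list):
    """Report, per location, which noted egress IPs the allow list misses.

    count_plausible reflects the allocation rule described in step 5:
    two addresses per location, more only in multiples of two. An odd or
    short list suggests an address was missed when copying from the table.
    """
    networks = [ipaddress.ip_network(e, strict=False) for e in allow_list]
    report = {}
    for location, ips in allocated.items():
        missing = [
            ip for ip in ips
            if not any(ipaddress.ip_address(ip) in net for net in networks)
        ]
        count_plausible = len(ips) >= 2 and len(ips) % 2 == 0
        report[location] = {
            "covered": len(ips) - len(missing),
            "total": len(ips),
            "missing": missing,
            "count_plausible": count_plausible,
            # Only confirm in the UI when every address is covered and
            # the noted list looks complete.
            "ready_to_confirm": not missing and count_plausible,
        }
    return report


if __name__ == "__main__":
    for loc, r in check_allow_list(SAMPLE_ALLOCATED, SAMPLE_ALLOW_LIST).items():
        state = "ready" if r["ready_to_confirm"] else "NOT ready"
        print(f"{loc}: {r['covered']}/{r['total']} covered, {state}, "
              f"missing={r['missing']}, count_plausible={r['count_plausible']}")
```
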
