IP Address Pools for a GlobalProtect Mobile Users Deployment
Learn how to allocate IP address pools in the Prisma Access Mobile Users—GlobalProtect
deployment.
| Where Can I Use
This? | What Do I Need? |
|---|
Make sure that you have specified an IP address pool that allows
enough coverage for the mobile users in your organization. It is
important to remember that each unique user can use multiple devices
to connect to
Prisma Access at the same time, and each connected
device requires a unique IP address from the pool. The addresses
in this pool must not overlap with other address pools you use internally
or with the IP subnet you assign when you
Enable
the Service Infrastructure.
We recommend that the number of IP addresses in the pool is 2
times the number of mobile user devices that will connect to Prisma
Access. If your organization has a bring your own device (BYOD)
policy, or if a single user has multiple user accounts, make sure
that you take those extra devices and accounts into consideration
when you allocate your IP pools. If your pool space is limited,
you can specify a smaller address pool; however, if your IP address
pool reaches its limit, additional mobile user devices will not
be able to connect.
The UI validates that you enter valid IP subnets (for example,
if you enter a pool with a subnet of less than /23, it will prompt
you to change it). However, it does not check to ensure that you
have allocated sufficient IP addresses for your deployment.
This validation is not available if you configure locations
using CLI. If you deploy all locations using CLI, we recommend that
you add a /18 address in the Worldwide pool for mobile users.
Prisma Access checks your configuration to make sure that you
have specified the following minimum IP address pool:
A minimum of /23 (512 IP addresses) is required for either
a Worldwide or regional address pool.
- If an existing location is converted to a compute location, that location requires a
minimum /23 subnet after the conversion.
If you do not onboard any Prisma Access gateways in a region,
an IP address pool for that region is not required. For example,
if you specify gateways in the US East, US Northwest, and US Northeast
locations, you need to only specify an IP address pool for the North
America & South America region. Conversely, if you enable mobile
user locations in Europe without specifying either a Worldwide address
pool or an IP address pool in Africa, Europe, & Middle East,
your deployment will fail.
GlobalProtect mobile users consume the IP addresses in the
location group first, then theater-specific IP addresses, then Worldwide
IP addresses. For example, if you specify a pool for a location
group and Worldwide, and you then exhaust the available IP addresses
in the location group pool, Prisma Access then takes IP addresses
from the Worldwide pool to use in that location
group.
If you specify more than one block of IP address pools,
Prisma Access uses the pools in the order that you entered them
during
mobile user setup.
