Specify IP Address Pools for Mobile Users

You need to make sure that you have specified an IP address pool that allows enough coverage for the mobile users in your organization. We recommend having at least one IP address in your IP address pool for each unique mobile user in your organization so they can log in simultaneously. If your pool space is limited, however, you can specify a smaller address pool.
In Panorama, the UI validates the minimum IP address pool and prompts you if changes are required. This validation is not available if you configure locations using the CLI. If you deploy all locations using the CLI, we recommend that you add a /18 address in the Worldwide pool for mobile users.
Prisma Access checks your configuration to make sure that you have specified the following minimum IP address pool:
  • If you specify a Worldwide address pool, a minimum of /23 (512 IP addresses) is required if you have locations deployed in one or two regions. If you have locations in three regions, a minimum of /19 (8,192 IP addresses) is required.
    You can divide up your total subnets into smaller subnets; the minimum subnet you can specify is /23.
  • If you specify IP address pools per region, a minimum of 512 IP addresses (/23 address pool) is required for each region where you have locations deployed.
    If you do not onboard any Prisma Access gateways in a region, an IP address pool for that region is not required. For example, if you specify gateways in the US East, US Northwest, and US Northeast locations, you need to specify an IP address pool only for the North America & South America region.
  • If you specify a mix of Worldwide and regional pools, specify IP address pools to ensure that there are at least 512 IP addresses per region.
    For example, for a three-region deployment, you can specify 1,024 addresses in the Europe region and 512 addresses Worldwide.
    A warning message displays if you specify an IP address pool that is less than the total number of licensed mobile users. If you determine that your deployment will not have all mobile users log in concurrently, you can bypass this message and keep this configuration.
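
Because the CLI path skips the Panorama validation, the following added example (not Palo Alto Networks code) checks a planned pool layout against the minimums listed above before it is committed. It covers the Worldwide-only and per-region-only cases and does not model mixed pools. It assumes the three-region /19 minimum is met by total address count, and the function names and sample CIDR blocks are constructed for illustration.

```python
import ipaddress

MIN_REGION_ADDRS = 512          # /23 minimum stated on the page
MIN_WORLDWIDE_3_REGIONS = 8192  # /19 minimum for three regions
SMALLEST_WORLDWIDE_PREFIX = 23  # smallest Worldwide subnet allowed

def total_addresses(cidrs):
    """Sum the sizes of the given CIDR blocks (assumes they do not overlap)."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)

def check_pools(deployed_regions, worldwide=(), regional=None, licensed_users=None):
    """Return (errors, warnings) for a planned mobile-user pool layout.

    deployed_regions: names of regions that have locations onboarded
    worldwide:        CIDR strings in the Worldwide pool
    regional:         {region name: [CIDR strings]}
    """
    regional = regional or {}
    if worldwide and regional:
        raise ValueError("mixed Worldwide and regional pools are not modelled")
    errors, warnings = [], []
    if worldwide:
        # One or two regions need 512 addresses; three regions need 8,192.
        need = MIN_WORLDWIDE_3_REGIONS if len(deployed_regions) >= 3 else MIN_REGION_ADDRS
        for cidr in worldwide:
            if ipaddress.ip_network(cidr).prefixlen > SMALLEST_WORLDWIDE_PREFIX:
                errors.append(f"{cidr}: Worldwide subnets must be /23 or larger")
        have = total_addresses(worldwide)
        if have < need:
            errors.append(f"Worldwide: {have} addresses, need {need}")
    else:
        # Only regions with deployed locations need a pool.
        for region in deployed_regions:
            have = total_addresses(regional.get(region, []))
            if have < MIN_REGION_ADDRS:
                errors.append(f"{region}: {have} addresses, need {MIN_REGION_ADDRS}")
    pool = total_addresses(worldwide) + sum(total_addresses(v) for v in regional.values())
    if licensed_users is not None and pool < licensed_users:
        warnings.append(f"pool of {pool} is below {licensed_users} licensed users")
    return errors, warnings

if __name__ == "__main__":
    # Constructed plan: three regions sharing one /23 Worldwide pool.
    print(check_pools(["Region-A", "Region-B", "Region-C"],
                      worldwide=["10.200.0.0/23"], licensed_users=2000))
```

An entry in the warnings list corresponds to the bypassable licensed-user message described above; an entry in the errors list is a layout that falls below the stated minimums.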
