Plan for IP Address Changes for Mobile Users, Remote Networks, and Service Connections

After you set up your Prisma Access deployment, it is useful to know when IP addresses change so that you can pro-actively plan your infrastructure and add required IP addresses to allow lists accordingly. The IP address changes can be the result of changes you made (for example, adding another mobile users location) or changes that Prisma Access performs automatically (for example, a large number of mobile users accesses a single Prisma Access gateway).
The following sections describe how IP addresses can change:

IP Address Allocation For Mobile Users

After you deploy Prisma Access for users for the first time, Prisma Access adds two sets of public IP addresses for each portal and gateway: one set that is in active use and another set that is reserved for future use. These IP addresses are unique, not shared, and dedicated to your Prisma Access deployment. If you have a multi-tenant setup, Prisma Access adds dedicated IP addresses for each tenant.
Since the public IP address is the source IP address used by Prisma Access for requests made to an internet-based destination, you need to know what the public IP addresses are and add them to an allow list in your network to provide your users access to resources such as SaaS applications or publicly-accessible partner applications.
The public IP addresses can change, and Prisma Access can put the reserved public IP address sets into active use, if the following events occur:
  • A large number of mobile users access the same location.
    When a scaling event occurs, Prisma Access adds one or more gateways to accommodate the increased number of users, assigns one or more of the reserved public IP addresses to the new gateways and makes them active, and adds a new set of reserved IP addresses to the mobile user locations to replace the ones that were used.
  • You add one or more locations to your deployment.
    When you add more locations, Prisma Access adds another gateway and a new set of active and reserved IP addresses for each new location you add.
  • Prisma Access upgrades its infrastructure, usually in conjunction with a new software release and an upgrade to the Cloud Services plugin.
    Prisma Access makes the reserved public IP addresses active, and makes the active public IP addresses reserved.
Because Prisma Access adds more public IP addresses when you add a gateway, and can add more public IP addresses after a scaling event, you should add an IP Change Event Notification URL, or use the API to retrieve mobile user addresses, to be notified of IP address changes in your Prisma Access infrastructure. You can then add any added or changed addresses to an allow list.

Public IP Address Scaling Examples for Mobile Users

The following examples illustrate the mobile user public IP address allocation process that Prisma Access uses during a scaling event or when you add a new location.
In the following example, you specified two locations in the Asia Pacific region for a new mobile user deployment: Sydney and Seoul. Each location has an active and a reserved set of public IP addresses, so Prisma Access allocates four sets of IP addresses for the gateways: two active and two reserved.
[Figure: mobile-user-scaling-event-before.png]
Then a large number of users log in to the Seoul location. To accommodate these extra users, Prisma Access adds a second gateway for the Seoul location and takes the reserved address from the first Seoul gateway (51.1.1.4) and makes this the active IP address for the second Seoul gateway. It then adds two additional IP addresses (51.1.1.5 and 51.1.1.6 in this example) to use as reserved IP addresses for the two Seoul gateways.
[Figure: mobile-user-scaling-event-after.png]
Then you add another location, Tokyo, in the Asia Pacific region. Prisma Access creates two new IP addresses for the new gateway (51.1.1.7 and 51.1.1.8).
[Figure: mobile-user-scaling-event-after-gateway-addition.png]
Each time you add a location or have a scaling event, you should retrieve the public and egress IP addresses that Prisma Access assigned (see Retrieve Public and Egress IP Addresses for Mobile User Deployments) and add them to an allow list in your network. Prisma Access keeps two sets of IP addresses at all times for all active gateways in each location.

Mobile User Public IP Address Reassignment Example After an Infrastructure Upgrade

When Prisma Access upgrades its infrastructure, usually to prepare for a software upgrade for the Cloud Services plugin, it changes the public IP addresses from active to reserved and vice versa. The following example illustrates the process.
Subscribe to text or email notices for upcoming scheduled infrastructure upgrades at status.paloaltonetworks.com.
The following graphic shows a sample deployment with three Prisma Access portals, three locations (Sydney, Tokyo, and Seoul), and an active and reserved public IP address for each portal and location.
[Figure: mobile-user-infra-upgrade-before.png]
After an infrastructure upgrade, Prisma Access reverses the public IP addresses for each portal and location. In this example, the Sydney location’s active public IP address changes from 51.1.1.1 to 51.1.1.2 and its reserved public IP address changes from 51.1.1.2 to 51.1.1.1. Adding both the active and reserved public IP addresses to allow lists ensures that users can still access the Prisma Access portals and gateways after an infrastructure upgrade.
[Figure: mobile-user-infra-upgrade-after.png]
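The scaling-event and infrastructure-upgrade rules described in the two sections above, replayed as an added Python model (this is illustrative code, not part of the original documentation or of Prisma Access). The Location class, the 51.1.1.x address pool and allow_list_delta are constructed for the example; it walks through the Sydney/Seoul/Tokyo scenario and shows why an allow list holding only the active addresses breaks after an upgrade while one holding both sets does not.

```python
from ipaddress import IPv4Address
from itertools import count


class Location:
    def __init__(self, name, pool):
        self.name = name
        self.gateways = [[next(pool), next(pool)]]   # each gateway: [active, reserved]

    def scale_out(self, pool):
        # Scaling event: gateway 1's reserved IP becomes the new gateway's active IP; both get fresh reserved IPs.
        first = self.gateways[0]
        promoted, first[1] = first[1], next(pool)
        self.gateways.append([promoted, next(pool)])

    def infra_upgrade(self):
        # Infrastructure upgrade: active and reserved swap roles on every gateway.
        for gw in self.gateways:
            gw[0], gw[1] = gw[1], gw[0]

    def active_ips(self):
        return {gw[0] for gw in self.gateways}

    def all_ips(self):
        return {ip for gw in self.gateways for ip in gw}


def allow_list_delta(allowed, locations):
    """Return (addresses to add, addresses no longer needed) for an allow list."""
    needed = set().union(*(loc.all_ips() for loc in locations))
    return needed - allowed, allowed - needed


def page_scenario():
    """Replay the Sydney/Seoul/Tokyo example from the page; results as strings."""
    pool = (IPv4Address("51.1.1.1") + n for n in count())  # constructed address pool
    sydney, seoul = Location("Sydney", pool), Location("Seoul", pool)
    seoul.scale_out(pool)               # many users log in to Seoul
    tokyo = Location("Tokyo", pool)     # a third location is added
    locs = [sydney, seoul, tokyo]
    seoul_before = [[str(ip) for ip in gw] for gw in seoul.gateways]
    active_only = set().union(*(loc.active_ips() for loc in locs))
    both_sets = set().union(*(loc.all_ips() for loc in locs))
    for loc in locs:
        loc.infra_upgrade()
    missing = lambda allowed: sorted(str(ip) for ip in allow_list_delta(allowed, locs)[0])
    return {
        "seoul_gateways": seoul_before,
        "tokyo": sorted(str(ip) for ip in tokyo.all_ips()),
        "sydney_active_after_upgrade": str(sydney.gateways[0][0]),
        "missing_if_active_only": missing(active_only),
        "missing_if_both_sets": missing(both_sets),
    }
```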

IP Address Changes For Remote Network Connections

IP addresses for remote network connections are unique, not shared, and dedicated to your Prisma Access deployment. These IP addresses do not change after Prisma Access creates them as part of remote network onboarding, and the IP addresses persist after an upgrade. However, take care when increasing the bandwidth of an existing connection, because the IP address of a remote network can change if that increase causes the bandwidth in a location to exceed 300 Mbps.
In addition, egress IP addresses can change if Prisma Access creates a new compute region and you decide to use this new compute region with locations you have already onboarded. See Remote Network Egress IP Allocation Changes After a Compute Region Change for details.
These bandwidth guidelines apply only when you upgrade an existing connection. A single remote network connection, even a 500 Mbps (w/o SSL Decryption) or 1000 Mbps (Preview) connection, always receives a single Service IP Address, regardless of its size.
The 1000 Mbps bandwidth option is in preview mode. The throughput during preview is delivered on a best-effort basis and the actual performance will vary depending upon the traffic mix. The 500 Mbps option supports SSL decryption, but Palo Alto Networks does not guarantee 500 Mbps of throughput if it is enabled.
The following example shows three remote network connections in the same location, each with a bandwidth of 100 Mbps. Since the total bandwidth is 300 Mbps, Prisma Access assigns a single IP address for all connections in the location.
[Figure: service-ip-address-before.png]
The following example shows the bandwidth of remote network connection A being increased from 100 Mbps to 150 Mbps. Since the total bandwidth of all connections is now more than 300 Mbps, Prisma Access assigns a new service IP address for the connection with the additional bandwidth. The other service IP addresses remain unchanged.
[Figure: service-ip-address-after.png]
Conversely, given five remote networks, each with a bandwidth of 50 Mbps, if you increase the bandwidth of one of the remote networks to 100 Mbps, the Service IP address of that remote network does not change because the total bandwidth is now exactly 300 Mbps and does not exceed it.
If you reduce the bandwidth of a remote network connection, the Service IP address does not change.
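The bandwidth-change rule above, modelled as an added Python example (not Palo Alto Networks code or Prisma Access behaviour beyond what this page states). RemoteNetworkLocation, the LOCATION_THRESHOLD_MBPS name and the 203.0.113.x address pool are constructed; the model covers only the onboarding and bandwidth-change cases the examples describe and replays all three of them.

```python
from ipaddress import IPv4Address
from itertools import count

# Page rule: increasing one connection so that a location's total bandwidth
# exceeds this value gives that connection a new service IP address.
LOCATION_THRESHOLD_MBPS = 300


class RemoteNetworkLocation:
    """Service IP bookkeeping for the remote network connections in one location."""
    def __init__(self, pool):
        self._pool = pool          # constructed address pool, not Prisma Access's
        self.bandwidth = {}        # connection name -> Mbps
        self.service_ip = {}       # connection name -> service IP

    def total_mbps(self):
        return sum(self.bandwidth.values())

    def onboard(self, name, mbps):
        # As in the page's examples, connections onboarded in a location share
        # its service IP; the first connection allocates it.
        self.bandwidth[name] = mbps
        shared = next(iter(self.service_ip.values()), None)
        self.service_ip[name] = shared if shared is not None else next(self._pool)

    def change_bandwidth(self, name, mbps):
        """Apply a bandwidth change and return True if this connection's service IP changed."""
        old_mbps, old_ip = self.bandwidth[name], self.service_ip[name]
        self.bandwidth[name] = mbps
        # Reductions never change the IP; an increase does only if the location total exceeds the threshold.
        if mbps > old_mbps and self.total_mbps() > LOCATION_THRESHOLD_MBPS:
            self.service_ip[name] = next(self._pool)
        return self.service_ip[name] != old_ip


def page_examples():
    """Replay the page's three bandwidth-change cases; returns a dict of outcomes."""
    pool = (IPv4Address("203.0.113.1") + n for n in count())  # constructed pool
    loc = RemoteNetworkLocation(pool)
    for name in "ABC":
        loc.onboard(name, 100)                  # 3 x 100 Mbps = 300 Mbps, one shared IP
    first_ip = loc.service_ip["A"]
    a_changed = loc.change_bandwidth("A", 150)  # total 350 Mbps: only A gets a new IP
    others_kept = loc.service_ip["B"] == first_ip == loc.service_ip["C"]
    five = RemoteNetworkLocation(pool)
    for name in "PQRST":
        five.onboard(name, 50)                  # 5 x 50 Mbps = 250 Mbps
    p_changed = five.change_bandwidth("P", 100) # total exactly 300 Mbps: no change
    q_reduced = five.change_bandwidth("Q", 25)  # reductions never change the IP
    return {"A_changed": a_changed, "others_kept_original_ip": others_kept,
            "P_changed": p_changed, "Q_changed": q_reduced,
            "ips_in_first_location": len(set(loc.service_ip.values()))}
```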
To find the service IP addresses in Panorama, select Panorama > Cloud Services > Status > Network Details and click the Remote Networks radio button to display the Service IP Address for the remote networks, or use the API script.

Remote Network Egress IP Allocation Changes After a Compute Region Change

To optimize performance and improve latency, Prisma Access can introduce new compute regions for existing remote network locations as part of a plugin upgrade. When you upgrade the plugin, you can choose to take advantage of the new compute region. If you change the compute region, Prisma Access changes the egress IP addresses for the location or locations to which the new compute region is associated. If you use allow lists in your network to provide users at remote network locations access to internet resources such as SaaS applications or publicly accessible partner applications, you need to add these new egress IP addresses to your allow lists.
To upgrade to a new compute region after it becomes available, complete the following task.
Since the new compute region will have new egress IP addresses, Palo Alto Networks recommends that you schedule a compute region change during a maintenance window or during off-peak hours.
  1. Delete the remote network location or locations associated with the new compute region.
  2. Commit and push your changes.
  3. Re-add the locations you just deleted.
  4. Commit and push your changes.
  5. Retrieve the new egress IP addresses for the remote network locations using the API script.
  6. Make a note of the new egress IP addresses and add them to your allow lists.

Loopback IP Address Allocation for Mobile Users

Loopback IP addresses for mobile users can change during an infrastructure upgrade.
Loopback IP addresses do not change for service connections or remote network connections during an infrastructure upgrade; only mobile user loopback IP addresses can change.
Prisma Access allocates the loopback IP addresses from the infrastructure subnet that you specify when you enable the Prisma Access infrastructure. You can add the entire infrastructure subnet to an allow list and avoid planning for mobile user loopback IP changes during an infrastructure upgrade. To find the infrastructure subnet, select Panorama > Cloud Services > Status > Network Details > Service Infrastructure and view the Infrastructure Subnet.
Retrieve these addresses as described in Retrieve Public, Loopback, and Egress IP Addresses, which covers both public IP and loopback IP addresses.
The following example shows a Prisma Access deployment that has an infrastructure subnet of 172.16.0.0/16. Prisma Access has assigned loopback IP addresses 172.16.0.1 and 172.16.0.3 for mobile users from the infrastructure subnet.
[Figure: service-connection-loopback-ips-before.png]
After an infrastructure upgrade (for example, to prepare for a new release of the Cloud Services plugin), Prisma Access assigns two different IP addresses for mobile users from the infrastructure subnet (172.16.0.1 is changed to 172.16.0.2 and 172.16.0.3 is changed to 172.16.0.4).
[Figure: service-connection-loopback-ips-after.png]