Palo Alto Networks Knowledgebase: GlobalProtect Cloud Service: Egress IP Control
Created On 02/07/19 23:57 PM - Last Updated 02/07/19 23:57 PM
From cloud service to enterprise apps (SaaS or Public Cloud)
With the new GlobalProtect Cloud Service (GPCS) plugin 1.1.0, customers can fetch the public egress IP addresses assigned to their 'Global Protect Cloud Portals and Gateways' and 'Remote Networks' instances using an API key that is generated on Panorama.
They no longer have to rely on the Technical Assistance Center (TAC) to give them the public IP addresses. Instead, they can run a curl command with the API key generated from Panorama > Cloud Services > Configuration > Service Setup > Service Operations.
Customer Use Case
To prevent users from bypassing security and directly accessing applications hosted on public cloud or SaaS apps, customers deploy IP-based restrictions. Because the cloud service dynamically spins up and spins down instances as demand shifts, egress IPs change frequently. Without a way to learn the current egress IPs, customers using the cloud service would have to allow access from 'any' IP, and that is a security risk they should not take.
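One way to keep an IP-based restriction in step with the changing egress IPs, shown as an added example that is not Palo Alto Networks' code. It assumes the addresses have already been fetched and extracted into a list of IPv4 strings (the API response format is not shown on this page), and the function names are hypothetical.

```python
import ipaddress

# IPv4 ranges that can never be a public egress address
# (RFC 1918, loopback, link-local, "this network"). IPv4 only, by assumption.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def parse_entries(entries, label):
    """Parse IP/CIDR strings into a set of networks; any bad entry aborts the run."""
    nets = set()
    for raw in entries:
        try:
            nets.add(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            raise ValueError(f"{label}: not an IP or CIDR: {raw!r}") from None
    return nets

def plan_allowlist_update(current, fetched):
    """Return (to_add, to_remove) that makes the allow-list equal the fetched egress IPs."""
    cur = parse_entries(current, "current")
    new = parse_entries(fetched, "fetched")
    if not new:
        # An empty or failed fetch must not wipe the rule and lock users out.
        raise ValueError("fetched list is empty; keeping the existing allow-list")
    for net in new:
        # Each egress IP is one host. A wider prefix such as 0.0.0.0/0 would
        # reintroduce the 'any' rule the restriction exists to avoid.
        if net.num_addresses != 1:
            raise ValueError(f"fetched: refusing prefix wider than one host: {net}")
        if any(net.network_address in block for block in NON_PUBLIC):
            raise ValueError(f"fetched: refusing non-public address: {net}")
    order = lambda n: (n.version, int(n.network_address), n.prefixlen)
    to_add = [str(n) for n in sorted(new - cur, key=order)]
    to_remove = [str(n) for n in sorted(cur - new, key=order)]
    return to_add, to_remove

if __name__ == "__main__":
    # Constructed sample data (documentation address ranges), not real egress IPs.
    current_rule = ["198.51.100.10", "198.51.100.11/32", "0.0.0.0/0"]
    fetched_ips = ["198.51.100.11", "203.0.113.7"]
    add, remove = plan_allowlist_update(current_rule, fetched_ips)
    print("add:   ", add)
    print("remove:", remove)
```

The plan removes a stale 'any' entry from the existing rule, and raises instead of returning a plan when the fetched list is empty or contains anything other than single public hosts.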
Procedure to fetch Egress IPs from the GPCS Cloud Infrastructure: