Are Clientless VPN users assigned an IP from the Mobile User IP Pool?

Created On 04/21/22 00:24 AM - Last Modified 03/27/25 21:13 PM


Question


Are Clientless VPN users assigned an IP from the Mobile User IP Pool?

Environment


  • Prisma Access Mobile Users
  • GlobalProtect Clientless VPN
  • GlobalProtect Portal


Answer


  1. No. Mobile Users connecting through the Clientless VPN Portal are not assigned an IP address from the Mobile Users IP Pool.
  2. The Prisma Access portal uses an internal loopback IP address instead. This loopback IP address is assigned from the infrastructure subnet configured during the initial Prisma Access onboarding/deployment.


Additional Information


Example of a user session where 10.1.0.0/24 is used as the infrastructure subnet.
 

> show session id 3136988
Session         3136988
        c2s flow:
                source:      34.10.x.x [Clientless_VPN] <------- Clientless user Public IP
                dst:         12.154.x.x                 <------------ MU Portal IP
                proto:       6
                sport:       15715           dport:      443
                state:       INIT            type:       FLOW
                src user:    paloaltonetworks.com\johndoe
                dst user:    unknown 
        s2c flow:
                source:      10.1.0.120 [Inside]   <----- Portal loopback
                dst:         10.1.2.214            <---------- Destination server
                proto:       6
                sport:       443             dport:      15715
                state:       INIT            type:       FLOW
                src user:    unknown  
                dst user:    paloaltonetworks.com\johndoe
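
When reviewing session output or writing source-based rules, it helps to confirm which range the portal-side address falls in. The following is an added example, not Palo Alto Networks code: it parses output in the layout shown above and labels the address the page annotates as the portal loopback. The sample text is constructed from the session above, and the Mobile User IP Pool value (10.200.0.0/16) is an assumed placeholder that does not come from this article.

```python
import ipaddress
import re

# Constructed sample in the layout of the session output above.
SAMPLE = """\
Session         3136988
        c2s flow:
                source:      34.10.x.x [Clientless_VPN]
                dst:         12.154.x.x
                dst user:    unknown
        s2c flow:
                source:      10.1.0.120 [Inside]
                dst:         10.1.2.214
"""

INFRA_SUBNET = ipaddress.ip_network("10.1.0.0/24")        # from the example above
MOBILE_USER_POOL = ipaddress.ip_network("10.200.0.0/16")  # assumed placeholder
FLOW_RE = re.compile(r"^\s*(c2s|s2c) flow:\s*$")
FIELD_RE = re.compile(r"^\s*(source|dst):\s+(\S+)")  # skips "src user"/"dst user"

def parse_flows(text):
    """Return {'c2s': {'source': ..., 'dst': ...}, 's2c': {...}}."""
    flows, current = {}, None
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m:
            current = flows.setdefault(m.group(1), {})
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)  # zone tag or annotation is dropped
    return flows

def classify(addr):
    """Label an address by range; masked values such as 34.10.x.x stay unparsed."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "redacted-or-invalid"
    if ip in INFRA_SUBNET:
        return "infrastructure-subnet"
    if ip in MOBILE_USER_POOL:
        return "mobile-user-pool"
    return "other"

def portal_side_source(text):
    """Classify the s2c source, annotated on this page as the portal loopback."""
    return classify(parse_flows(text)["s2c"]["source"])
```

For the sample, `portal_side_source(SAMPLE)` returns `infrastructure-subnet`, matching the answer above: the address comes from the infrastructure subnet, not the Mobile User IP Pool.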

