What is the behaviour of IP pools allocation in Prisma Access when a region IP pool is added into the configuration without altering the existing worldwide pool?

Created On 07/24/23 01:51 AM - Last Modified 12/01/23 02:11 AM


Question


  • There is an existing Prisma Access deployment with Mobile Users locations enabled in all 3 regions (APAC, EMEA and NAM).
  • The current IP pool configuration is done at the worldwide level.
  • The administrator is going to add a regional IP pool for the APAC region without modifying the existing worldwide IP pool configuration.
  • The question is how Prisma Access behaves in this case, and how and when the mobile users in the APAC region will get IP addresses from the new APAC regional IP pool.


Environment


  • Prisma Access for Users version 4.0 or lower.
  • IP pool configuration
  • Mobile Users


Answer


  1. There will be no immediate change in the IP pool allocation or in the GlobalProtect users' IP addresses.
  2. The existing APAC gateways will continue to use the previously allocated worldwide IP pools until one of the following conditions is met.
    • The existing IP pool allocated to the APAC gateways is exhausted and the gateways need a new IP pool. In this case, new users will receive IP addresses from the new regional APAC IP pool.
    • The APAC gateways are subject to a dataplane upgrade. After the upgrade, all the IP pools on the APAC gateways will come from the APAC regional IP pools, subject to pool availability.
  3. New locations/gateways deployed in the APAC region will also use the new regional IP pool, subject to pool availability.
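
One way to check which of the states described above each APAC gateway is in, as an added example that is not part of the original article or any Palo Alto Networks tooling. The pool CIDRs, gateway names and session records are constructed assumptions; in practice the records would come from your own export of the client IPs assigned to GlobalProtect users.

```python
import ipaddress
from collections import Counter

# Constructed values (assumptions): substitute your configured pools.
WORLDWIDE_POOLS = ["10.100.0.0/16"]
APAC_POOLS = ["10.200.0.0/18"]

# Constructed sample records: (gateway, region, client IP assigned to the user).
SAMPLE_SESSIONS = [
    ("apac-gw-1", "APAC", "10.100.4.17"),
    ("apac-gw-1", "APAC", "10.100.4.18"),
    ("apac-gw-2", "APAC", "10.100.8.5"),
    ("apac-gw-2", "APAC", "10.200.0.9"),
    ("apac-gw-3", "APAC", "10.200.1.1"),
    ("apac-gw-4", "APAC", "172.16.0.5"),
    ("emea-gw-1", "EMEA", "10.100.20.3"),
]

def classify(ip, worldwide, regional):
    """Return which configured pool an assigned address belongs to."""
    addr = ipaddress.ip_address(ip)
    # Regional pools are checked first in case they are carved out of the worldwide range.
    if any(addr in net for net in regional):
        return "regional"
    if any(addr in net for net in worldwide):
        return "worldwide"
    return "unknown"

def pool_usage(sessions, region, worldwide, regional):
    """Count, per gateway in the given region, how many users sit in each pool."""
    ww = [ipaddress.ip_network(p) for p in worldwide]
    rg = [ipaddress.ip_network(p) for p in regional]
    usage = {}
    for gateway, sess_region, ip in sessions:
        if sess_region == region:
            usage.setdefault(gateway, Counter())[classify(ip, ww, rg)] += 1
    return usage

def gateway_state(counts):
    """Map pool counts to the situation the answer above describes."""
    if counts["unknown"]:
        return "check-config"      # address outside every configured pool
    if counts["regional"] and counts["worldwide"]:
        return "mixed"             # old pool exhausted, new users on regional pool
    if counts["regional"]:
        return "regional-only"     # after dataplane upgrade or new onboarding
    return "worldwide-only"        # no change yet

if __name__ == "__main__":
    for gw, counts in pool_usage(SAMPLE_SESSIONS, "APAC", WORLDWIDE_POOLS, APAC_POOLS).items():
        print(gw, dict(counts), gateway_state(counts))
```

Source-address-based firewall rules and allow lists that reference only the worldwide pool should be reviewed before any gateway reaches the "mixed" or "regional-only" state.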

 



Additional Information


  • The administrator can still control some aspects of the pool allocation.
  • They can disable/remove the APAC locations and then enable them again, which will cause the new onboarding to receive new regional IP pools.
  • Note: This operation should be done in a maintenance window and can also cause a change of public IP address for those locations, within the existing allocated public/egress IP pool.
  • The administrator can also modify the existing worldwide IP pool by reducing it or removing it. If an IP pool/subnet used by a gateway is removed from the IP pool configuration, the gateway will then automatically get another available IP pool, from the regional IP block first.
  • Reach out to Palo Alto Support if there are further questions or if there is a need to re-allocate the IP pools without one of the above options.

