Mobile user (MU) Gateway assigning IP addresses from Worldwide pool instead of regional pool after dataplane upgrade.

Created On 07/06/22 23:00 PM - Last Modified 08/29/24 21:15 PM


Symptom


Mobile User (MU) Gateway assigning IP addresses from Worldwide pool instead of regional pool after dataplane upgrade.



Environment


  • Prisma Access
  • Supported PAN-OS
  • Prisma Access - Mobile Users


Cause


This usually happens when the dataplane version of the MU firewalls is being upgraded.

Upgrade Process:

  • We assign the IP pools to the gateways in /24 blocks.
  • When performing an upgrade, we spin up an instance in parallel containing the target dataplane version.
  • After the upgrade, we delete the old dataplane firewall instance (which releases a /24 IP pool range).

Example: Upgrading gateways in the EMEA region:

Before upgrade:

  • EMEA IP pool: x.x.x.x/23 (a /23 translates to two /24 blocks).
  • It is assigned to UK and Netherlands, for example:
    • x.x.x.x/24 - assigned to UK on current dataplane version.
    • x.x.x.x/24 - assigned to Netherlands on current dataplane version.
  • So now there is no available IP block left to pick from in the regional pool.

During upgrade:

  • During an upgrade of the Netherlands/UK gateways, new gateway instances are spun up in parallel on the target dataplane version.
  • Since the x.x.x.x/24 blocks are assigned to UK and Netherlands on the current dataplane version, no free regional IP pools are available.
  • Since all regional IP pools have already been assigned, the new gateway instances are assigned IPs from the Worldwide pool during the upgrade.


Resolution


  1. Configure the regional pool with a /22 subnet.
    1. We recommend that the number of IP addresses in the pool is 2 times the number of mobile user devices that will connect to Prisma Access.
  2. The following can be used as a workaround to assign regional pool IPs to the gateway.
    1. Remove the entry for the Worldwide pool.
    2. Do a commit/push.
    3. Add the Worldwide pool entry.
    4. Do a commit/push again.
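
The allocation behavior described under Cause, and the effect of the /22 recommendation, can be reproduced with a small model. This is an added example, not Palo Alto Networks code: the `Pool`, `allocate` and `simulate_upgrade` names and the 10.x addresses are constructed for illustration, and it assumes all gateways in the region are upgraded in parallel.

```python
import ipaddress


class Pool:
    """A named IP pool carved into /24 blocks (simplified, hypothetical model)."""

    def __init__(self, name, cidr):
        self.name = name
        self.free = list(ipaddress.ip_network(cidr).subnets(new_prefix=24))


def allocate(regional, worldwide):
    """Hand a gateway instance one /24: regional pool first, Worldwide as fallback."""
    for pool in (regional, worldwide):
        if pool.free:
            return pool.name, pool.free.pop(0)
    raise RuntimeError("no free /24 block in any pool")


def simulate_upgrade(regional_cidr, worldwide_cidr, gateways):
    """Return {gateway: pool name} for the instances that remain after the upgrade."""
    regional = Pool("regional", regional_cidr)
    worldwide = Pool("worldwide", worldwide_cidr)
    pools = {p.name: p for p in (regional, worldwide)}

    # Before upgrade: every gateway holds one /24 on the current dataplane version.
    current = {gw: allocate(regional, worldwide) for gw in gateways}

    # During upgrade: the parallel instances on the target dataplane version
    # need their own /24 while the old instances still hold theirs.
    target = {gw: allocate(regional, worldwide) for gw in gateways}

    # After upgrade: the old instances are deleted, releasing their /24 blocks.
    for name, block in current.values():
        pools[name].free.append(block)

    return {gw: name for gw, (name, _block) in target.items()}


if __name__ == "__main__":
    gateways = ["UK", "Netherlands"]
    # Constructed sample ranges; the article itself only shows x.x.x.x.
    for regional_cidr in ("10.10.0.0/23", "10.10.0.0/22"):
        result = simulate_upgrade(regional_cidr, "10.200.0.0/20", gateways)
        print(regional_cidr, result)
```

With the /23 regional pool both upgraded gateways end up on Worldwide addresses; with the /22 pool there are two spare /24 blocks, so both stay in the regional range.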


Additional Information


IP Address Pools in a Mobile User—GlobalProtect Deployment


