GlobalProtect: IP Address Assignment When Having More Than One IP Pool

Created On 09/25/18 19:43 PM - Last Modified 04/20/20 23:38 PM



This document explains how an IP address is assigned to a GlobalProtect client when two or more IP address pools are configured.



The Palo Alto Networks firewall keeps a pointer to the pool from which the last successful IP address assignment was taken. The next client gets the next available IP address from the pool the pointer refers to.


For example:

GlobalProtect pools: pool-1, pool-2

Pointer: pool-1

  1. The first GlobalProtect client comes in and requests an IP
  2. The Palo Alto Networks firewall checks its pointer, and reads that it has to offer it an IP from pool-1 (
  3. The client ACKs the IP and installs it in its GlobalProtect virtual adapter
  4. A new GlobalProtect client comes in (at their local LAN they have the following IP assigned on NIC -
  5. The client authenticates successfully and requests an IP
  6. The firewall checks its memory pointer, and it is pointing to pool-1. It grabs the next available IP from pool-1 and offers it to the client
  7. The GlobalProtect client reads the IP, but it overlaps with the address on its physical NIC, so it declines the IP address
  8. The firewall receives the decline and moves its memory pointer to pool-2. The firewall offers the client a new IP from pool-2
  9. A third client comes in. Its physical IP is
  10. The firewall checks its pointer, which is pointing to pool-2
  11. The firewall gets the next available IP on pool-2 and offers it to the client
  12. The third client receives the IP and checks it. It does not overlap, so the client installs it on its virtual adapter and ACKs the IP to the firewall
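
The walk-through above can be replayed as a small model of the pool pointer. This is an added example, not Palo Alto Networks code: the `PoolAllocator` class, the pool ranges, the client subnets and the rule that an exhausted pool is skipped are assumptions made for illustration, since the article's own addresses are not shown.

```python
import ipaddress


class PoolAllocator:
    """Toy model of the pool pointer described in the steps above."""

    def __init__(self, pools):
        # pools: ordered dict of pool name -> CIDR (constructed sample ranges)
        self.names = list(pools)
        self.free = {n: list(ipaddress.ip_network(c).hosts())
                     for n, c in pools.items()}
        self.pointer = 0      # index of the pool used for the next offer
        self.leases = {}      # client name -> assigned address

    def assign(self, client, local_net):
        """Offer from the pointer's pool; on a decline move to the next pool."""
        local = ipaddress.ip_network(local_net)
        for _ in range(len(self.names)):
            name = self.names[self.pointer]
            offer = self.free[name][0] if self.free[name] else None
            # The client declines an offer that overlaps its physical NIC subnet.
            if offer is not None and offer not in local:
                self.free[name].pop(0)
                self.leases[client] = offer
                return name, str(offer)   # pointer stays on this pool
            # Decline (or, as an assumption, an exhausted pool): advance pointer.
            self.pointer = (self.pointer + 1) % len(self.names)
        raise RuntimeError(f"no non-overlapping address available for {client}")


def replay():
    """Replay the three-client scenario with constructed addresses."""
    fw = PoolAllocator({"pool-1": "10.10.1.0/24", "pool-2": "10.10.2.0/24"})
    results = [
        fw.assign("client-1", "192.168.0.0/24"),  # no overlap, takes pool-1
        fw.assign("client-2", "10.10.1.0/24"),    # LAN overlaps pool-1, declines
        fw.assign("client-3", "172.16.5.0/24"),   # pointer is now on pool-2
    ]
    return results, fw.names[fw.pointer]


if __name__ == "__main__":
    for pool, ip in replay()[0]:
        print(pool, ip)
```

Note that the third client lands in pool-2 even though pool-1 still has free addresses, because the pointer only moves when an offer is declined.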


See Also

How can IP Overlaps be Prevented with GlobalProtect


owner: parmas
