In an environment where IP Optimization is enabled, what are the conditions under which the Egress IP increases or decreases?

sawjain — Wed, 12 Mar 2025 09:37:20 GMT

Hello Team,

IP Optimization for Mobile Users—GlobalProtect Deployments
https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-setup/retrieve-ip-addre...

IP Optimization for Mobile Users
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu

I have a question about the conditions under which the number of egress IPs increases in an environment where IP Optimization is enabled as described in the above document.

1)
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu
This document states the following:

-------
When IP Optimization for Mobile Users is enabled on a tenant and that tenant deploys more than one MU-SPN in a compute region, Prisma Access deploys an ingress NLB layer for the MU-SPNs and deploys a pair of NAT instances to form a NAT layer for internet-bound traffic.
-------

Therefore, even in an environment where IP Optimization is enabled, if a single MU-SPN is used, NLB/NAT is not configured, but if multiple MU-SPNs are used, it automatically transitions to an NLB/NAT configuration. Is this correct?

2)
Assuming that 1) above is correct, am I correct in understanding that immediately after migrating to an NLB/NAT configuration, there will be two Egress IPs in the NAT layer?

3)
Please tell me the conditions under which the Egress IPs increase.
Does this apply to an increase in the number of sessions, an increase in the number of connected users, an increase in the amount of calculations in the NAT instance, etc.?

4)
Am I correct in understanding that the Egress IPs increase one at a time?
For example, if there are two Egress IPs, will the next increase be two, resulting in four Egress IPs?

5)
Please tell me whether the Egress IPs increase or decrease dynamically.
Can an Egress IP that has been increased once never decrease?

Re: In an environment where IP Optimization is enabled, what are the conditions under which the Egress IP increases or decreases?

uthankappanpi — Thu, 03 Apr 2025 19:14:38 GMT

Hi @sawjain

@sawjain wrote:

Hello Team,

IP Optimization for Mobile Users—GlobalProtect Deployments
https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-setup/retrieve-ip-addre...

IP Optimization for Mobile Users
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu

I have a question about the conditions under which the number of egress IPs increases in an environment where IP Optimization is enabled as described in the above document.

1)
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu
This document states the following:

-------
When IP Optimization for Mobile Users is enabled on a tenant and that tenant deploys more than one MU-SPN in a compute region, Prisma Access deploys an ingress NLB layer for the MU-SPNs and deploys a pair of NAT instances to form a NAT layer for internet-bound traffic.
-------

Therefore, even in an environment where IP Optimization is enabled, if a single MU-SPN is used, NLB/NAT is not configured, but if multiple MU-SPNs are used, it automatically transitions to an NLB/NAT configuration. Is this correct?

2)
Assuming that 1) above is correct, am I correct in understanding that immediately after migrating to an NLB/NAT configuration, there will be two Egress IPs in the NAT layer?

3)
Please tell me the conditions under which the Egress IPs increase.
Does this apply to an increase in the number of sessions, an increase in the number of connected users, an increase in the amount of calculations in the NAT instance, etc.?

4)
Am I correct in understanding that the Egress IPs increase one at a time?
For example, if there are two Egress IPs, will the next increase be two, resulting in four Egress IPs?

5)
Please tell me whether the Egress IPs increase or decrease dynamically.
Can an Egress IP that has been increased once never decrease?

1) That's right, NLB and NAT layers are deployed for auto-scaled gateway situations/minimum two or more gateways should be available for a region

2) That is correct, There will be a pair of NAT instances deployed . That means there will be two egress IPs minimum.

3) NAT Instances supports numerous concurrent connections with scale capabilities, Number of NAT instance may vary depending on the number of MU gateways so on.

4 & 5) When you enable Optimization It enables a pair of NAT instance first then It shouldn't go from 2 to 4, not like that. It depends on the tenant capacity requirement. I would suggest, to know more granular information related to this you may change please reach out to your respective Customer Success team to help with with identifying the capacity if needed

topic In an environment where IP Optimization is enabled, what are the conditions under which the Egress IP increases or decreases? in Prisma Access Discussions

In an environment where IP Optimization is enabled, what are the conditions under which the Egress IP increases or decreases?

Re: In an environment where IP Optimization is enabled, what are the conditions under which the Egress IP increases or decreases?