Allowlisting your Prisma Access Tenant

KPawlak
L1 Bithead

Hi all,

I've found that this is a frequent question that comes up for new and existing Prisma Access customers. Long story short, there are a couple of ways to go about this.

The most advanced and scalable option would be to use a solution like Cortex XSOAR to automate things. For example, if you were to deploy a new Mobile User location, Cortex XSOAR can help you allowlist new egress IPs from your tenant, as is discussed here. There are many other use cases, such as automatically updating your SAML provider to expect authentication requests from this new gateway, and more. I cannot recommend enough going down this path if you can.

However, for customers just getting started or who don't have the budget for such tools, you can take some other approaches leveraging the API and automation options of Prisma Access.

Full documentation for understanding the Prisma Access API is available here: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-ov...

However, in short form, you may choose to either allowlist the hostnames of the gateways we orchestrate and deploy for you through your tenant, or you may allowlist the IP addresses.

The hostnames are immutable unless you choose to turn on/off a node location, whereas the IPs can change and grow to accommodate failover events for maintenance or scale-out activities.

To get the hostnames to whitelist, you may use the UI:

For Panorama managed, please go to

Panorama > Cloud Services plugin > Status > Network Details > Mobile Users - GlobalProtect

Here you will find the portal address as well as the gateway addresses of your tenant.

For Cloud managed, please open the Prisma Access App and go to

Manage > Mobile Users > GlobalProtect Setup > Infrastructure, and click the gear icon in the 'Infrastructure Settings' box.

Your portal hostname should be readily available near the top of the page, and the list of gateway FQDNs should be near the bottom if you scroll down.

If you need to allowlist IPs specifically, please feel free to leverage and customize this script to query the API. This was field-created just to save time and is not a TAC-supported tool, so if API changes have been made since its last update, let your SE know, but TAC will not be able to help you and there is no SLA to update it:

https://github.com/chairforce2/Prisma-PAN-OS-API-Queries/blob/main/prisma-access-get-IPs.sh

You will need your API key to do so. You can follow step 1 here to do this for a Panorama managed Prisma Access tenant, and follow step 1 here instead for Cloud Managed Prisma Access.
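The post's key operational point is that the IP list can change and grow, so an allowlist built once from the API drifts. The following is an added example, not KPawlak's script and not Palo Alto Networks code: a small Python tool that pulls the current egress addresses from the Prisma Access "get IPs" API, validates them, and diffs them against whatever you currently have allowlisted so you can see what to add and what has gone stale. The endpoint URL, the `header-api-key` header, the request body keys and the `status`/`result`/`zone`/`addresses` response shape are assumptions based on the public documentation and should be checked against the current docs; the sample response and the "current allowlist" below are constructed so the parsing and diff logic runs offline.

```python
"""Pull Prisma Access egress IPs and diff them against an existing allowlist.

Added example (not the forum post's script). Endpoint, header name, body keys
and response shape are assumptions to verify against the current API docs.
"""
from __future__ import annotations

import ipaddress
import json
import urllib.request

# Assumed endpoint for the Prisma Access "get IPs" API; confirm in the docs.
API_URL = "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"


def fetch_prisma_access_ips(api_key: str, service_type: str = "all",
                            addr_type: str = "all", location: str = "all") -> dict:
    """POST to the API with the tenant API key and return the parsed JSON.

    Not called at import time; it needs network access and a real key.
    """
    body = json.dumps({"serviceType": service_type,
                       "addrType": addr_type,
                       "location": location}).encode()
    req = urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"header-api-key": api_key,  # assumed header name
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def extract_addresses(response: dict) -> dict[str, set[str]]:
    """Map each zone/location in the response to its set of egress addresses.

    Every address is parsed with ipaddress so a malformed or unexpected value
    raises instead of silently landing in a firewall rule.
    """
    if response.get("status") != "success":
        raise ValueError(f"API call did not succeed: {response!r}")
    by_zone: dict[str, set[str]] = {}
    for entry in response.get("result", []):
        zone = entry.get("zone", "unknown")
        addrs = {str(ipaddress.ip_address(a)) for a in entry.get("addresses", [])}
        by_zone.setdefault(zone, set()).update(addrs)
    return by_zone


def all_addresses(by_zone: dict[str, set[str]]) -> set[str]:
    """Flatten the per-zone map into one set of addresses."""
    return set().union(*by_zone.values()) if by_zone else set()


def diff_allowlist(current: set[str], live: set[str]) -> tuple[set[str], set[str]]:
    """Return (to_add, stale): live IPs missing from the allowlist, and
    allowlisted IPs the tenant no longer reports."""
    return live - current, current - live


# Constructed sample response mimicking the assumed API shape (not real tenant data).
SAMPLE_RESPONSE = {
    "status": "success",
    "result": [
        {"zone": "us-east-1", "addresses": ["198.51.100.10", "198.51.100.11"]},
        {"zone": "europe-west", "addresses": ["203.0.113.5"]},
    ],
}

# Constructed "what we allowlisted last time" set: one IP is still valid, one is stale.
CURRENT_ALLOWLIST = {"198.51.100.10", "192.0.2.77"}


def report(current: set[str], response: dict) -> tuple[set[str], set[str]]:
    """Compute the diff for a response and return it (also printed when run as a script)."""
    to_add, stale = diff_allowlist(current, all_addresses(extract_addresses(response)))
    return to_add, stale


if __name__ == "__main__":
    # To run against a real tenant, replace SAMPLE_RESPONSE with
    # fetch_prisma_access_ips(api_key) using a key from your tenant.
    add, stale = report(CURRENT_ALLOWLIST, SAMPLE_RESPONSE)
    print("Add to allowlist:   ", sorted(add))
    print("Stale, review/remove:", sorted(stale))
```

Run it on a schedule and alert on a non-empty "add" set; a non-empty "stale" set should be reviewed rather than auto-removed, since the API also returns reserved addresses that may not currently be in use but can appear after a failover or scale-out.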
