I've found that this is a frequent question that comes up for new and existing Prisma Access customers. Long story short there are a couple of ways to go about this.
The most advanced and scalable option would be to use a solution like Cortex XSOAR to automate things. For example, if you were to deploy a new Mobile User location, Cortex XSOAR can help you allowlist new egress IPs from your tenant, as is discussed here . There are many other use cases, such as automatically updating your SAML provider to expect authentication requests from this new gateway, and more. I cannot recommend enough going down this path if you can.
However, for customers just getting started or who don't have the budget for such tools, you can take some other approaches leveraging the API and automation options of Prisma Access.
Full Documentation for understanding the Prisma Access API is available here: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-ov...
However in short form, you may choose to either allowlist the hostnames of the gateways we orchestrate and deploy for you through your tenant, or you may allowlist the IP addresses.
The hostnames are immutable unless you choose to turn on/off a node location, whereas the IPs can change and grow to accommodate failover events for maintenance or scale out activities.
To get the hostnames to whitelist, you may use the UI:
For Panorama managed please go to
Panorama > Cloud Services plugin > Status > Network Details > Mobile Users - GlobalProtect
Here you will find the portal address as well as the gateway addresses of your tenant
For Cloud managed, please open the Prisma Access App and go to
Manage > Mobile Users > GlobalProtect Setup > Infrastructure, and click the gear icon in the ‘Infrastructure Settings’ Box
You portal hostname should be readily available near the top of the page, and the list of gateway FQDNs should be near the bottom if you scroll down
If you need to allowlist IPs specifically, please feel free to leverage and customize this script to query the API. This was field created just to save time and is not a TAC supported tool so if API changes have been made since its last update let your SE know, but TAC will not be able to help you and there is no SLA to update it:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!