In an environment where IP Optimization is enabled, what are the conditions under which the Egress IP increases or decreases?


L7 Applicator

Hello Team,

 

IP Optimization for Mobile Users—GlobalProtect Deployments
https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-setup/retrieve-ip-addre...

 

IP Optimization for Mobile Users
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu

 

I have a question about the conditions under which the number of egress IPs increases in an environment where IP Optimization is enabled as described in the above document.

 

1)
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu
This document states the following:

-------
When IP Optimization for Mobile Users is enabled on a tenant and that tenant deploys more than one MU-SPN in a compute region, Prisma Access deploys an ingress NLB layer for the MU-SPNs and deploys a pair of NAT instances to form a NAT layer for internet-bound traffic.
-------

Therefore, even in an environment where IP Optimization is enabled, if a single MU-SPN is used, NLB/NAT is not configured, but if multiple MU-SPNs are used, it automatically transitions to an NLB/NAT configuration. Is this correct?

 

2)
Assuming that 1) above is correct, am I correct in understanding that immediately after migrating to an NLB/NAT configuration, there will be two Egress IPs in the NAT layer?

 

3)
Please tell me the conditions under which the Egress IPs increase.
Does this apply to an increase in the number of sessions, an increase in the number of connected users, an increase in the amount of calculations in the NAT instance, etc.?

 

4)
Am I correct in understanding that the Egress IPs increase one at a time?
For example, if there are two Egress IPs, will the next increase be two, resulting in four Egress IPs?

 

5)
Please tell me whether the Egress IPs increase or decrease dynamically.
Can an Egress IP that has been increased once never decrease?

1 REPLY

L1 Bithead

Hi @sawjain 

 



1) That's right. NLB and NAT layers are deployed for auto-scaled gateway situations; a minimum of two or more gateways should be available for a region.

2) That is correct. There will be a pair of NAT instances deployed. That means there will be two egress IPs minimum.

3) NAT instances support numerous concurrent connections with scale capabilities. The number of NAT instances may vary depending on the number of MU gateways and so on.

4 & 5) When you enable Optimization, it enables a pair of NAT instances first; then it shouldn't go from 2 to 4, not like that. It depends on the tenant capacity requirement. To know more granular information related to this, I would suggest you reach out to your respective Customer Success team to help with identifying the capacity if needed.
