03-12-2025 02:37 AM
Hello Team,
IP Optimization for Mobile Users—GlobalProtect Deployments
https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-setup/retrieve-ip-addre...
IP Optimization for Mobile Users
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu
I have a question about the conditions under which the number of egress IPs increases in an environment where IP Optimization is enabled as described in the above document.
1)
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu
This document states the following:
-------
When IP Optimization for Mobile Users is enabled on a tenant and that tenant deploys more than one MU-SPN in a compute region, Prisma Access deploys an ingress NLB layer for the MU-SPNs and deploys a pair of NAT instances to form a NAT layer for internet-bound traffic.
-------
Therefore, even in an environment where IP Optimization is enabled, if a single MU-SPN is used, NLB/NAT is not configured, but if multiple MU-SPNs are used, it automatically transitions to an NLB/NAT configuration. Is this correct?
2)
Assuming that 1) above is correct, am I correct in understanding that immediately after migrating to an NLB/NAT configuration, there will be two Egress IPs in the NAT layer?
3)
Please tell me the conditions under which the Egress IPs increase.
Does this apply to an increase in the number of sessions, an increase in the number of connected users, an increase in the amount of calculations in the NAT instance, etc.?
4)
Am I correct in understanding that the Egress IPs increase one at a time?
For example, if there are two Egress IPs, will the next increase be two, resulting in four Egress IPs?
5)
Please tell me whether the Egress IPs increase or decrease dynamically.
Can an Egress IP that has been increased once never decrease?
04-03-2025 12:13 PM - edited 04-03-2025 12:14 PM
Hi @sawjain
@sawjain wrote:
Hello Team,
IP Optimization for Mobile Users—GlobalProtect Deployments
https://docs.paloaltonetworks.com/prisma-access/administration/prisma-access-setup/retrieve-ip-addre...
IP Optimization for Mobile Users
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu
I have a question about the conditions under which the number of egress IPs increases in an environment where IP Optimization is enabled as described in the above document.
1)
https://svc-desc.paloaltonetworks.com/mobile-users/gp/ip-optimization-mu
This document states the following:
-------
When IP Optimization for Mobile Users is enabled on a tenant and that tenant deploys more than one MU-SPN in a compute region, Prisma Access deploys an ingress NLB layer for the MU-SPNs and deploys a pair of NAT instances to form a NAT layer for internet-bound traffic.
-------
Therefore, even in an environment where IP Optimization is enabled, if a single MU-SPN is used, NLB/NAT is not configured, but if multiple MU-SPNs are used, it automatically transitions to an NLB/NAT configuration. Is this correct?
2)
Assuming that 1) above is correct, am I correct in understanding that immediately after migrating to an NLB/NAT configuration, there will be two Egress IPs in the NAT layer?
3)
Please tell me the conditions under which the Egress IPs increase.
Does this apply to an increase in the number of sessions, an increase in the number of connected users, an increase in the amount of calculations in the NAT instance, etc.?
4)
Am I correct in understanding that the Egress IPs increase one at a time?
For example, if there are two Egress IPs, will the next increase be two, resulting in four Egress IPs?
5)
Please tell me whether the Egress IPs increase or decrease dynamically.
Can an Egress IP that has been increased once never decrease?
1) That's right, NLB and NAT layers are deployed for auto-scaled gateway situations/minimum two or more gateways should be available for a region.
2) That is correct. There will be a pair of NAT instances deployed. That means there will be two egress IPs minimum.
3) NAT instances support numerous concurrent connections with scale capabilities. The number of NAT instances may vary depending on the number of MU gateways and so on.
4 & 5) When you enable Optimization, it enables a pair of NAT instances first; then it shouldn't go from 2 to 4, not like that. It depends on the tenant capacity requirement. I would suggest that, to know more granular information related to this, you please reach out to your respective Customer Success team to help with identifying the capacity if needed.