08-12-2022 01:45 AM
We have an existing deployed Prisma Access solution with MUs using a worldwide pool as deployed during the POC, although all MUs are located in Europe.
We wish to change the MU pool without impacting existing users; although limited to Europe, users require 24-hour access due to shift patterns.
After reading https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-fo... more specifically the section which says:
"If you specify a mix of Worldwide and regional pools, Prisma Access uses the IP pools in the region first. If regional pools are exhausted, Prisma Access will take IP address blocks from the Worldwide pool, which allows you to configure extra IP addresses in the Worldwide IP address pool to function as a fallback pool."
I assumed this meant I could simply add a Europe pool (using the new MU subnet) and that all new connections would then be assigned from the new pool while existing connections would continue to be assigned from the old pool. However, upon making the change it made no difference: new and existing connections were still allocated IPs from the old worldwide MU pool. Furthermore, checking the routes with the troubleshooting tool showed there were no routes in Prisma Access for the new pool (although I am not sure when these routes are usually added; it may be that they are only created after the first address is allocated from the pool).
I should point out that the worldwide pool was first in the list and the Europe one is second, which makes me wonder if I am encountering the below, taken from the same article.
"If you specify more than one block of IP address pools, Prisma Access uses the pools in the order that you entered them during mobile user setup."
To me the two statements are mutually exclusive, given that you cannot have more than one pool in the same region, so it is strange that they occur one after the other in the same article. I could try moving the order of the pools, but I have concerns around impacting the existing users, so I guess I am asking: has anyone done this before, and what process did you follow?
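One way to verify what the post describes before touching pool order, as an added example that is not part of the original post and not Palo Alto Networks code: map each currently connected client IP back to the configured pool it came from, and compare the client list before and after a new login to see which pool the new address was drawn from. The pool names, subnets and client IP lists below are constructed sample data; the script assumes you can export the current mobile-user client IPs from your own monitoring view into a list of strings. The `documented_order` helper is only a model of the two quoted sentences from the admin guide (regional pools first, then worldwide, each in entry order), not a statement of how Prisma Access actually selects pools.

```python
"""Classify GlobalProtect client IPs by the Prisma Access mobile-user pool they came from.

Added example, not from the original post or Palo Alto Networks. Pools and the
client-IP lists below are constructed sample data, not real configuration.
"""
import ipaddress
from collections import Counter

# Constructed sample: pools in the order they were entered in Mobile Users setup.
# The first entry stands in for the original worldwide pool, the second for the
# newly added Europe pool. Subnets are RFC 1918 placeholders (assumption).
POOLS = [
    {"name": "worldwide-old", "region": "worldwide", "cidr": "10.100.0.0/20"},
    {"name": "europe-new",    "region": "europe",    "cidr": "10.200.0.0/20"},
]


def pool_for(ip, pools=POOLS):
    """Return the name of the first configured pool that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for p in pools:
        if addr in ipaddress.ip_network(p["cidr"]):
            return p["name"]
    return None


def classify(client_ips, pools=POOLS):
    """Count how many current client IPs fall into each pool (None = no pool)."""
    return dict(Counter(pool_for(ip, pools) for ip in client_ips))


def documented_order(pools, user_region):
    """Model of the quoted admin-guide text only: pools for the user's region are
    tried first, in entry order, then worldwide pools as fallback, in entry order."""
    regional = [p["name"] for p in pools if p["region"] == user_region]
    worldwide = [p["name"] for p in pools if p["region"] == "worldwide"]
    return regional + worldwide


def new_logins_from_pool(before, after, expected_pool, pools=POOLS):
    """Find client IPs present only in `after` (new logins) and report whether every
    one of them was drawn from expected_pool. Returns (new_ips, all_from_expected)."""
    new = sorted(set(after) - set(before), key=ipaddress.ip_address)
    ok = all(pool_for(ip, pools) == expected_pool for ip in new)
    return new, ok


# Constructed sample: client IP exports taken before and after adding the Europe pool.
# The single new login in AFTER still comes from the old worldwide range, which is
# the symptom the post describes.
BEFORE = ["10.100.0.5", "10.100.1.17", "10.100.3.200"]
AFTER = ["10.100.0.5", "10.100.1.17", "10.100.3.200", "10.100.4.9"]

if __name__ == "__main__":
    print("pool usage now:", classify(AFTER))
    print("order the guide text implies for a Europe user:",
          documented_order(POOLS, "europe"))
    new_ips, from_new_pool = new_logins_from_pool(BEFORE, AFTER, "europe-new")
    print("new logins:", new_ips, "all from europe-new:", from_new_pool)
```

Run it against real exports taken a few minutes apart: if `new_logins_from_pool` keeps returning `False` for the regional pool after a handful of fresh logins, the new pool is not being used for new connections regardless of what the routing table shows, which separates "routes appear lazily" from "pool is never selected".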