Allowlisting your Prisma Access Tenant


Hi all,

 

I've found that this is a frequent question that comes up for new and existing Prisma Access customers. Long story short, there are a couple of ways to go about this.

 

The most advanced and scalable option would be to use a solution like Cortex XSOAR to automate things. For example, if you were to deploy a new Mobile User location, Cortex XSOAR can help you allowlist new egress IPs from your tenant, as is discussed here. There are many other use cases, such as automatically updating your SAML provider to expect authentication requests from this new gateway, and more. I cannot recommend enough going down this path if you can.

 

However, for customers just getting started or who don't have the budget for such tools, you can take some other approaches leveraging the API and automation options of Prisma Access.

 

Full Documentation for understanding the Prisma Access API is available here: https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-ov...

 

However, in short form, you may choose either to allowlist the hostnames of the gateways we orchestrate and deploy for you through your tenant, or to allowlist the IP addresses.

 

The hostnames are immutable unless you choose to turn on/off a node location, whereas the IPs can change and grow to accommodate failover events for maintenance or scale out activities.

 

To get the hostnames to allowlist, you may use the UI:

 

For Panorama managed Prisma Access, please go to:

Panorama > Cloud Services plugin > Status > Network Details > Mobile Users - GlobalProtect

Here you will find the portal address as well as the gateway addresses of your tenant.

 

For Cloud managed Prisma Access, please open the Prisma Access app and go to:

Manage > Mobile Users > GlobalProtect Setup > Infrastructure, then click the gear icon in the ‘Infrastructure Settings’ box.

Your portal hostname should be readily available near the top of the page, and the list of gateway FQDNs should be near the bottom if you scroll down.

 

If you need to allowlist IPs specifically, please feel free to use and customize this script to query the API. It was created in the field just to save time and is not a TAC-supported tool: if API changes have been made since its last update, let your SE know, but TAC will not be able to help you and there is no SLA to update it:

 

https://github.com/chairforce2/Prisma-PAN-OS-API-Queries/blob/main/prisma-access-get-IPs.sh

 

You will need your API key to do so. You can follow step 1 here to do this for a Panorama managed Prisma Access tenant, and follow step 1 here instead for Cloud Managed Prisma Access.
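As an added example (my own sketch, not the linked script), here is a Python version of the same query that also diffs the returned IPs against what you have already allowlisted, which matters because the IPs change and grow as described above. The endpoint, header name and response field names are assumptions taken from the public egress-IP API documentation and should be confirmed for your tenant; the sample response is constructed.

```python
import ipaddress
import json
import urllib.request

# Endpoint and header name as documented for the Prisma Access egress-IP API; treat
# them as an assumption and confirm against the current API docs for your tenant.
API_URL = "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"

# Constructed sample response in the shape of a v2 result (field names are an
# assumption); addresses are RFC 5737 documentation ranges, not real egress IPs.
SAMPLE_RESPONSE = json.dumps({"status": "success", "result": [
    {"zone": "us-east-1", "address_details": [
        {"address": "192.0.2.10", "serviceType": "gp_gateway", "addressType": "active"},
        {"address": "192.0.2.11", "serviceType": "gp_gateway", "addressType": "reserved"}]},
    {"zone": "eu-west-1", "address_details": [
        {"address": "198.51.100.5", "serviceType": "gp_portal", "addressType": "active"},
        {"address": "198.51.100.5", "serviceType": "gp_gateway", "addressType": "active"}]},
]})


def fetch_egress_ips(api_key):
    """Query the tenant for every egress IP (all service types, all locations)."""
    body = json.dumps({"serviceType": "all", "addrType": "all", "location": "all"}).encode()
    req = urllib.request.Request(API_URL, data=body, method="POST", headers={
        "header-api-key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def extract_egress_ips(raw_json, service_types=None):
    """Return sorted, de-duplicated egress IPs; service_types (e.g. {"gp_gateway"}) filters."""
    data = json.loads(raw_json)
    if data.get("status") != "success":
        raise ValueError(f"API call did not succeed: {data}")
    ips = set()
    for zone in data.get("result", []):
        for detail in zone.get("address_details", []):
            if service_types and detail.get("serviceType") not in service_types:
                continue
            ips.add(str(ipaddress.ip_address(detail["address"])))  # rejects malformed entries
    return sorted(ips, key=ipaddress.ip_address)


def diff_allowlist(current_ips, stored_ips):
    """Compare the tenant's current egress IPs with what the allowlist already holds."""
    current, stored = set(current_ips), set(stored_ips)
    return {"add": sorted(current - stored, key=ipaddress.ip_address),
            "remove": sorted(stored - current, key=ipaddress.ip_address)}
```

Run `diff_allowlist(extract_egress_ips(fetch_egress_ips(key)), stored)` on a schedule and alert on a non-empty `add` list so a failover or scale-out does not leave a new gateway IP blocked at your perimeter or identity provider.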
