Mobile User IP Pool functionality

We have an existing deployed Prisma Access solution with MUs using a worldwide pool as deployed during the POC, although all MUs are located in Europe.


We wish to change the MU pool without impacting existing users; although the users are limited to Europe, they require 24-hour access due to shift patterns.


After reading https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-fo... more specifically the section which says:


"If you specify a mix of Worldwide and regional pools, Prisma Access uses the IP pools in the region first. If regional pools are exhausted, Prisma Access will take IP address blocks from the Worldwide pool, which allows you to configure extra IP addresses in the Worldwide IP address pool to function as a fallback pool."


I assumed this meant I could simply add a Europe pool (using the new MU subnet) and that all new connections would then be assigned from the new pool while existing connections would continue to be assigned from the old pool. However, upon making the change it made no difference: new and existing connections were still allocated IPs from the old worldwide MU pool. Furthermore, on checking the routes from the troubleshooting tool, there were no routes in Prisma Access for the new pool (although I am not sure when these routes are usually added; it may be that they are only created after the first address is allocated from the pool).


I should point out that the worldwide pool was first in the list and the Europe one is second, which makes me wonder if I am encountering the below, taken from the same article.


"If you specify more than one block of IP address pools, Prisma Access uses the pools in the order that you entered them during mobile user setup."


To me the two statements are mutually exclusive, given that you cannot have more than one pool in the same region, so it is strange that they occur one after the other in the same article. I could try moving the order of the pools, but I have concerns about impacting the existing users, so I guess I am asking: has anyone done this before, and what process did you follow?