When Do IP Addresses Change?

If you know when IP addresses change, you can plan your infrastructure and whitelist the required IP addresses accordingly.
The following IP addresses can change:

IP Addresses For The GlobalProtect Cloud Service Gateways For Mobile Users

IP addresses for mobile users can change during the following events:
  • When a large number of mobile users access the cloud gateway from the same region.
    The GlobalProtect cloud service adds one or more gateways to accommodate additional licensed mobile users.
  • During an infrastructure upgrade.
To find these IP addresses or to be notified of an IP address change, Retrieve the IP Addresses for the GlobalProtect Cloud Service using an API command or an automated script. To manually find the IP addresses using an API command, specify a $fwType of gpcs_gp_portal for the cloud portals and specify a $fwType of gpcs_gp_gw for the cloud gateways. If you do not specify a $fwType or $addrType, all addresses are retrieved.

IP Addresses For Remote Network Connections

The IP addresses for the remote network connections are static, and only change in the following cases:
  • When a system administrator creates a new remote network connection using the Panorama appliance.
    The GlobalProtect cloud service adds a Service IP Address for the new remote network connection. When you Configure the GlobalProtect Cloud Service for Remote Networks, you use these IP addresses as the peer IP address to set up the IPSec tunnel between the remote network location and the GlobalProtect cloud service for remote networks.
    If you have deleted any remote network connections, the service IP addresses are not reused. The GlobalProtect cloud service assigns an entirely new IP address for the new connection.
  • When a change to network bandwidth in a region causes the total bandwidth to exceed 300 Mbps.
    While you can onboard remote networks in increments of 2 Mbps, 5 Mbps, 10 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, or 300 Mbps, the maximum bandwidth available for a single service IP address is 300 Mbps. If the total bandwidth of all remote network connections in a region is 300 Mbps or less, the GlobalProtect cloud service assigns a single service IP address. If the bandwidth exceeds 300 Mbps, the GlobalProtect cloud service provisions an additional service IP address.
    The following example shows three remote network connections in the same region, each with a bandwidth of 100 Mbps. Since the total bandwidth is 300 Mbps, the GlobalProtect cloud service assigns a single IP address for all connections in the region.
    The following example shows the bandwidth of remote network connection A being increased from 100 Mbps to 150 Mbps. Since the total bandwidth of all connections is now more than 300 Mbps, the GlobalProtect cloud service assigns a new service IP address for the connection with the additional bandwidth. The other service IP addresses remain unchanged.
    To find the service IP addresses in Panorama, select Panorama > Cloud Services > Status > Network Details tab and click the Remote Networks radio button to display the Service IP Address for the remote networks. You can also Retrieve the IP Addresses for the GlobalProtect Cloud Service using an API command or an automated script. If using an API command, specify a fwType of gpcs_remote_network.
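
As an added example of the automated-script approach mentioned above (not code from the original documentation), the following compares a saved allow list snapshot with newly retrieved addresses for each fwType and reports what to add or remove. The snapshot format, function names, and sample addresses are assumptions constructed for illustration, and retrieving the lists from the API is left out.

```python
import ipaddress

# fwType values named on this page.
FW_TYPES = ("gpcs_gp_portal", "gpcs_gp_gw", "gpcs_remote_network")

# Constructed sample snapshots (documentation address ranges, not real service IPs).
PREVIOUS = {
    "gpcs_gp_portal": ["198.51.100.5"],
    "gpcs_gp_gw": ["198.51.100.10"],
    "gpcs_remote_network": ["203.0.113.19", "203.0.113.20"],
}
CURRENT = {
    "gpcs_gp_portal": ["198.51.100.5"],
    "gpcs_gp_gw": ["198.51.100.10", "198.51.100.11"],  # gateway added
    "gpcs_remote_network": ["203.0.113.20", "203.0.113.21"],  # .19 deleted, .21 new
}


def normalize(addresses):
    """Return the set of valid IP addresses; raise ValueError on a malformed entry."""
    return {str(ipaddress.ip_address(a.strip())) for a in addresses}


def _sort_key(addr):
    ip = ipaddress.ip_address(addr)
    return (ip.version, int(ip))


def diff_allowlist(previous, current):
    """Diff snapshots shaped {fwType: [ip, ...]} (hypothetical); return changes per type."""
    changes = {}
    for fw_type in FW_TYPES:
        old = normalize(previous.get(fw_type, []))
        new = normalize(current.get(fw_type, []))
        # An empty list where addresses existed before more likely means a failed
        # retrieval than a real change, so stop instead of emitting removals.
        if old and not new:
            raise ValueError(f"{fw_type}: no addresses retrieved")
        if old != new:
            changes[fw_type] = {
                "add": sorted(new - old, key=_sort_key),
                "remove": sorted(old - new, key=_sort_key),
            }
    return changes


if __name__ == "__main__":
    for fw_type, change in diff_allowlist(PREVIOUS, CURRENT).items():
        print(fw_type, "add:", change["add"], "remove:", change["remove"])
```

Because service IP addresses of deleted remote network connections are not reused, entries reported under remove can be dropped from the allow list rather than kept for later.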
