PRISMA ACCESS - 9 min read

Scaling Mobile User Gateways (MUG)

2026-02-01

What a Mobile User Gateway Does

In Prisma Access, remote users connect through GlobalProtect to a mobile user gateway — a cloud security stack in the region nearest the user. The gateway terminates the tunnel, applies the full security policy (threat prevention, URL filtering, decryption, DLP), and forwards traffic to the internet, SaaS, or private apps. Scaling mobile users well is mostly about three things: capacity, addressing, and placement.

Capacity and Autoscale Behavior

Prisma Access autoscales mobile user capacity per location based on demand, but autoscale is not instant. It reacts to sustained load, so a sharp spike — a whole region coming online at 9:00 a.m., or a sudden shift to full remote work — can briefly outrun it.

Plan for the peak concurrent user count per region, not the named-user total. Pre-warm capacity ahead of known events (a return-to-office reversal, a large onboarding) rather than relying on reactive scaling during the spike itself.

IP Pool Planning

Every connected user consumes an address from the mobile user IP pool. This is the single most common scaling mistake: pools sized for today's headcount that exhaust during growth or a failover event, leaving users connected but unable to route.

  • Size pools for peak concurrency plus headroom for failover, when users from one location may be served from another.
  • Keep the mobile user pools non-overlapping with branch subnets, data center ranges, and service-connection routes. Overlap causes silent, hard-to-debug routing failures.
  • Make sure the pools are advertised consistently toward private apps so return traffic knows the way back.

Gateway Placement and Performance

Users should land on a gateway close to them. Misplacement shows up as latency and decryption overhead stacked on top of an already long path.

  • Enable the locations that match where your users actually are, not just where headquarters is.
  • For global organizations, accept that a traveling user will be served by a different region — design IP pools and private-app routing so that access still works from any region.
  • Watch digital experience metrics. A rise in latency to a specific app is often a placement or path problem, not a capacity one.

Authentication and Onboarding at Scale

At scale, authentication is where login storms hurt most.

  1. Use SAML/IdP-based authentication so the gateway is not the bottleneck for credential checks.
  2. Cache and reuse authentication where policy allows, to avoid re-authenticating thousands of users simultaneously after a brief network blip.
  3. Stage GlobalProtect agent rollouts in waves. A fleet-wide forced upgrade that reconnects every user at once is a self-inflicted spike.

Monitoring and Troubleshooting

  • Track concurrent users per location against pool size and watch the trend, not just the instantaneous number.
  • Alert on IP pool utilization well before exhaustion (for example, at 80 percent).
  • When users report "connected but nothing works," suspect IP pool exhaustion or a routing overlap before suspecting the security policy.
  • Use experience monitoring to separate "slow tunnel" from "slow application."
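The pool sizing, overlap and utilization checks from the IP Pool Planning and Monitoring sections, as an added Python example (not part of the original article or of Prisma Access itself). The pool names, CIDRs and user counts are constructed sample data, and subtracting two addresses per pool is a conservative assumption, not documented Prisma Access behavior.

```python
import ipaddress

# Constructed sample plan (not real Prisma Access values): mobile user pools,
# every other range they must stay clear of, and observed peak concurrency.
MOBILE_USER_POOLS = {"us-east": "10.200.0.0/21", "eu-west": "10.200.8.0/22"}
OTHER_RANGES = {
    "branch-nyc": "10.10.0.0/16",
    "dc-frankfurt": "10.200.8.0/24",   # constructed to collide with eu-west
    "service-conn-1": "172.16.0.0/12",
}
PEAK_CONCURRENT = {"us-east": 1500, "eu-west": 850}


def usable_hosts(cidr):
    """Addresses in a pool minus network/broadcast (conservative assumption)."""
    return ipaddress.ip_network(cidr).num_addresses - 2


def required_prefix(peak_users, failover_users, headroom_pct=20):
    """Smallest prefix length whose usable hosts cover peak + failover + headroom."""
    needed = (peak_users + failover_users) * (100 + headroom_pct) // 100
    prefix = 32
    while prefix > 0 and (2 ** (32 - prefix)) - 2 < needed:
        prefix -= 1
    return prefix


def find_overlaps(pools, other_ranges):
    """(pool, range) pairs that overlap; pools are also checked against each other."""
    pool_nets = {n: ipaddress.ip_network(c) for n, c in pools.items()}
    candidates = dict(pool_nets)
    candidates.update({n: ipaddress.ip_network(c) for n, c in other_ranges.items()})
    hits = []
    for pname, pnet in pool_nets.items():
        for oname, onet in candidates.items():
            if oname != pname and pnet.overlaps(onet) and (oname, pname) not in hits:
                hits.append((pname, oname))
    return hits


def utilization_alerts(pools, concurrent, threshold=0.80):
    """Pools whose peak concurrency is at or above the alert threshold (default 80%)."""
    return [(n, round(concurrent[n] / usable_hosts(c), 2))
            for n, c in pools.items() if concurrent[n] / usable_hosts(c) >= threshold]


if __name__ == "__main__":
    # us-east must also absorb eu-west users if that region fails over to it
    print("us-east needs a /%d" % required_prefix(PEAK_CONCURRENT["us-east"], PEAK_CONCURRENT["eu-west"]))
    print("overlaps:", find_overlaps(MOBILE_USER_POOLS, OTHER_RANGES))
    print("alerts:", utilization_alerts(MOBILE_USER_POOLS, PEAK_CONCURRENT))
```

Run against your own pool plan, the overlap list should be empty and the required prefix should be no longer than the pool you actually configured.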

Summary

Scaling Prisma Access mobile users is a capacity-planning exercise more than a configuration one. Size IP pools for peak concurrency plus failover headroom, keep them clear of every other range, place gateways where users actually are, and lean on an IdP so authentication never becomes the ceiling. Get those right and autoscale handles the rest.

Attique Bhatti

Enterprise Cloud Security Consultant and certified instructor across Palo Alto Networks, Check Point, and F5.

For architecture reviews or implementation support, email info@thecyberadviser.com.