User-ID Best Practices for GlobalProtect

Learn how to prepare to deploy, configure, and monitor GlobalProtect for use with User-ID.
Palo Alto Networks recommends GlobalProtect as a best practice solution for User-ID. It provides connectivity to remote users and uses internal gateways to gather mappings for users on internal networks. Because GlobalProtect requires users to authenticate with their credentials whenever there is a change in network connectivity, device posture, or user authentication state, it ensures accurate user mappings for user-based policy enforcement.

Plan User-ID Best Practices for GlobalProtect Deployment

  • Follow the GlobalProtect Quick Configs guide to determine how GlobalProtect will be deployed. For User-ID, use the Always On VPN Configuration and Mixed Internal and External Gateway Configuration.
  • Install the GlobalProtect client on all endpoints where you want to identify users.
  • Determine the directory attributes for user names (such as UserPrincipalName, sAMAccountName, or common-name) that you use for GlobalProtect authentication. Specify these attributes as either the Primary or Alternative username in the Group Mapping Profile.
  • If you use client certificate authentication, the certificate Subject Name field must identify the username. User-ID does not support machine certificates, because a machine certificate identifies the device rather than a user and so yields no username to map.
  • If you have only one internal gateway but have other firewalls that need to learn mappings from that gateway, plan how you will deploy redistribution to send mappings to other firewalls.
  • Determine whether you receive mappings from multiple sources. If so, evaluate the sources using the web interface or the CLI to determine whether the IP Address-to-Username mappings gathered from GlobalProtect could be overwritten by sources that provide mappings that may be less accurate or timely than GlobalProtect.

Deploy GlobalProtect Using Best Practices for User-ID

  • Deploy GlobalProtect Portals and Gateways. Deploy both internal and external gateways to consistently identify users regardless of location.
  • Use the Pre-logon (Always On) or User-logon (Always On) connection method to access the network when using both internal and external gateways.
  • If you use certificates for authentication, deploy User-Specific Client Certificates for Authentication using SCEP.
  • If you use internal gateways, use Internal Host Detection so the GlobalProtect Client knows when to send a user to an internal gateway.
  • Enable User Identification only in the source zones. For example, if you use a GlobalProtect External Gateway, enable User-ID in the zone associated with the tunnel interface (Network > Zones > tunnel-zone).
  • If you receive user mappings from multiple sources, exclude the GlobalProtect subnets for external GlobalProtect gateways on the User-ID agents so that the user mappings that GlobalProtect provides are not overwritten by sources that provide mappings that are less accurate or timely than GlobalProtect.
  • Configure User-ID Redistribution to share the mappings that the GlobalProtect gateways gather with other firewalls.
  • Specify all username formats that allow users to authenticate to GlobalProtect as the Primary Username or as Alternate Username Attributes in the Group Mapping profile. Enable Allow matching usernames without domains (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup) if users don't provide the domain name for GlobalProtect authentication.
  • Create your security policy rules and test that they match the expected user traffic flows.
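The username-format guidance above (primary and alternate username attributes, and "Allow matching usernames without domains") is easier to reason about with a small model of the lookup. The following is an added example written for this page, not PAN-OS code and not the firewall's actual matching algorithm: it resolves a login presented to GlobalProtect (UPN, DOMAIN\user, or a bare sAMAccountName) against constructed directory records, and shows the caveat that matters when domains are omitted: a bare account name that exists in more than one domain cannot be mapped safely. The directory records, attribute names, and the `AmbiguousUsername` handling are assumptions of the example.

```python
"""Model of Group Mapping username resolution with and without domains.

Added example, not Palo Alto Networks code. Models how a GlobalProtect
login in one of several formats is matched to a Primary Username via
primary and alternate attributes, and what allowing domain-less matches
permits. Directory data below is constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DirectoryUser:
    primary: str   # Primary Username, e.g. "acme\\jdoe" (domain\\sAMAccountName)
    upn: str       # Alternate attribute: userPrincipalName
    sam: str       # Alternate attribute: sAMAccountName (no domain)


# Constructed sample directory: two domains, and "asmith" exists in both.
DIRECTORY = [
    DirectoryUser("acme\\jdoe", "jdoe@acme.example", "jdoe"),
    DirectoryUser("acme\\asmith", "asmith@acme.example", "asmith"),
    DirectoryUser("corp\\asmith", "asmith@corp.example", "asmith"),
]


class AmbiguousUsername(Exception):
    """A domain-less login matched accounts in more than one domain."""


def resolve(login, directory=DIRECTORY, allow_without_domain=False):
    """Return the Primary Username a login maps to, or None if no match.

    Logins carrying a domain (DOMAIN\\user or user@suffix) are matched
    against the primary username and the UPN alternate attribute.
    A bare account name is only considered when allow_without_domain is
    True, mirroring the "Allow matching usernames without domains"
    option; if that bare name exists in more than one domain the lookup
    is refused instead of silently picking the first hit.
    """
    login = login.strip().lower()
    for rec in directory:
        if login in (rec.primary.lower(), rec.upn.lower()):
            return rec.primary
    if "\\" in login or "@" in login or not allow_without_domain:
        return None
    hits = [rec for rec in directory if rec.sam.lower() == login]
    if len(hits) > 1:
        raise AmbiguousUsername(
            f"{login!r} exists in {len(hits)} domains; require the domain")
    return hits[0].primary if hits else None


if __name__ == "__main__":
    for login in ("ACME\\jdoe", "jdoe@acme.example", "jdoe", "asmith"):
        try:
            print(login, "->", resolve(login, allow_without_domain=True))
        except AmbiguousUsername as exc:
            print(login, "->", "REFUSED:", exc)
```

The practical reading: enable domain-less matching only when account names are unique across every domain the Group Mapping profile covers; otherwise have the portal or client supply the domain so the mapping is unambiguous.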

Use GlobalProtect Post-Deployment Best Practices for User-ID

  • Maintain and update the GlobalProtect clients on the endpoints. If you have many endpoints to update, host app updates on a web server to reduce the load on the firewall when users connect to and download the app or use a software distribution tool to push the updates to the managed hosts.
  • On the GlobalProtect client, confirm that the users can successfully connect to an External Gateway.
  • Verify that the firewall receives the IP address-to-username mappings from GlobalProtect.
    • On the web interface, select Monitor > User-ID and confirm the usernames display in the User column.
    • Use CLI commands to confirm that the firewall correctly receives the mappings.
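The CLI check above and the earlier advice to exclude GlobalProtect subnets on other User-ID agents go together: the firewall's `show user ip-user-mapping all` output lists each mapping with the source that supplied it, so you can audit whether any address in a GlobalProtect pool has been overwritten by another source. The script below is an added example for this page, not Palo Alto Networks code: it parses a constructed sample of that output and flags mappings inside the GlobalProtect pools whose source is not GP. The column layout, the `GP` source label, and the pool ranges are assumptions; adjust them to match what your PAN-OS version prints and your gateway configuration.

```python
"""Audit IP address-to-username mappings for GlobalProtect overwrites.

Added example, not Palo Alto Networks code. Parses text shaped like the
output of `show user ip-user-mapping all` and reports mappings whose IP
lies in a GlobalProtect address pool but whose source ("From" column)
is something other than GP, i.e. a less accurate source has overwritten
the GlobalProtect mapping. The sample output and pools are constructed.
"""
import ipaddress
import re

# Constructed sample approximating `show user ip-user-mapping all`.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                 IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------- -------------- -------------
10.200.1.10     vsys1  GP      acme\\jdoe            Never          Never
10.200.1.11     vsys1  AD      acme\\svc-backup      1800           2700
10.50.7.23      vsys1  AD      acme\\asmith          1800           2700
10.200.2.5      vsys1  XMLAPI  acme\\contractor1     3600           3600
Total: 4 users
"""

# Assumed IP pools assigned by the external GlobalProtect gateways.
GP_POOLS = [ipaddress.ip_network("10.200.1.0/24"),
            ipaddress.ip_network("10.200.2.0/24")]

# Source label the firewall prints for GlobalProtect-learned mappings (assumed).
GP_SOURCE = "GP"

ROW_RE = re.compile(r"^(?P<ip>\S+)\s+(?P<vsys>\S+)\s+(?P<src>\S+)\s+(?P<user>\S+)")


def parse_mappings(text):
    """Return (ip, vsys, source, user) tuples for each mapping row.

    Header, separator and 'Total:' lines are dropped because their first
    token is not a valid IP address.
    """
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        try:
            ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue
        rows.append((m.group("ip"), m.group("vsys"), m.group("src"), m.group("user")))
    return rows


def in_gp_pool(ip, pools=GP_POOLS):
    """True if the address belongs to any GlobalProtect pool."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in pools)


def find_overwritten(text, pools=GP_POOLS):
    """Mappings in a GP pool whose source is not GlobalProtect."""
    return [(ip, src, user)
            for ip, _vsys, src, user in parse_mappings(text)
            if in_gp_pool(ip, pools) and src != GP_SOURCE]


if __name__ == "__main__":
    for ip, src, user in find_overwritten(SAMPLE_OUTPUT):
        print(f"{ip}: {user} mapped by {src}, expected {GP_SOURCE}; "
              f"exclude this pool on the agent that supplied it")
```

Each flagged row names the competing source, which tells you which User-ID agent or API client needs the GlobalProtect pool added to its exclusion list.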
