User-ID Best Practices for GlobalProtect
Expand all | Collapse all
End-of-Life (EoL)
User-ID Best Practices for GlobalProtect
Learn how to prepare to deploy, configure, and monitor
GlobalProtect for use with User-ID.
Palo Alto Networks recommends GlobalProtect
as a best practice solution for User-ID. It provides connectivity
to remote users and uses internal gateways to gather mappings for
users on internal networks. Because GlobalProtect requires users
to authenticate with their credentials whenever there is a change
in network connectivity, device posture, or user authentication
state, it ensures accurate user mappings for user-based policy enforcement.
Plan User-ID Best Practices for GlobalProtect Deployment
Install the GlobalProtect client on all endpoints where you
want to identify users.
Determine the directory attributes for user names (such as UserPrincipalName,
sAMAccountName, or common-name) that you use for GlobalProtect authentication.
Specify these attributes as either the Primary or Alternative username
in the Group Mapping Profile.
If you have only one internal gateway but have other firewalls
that need to learn mappings from that gateway, plan how you will
deploy
redistribution to
send mappings to other firewalls.
Determine whether you receive mappings from multiple sources.
If so, evaluate the sources using the web interface or the CLI to
determine whether the IP Address-to-Username mappings gathered from
GlobalProtect could be overwritten by sources that provide mappings
that may be less accurate or timely than GlobalProtect.
Deploy GlobalProtect Using Best Practices for User-ID
Deploy GlobalProtect
Portals and Gateways. Deploy both internal and external gateways
to consistently identify users regardless of location.
Use the Pre-logon (Always On) or User-log on (Always On) connection
method to access the network when using both internal and external
gateways.
If you use internal gateways, use
Internal Host Detection so
the GlobalProtect Client knows when to send a user to an internal
gateway.
Enable User Identification only in the source zones. For example,
if you use a GlobalProtect External Gateway, enable User-ID in the
zone associated with the tunnel interface ().
If you receive user mappings from multiple sources,
exclude the GlobalProtect
subnets for external GlobalProtect gateways on the User-ID agents
so that the user mappings that GlobalProtect provides are not overwritten
by sources that provide mappings that are less accurate or timely
than GlobalProtect.
Configure User-ID Redistribution to share the mappings that
the GlobalProtect gateways gather with other firewalls.
Specify all username formats that allow users to authenticate
to GlobalProtect as the Primary Username or as Alternate Username
Attributes in the Group Mapping profile. Enable
Allow
matching usernames without domains
() if users don’t provide
the domain name for GlobalProtect authentication.
Create your security policy rules and
test that they match the
expected user traffic flows.
Use GlobalProtect Post-Deployment Best Practices for User-ID
Maintain and
update the GlobalProtect
clients on the endpoints. If you have many endpoints to update,
host app updates on a web server to
reduce the load on the firewall when users connect to and download
the app or use a software distribution tool to push the updates
to the managed hosts.
On the GlobalProtect client, confirm that the users can successfully
connect to an External Gateway.
Verify that the firewall receives the IP address-to-username
mappings from GlobalProtect.
On
the web interface, select and confirm the usernames
display in the
User
column.
Use
CLI commands to confirm
that the firewall correctly receives the mappings.
