User-ID Best Practices for GlobalProtect

Learn how to prepare to deploy, configure, and monitor GlobalProtect for use with User-ID.
Palo Alto Networks recommends GlobalProtect as a best practice solution for User-ID. It provides connectivity to remote users and uses internal gateways to gather mappings for users on internal networks. Because GlobalProtect requires users to authenticate with their credentials whenever there is a change in network connectivity, device posture, or user authentication state, it ensures accurate user mappings for user-based policy enforcement.

Plan User-ID Best Practices for GlobalProtect Deployment

  • Follow the GlobalProtect Quick Configs guide to determine how to best deploy GlobalProtect. For User-ID, use the Always On VPN Configuration and Mixed Internal and External Gateway Configuration.
  • Install the GlobalProtect app on all endpoints where you want to identify users.
  • Determine the directory attributes for user names (such as UserPrincipalName, sAMAccountName, or common-name) that you use for GlobalProtect authentication. Specify these attributes as either the Primary or an Alternative username in the Group Mapping Profile.
  • If you use client certificate authentication, the certificate Subject Name field must identify the username. User-ID does not support machine certificates.
  • If you have only one internal gateway but have other firewalls that need to learn mappings from that gateway, plan how you will deploy redistribution to send mappings to other firewalls.
  • Determine whether you receive mappings from multiple sources. If so, evaluate the sources using the web interface or the CLI to determine whether the IP Address-to-Username mappings gathered from GlobalProtect could be overwritten by sources that provide mappings that may be less accurate or timely than GlobalProtect.

Deploy GlobalProtect Using Best Practices for User-ID

  • Deploy GlobalProtect portals and gateways. Deploy both internal and external gateways to consistently identify users regardless of location.
  • If you use internal gateways, use Internal Host Detection to allow the GlobalProtect app to determine if it is inside an enterprise network.
  • If you use both internal and external gateways, verify that the connection method is Pre-logon (Always On) or User-log on (Always On) to enable access to the network and to ensure that User-ID can receive the user mappings.
  • If you use certificates for authentication, deploy User-Specific Client Certificates for Authentication using Simple Certificate Enrollment Protocol (SCEP).
  • Enable User Identification only in the source zones. For example, if you use a GlobalProtect External Gateway, enable User-ID in the zone associated with the tunnel interface (
  • If you receive user mappings from multiple sources, exclude the GlobalProtect subnets for external GlobalProtect gateways on the User-ID agents so that the user mappings that GlobalProtect provides are not overwritten by sources that provide mappings that are less accurate or timely than GlobalProtect.
  • Configure redistribution to share the mappings that the GlobalProtect gateways gather with other firewalls.
  • Specify all username formats that allow users to authenticate to GlobalProtect as the Primary Username or as Alternate Username Attributes in the Group Mapping profile. Enable
    Allow matching usernames without domains
    User Identification
    User Mapping
    Palo Alto Networks User-ID Agent Setup
    ) if users don’t provide the domain name during GlobalProtect authentication.
  • Create your security policy rules and test that they match the expected user traffic flows.

Use GlobalProtect Post-Deployment Best Practices for User-ID

  • Maintain and update the GlobalProtect apps on the endpoints. If you have many endpoints to update, host app updates on a web server to reduce the load on the firewall when users connect to and download the app or use a software distribution tool to push the updates to the managed hosts.
  • On the GlobalProtect app, confirm that the users can successfully connect to an External Gateway.
  • Verify that the firewall receives the IP address-to-username mappings from GlobalProtect.
    • On the web interface, select
      and confirm the usernames display in the
    • Use CLI commands to confirm that the firewall correctly receives the mappings.

Recommended For You