User-ID Best Practices for GlobalProtect
Learn how to prepare to deploy, configure, and monitor GlobalProtect for use with User-ID.
Palo Alto Networks recommends GlobalProtect as a best practice solution for User-ID. It provides connectivity to remote users and uses internal gateways to gather mappings for users on internal networks. Because GlobalProtect requires users to authenticate with their credentials whenever there is a change in network connectivity, device posture, or user authentication state, it ensures accurate user mappings for user-based policy enforcement.
Plan User-ID Best Practices for GlobalProtect Deployment
- Install the GlobalProtect app on all endpoints where you want to identify users.
- Determine the directory attributes for user names (such as UserPrincipalName, sAMAccountName, or common-name) that you use for GlobalProtect authentication. Specify these attributes as either the Primary or an Alternative username in the Group Mapping Profile.
- If you use client certificate authentication, the certificate Subject Name field must identify the username. User-ID does not support machine certificates.
- If you have only one internal gateway but have other firewalls that need to learn mappings from that gateway, plan how you will deploy redistribution to send mappings to other firewalls.
- Determine whether you receive mappings from multiple sources. If so, evaluate the sources using the web interface or the CLI to determine whether the IP Address-to-Username mappings gathered from GlobalProtect could be overwritten by sources that provide mappings that may be less accurate or timely than GlobalProtect.
Deploy GlobalProtect Using Best Practices for User-ID
- Deploy GlobalProtect portals and gateways. Deploy both internal and external gateways to consistently identify users regardless of location.
- If you use internal gateways, use Internal Host Detection to allow the GlobalProtect app to determine if it is inside an enterprise network.
- If you use both internal and external gateways, verify that the connection method is Pre-logon (Always On) or User-logon (Always On) to enable access to the network and to ensure that User-ID can receive the user mappings.
- If you use certificates for authentication, deploy User-Specific Client Certificates for Authentication using Simple Certificate Enrollment Protocol (SCEP).
- Enable User Identification only in the source zones. For example, if you use a GlobalProtect External Gateway, enable User-ID in the zone associated with the tunnel interface (Network > Zones > tunnel-zone).
- If you receive user mappings from multiple sources, exclude the GlobalProtect subnets for external GlobalProtect gateways on the User-ID agents so that the user mappings that GlobalProtect provides are not overwritten by sources that provide mappings that are less accurate or timely than GlobalProtect.
- Configure redistribution to share the mappings that the GlobalProtect gateways gather with other firewalls.
- Specify all username formats that allow users to authenticate to GlobalProtect as the Primary Username or as Alternate Username Attributes in the Group Mapping profile. Enable Allow matching usernames without domains (Device > User Identification > User Mapping > Palo Alto Networks User-ID Agent Setup) if users don't provide the domain name during GlobalProtect authentication.
- Create your security policy rules and test that they match the expected user traffic flows.
Use GlobalProtect Post-Deployment Best Practices for User-ID
- On the GlobalProtect app, confirm that the users can successfully connect to an External Gateway.
- Verify that the firewall receives the IP address-to-username mappings from GlobalProtect.
- On the web interface, select Monitor > User-ID and confirm that the usernames display in the User column.
- Use CLI commands to confirm that the firewall correctly receives the mappings.
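The checks above (and the earlier point about other sources overwriting GlobalProtect mappings) can be automated against the mapping table the firewall reports. The following is an added example, not vendor code: it parses text in the shape of `show user ip-user-mapping all` output (the column layout and the sample rows are constructed assumptions) and flags any mapping inside a GlobalProtect tunnel pool whose source is not GP.

```python
import ipaddress

# Constructed sample in the shape of `show user ip-user-mapping all` output.
# Column layout (IP, Vsys, From, User, IdleTimeout, MaxTimeout) is an assumption.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                 IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- -------------------- -------------- -------------
10.20.0.15      vsys1  GP      acme\\jdoe            Never          Never
10.20.0.16      vsys1  AD      acme\\asmith          2400           2700
192.168.5.40    vsys1  AD      acme\\bwong           2400           2700
10.20.0.17      vsys1  XMLAPI  acme\\svc-scan        Never          Never
Total: 4 users
"""

# Assumed GlobalProtect tunnel pool: the subnet that should be excluded on
# the User-ID agents so their mappings cannot overwrite the GP ones.
GP_SUBNETS = [ipaddress.ip_network("10.20.0.0/24")]


def parse_mappings(text):
    """Return (ip, vsys, source, user) tuples from CLI-style mapping output."""
    mappings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[0] in ("IP", "Total:"):
            continue  # header, separator, footer or anything not a mapping row
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        mappings.append((ip, fields[1], fields[2], fields[3]))
    return mappings


def find_overwritten_gp_mappings(mappings, gp_subnets):
    """Mappings inside a GP pool whose source is not GP: evidence that another
    source (AD agent, XML API, ...) has overwritten the GlobalProtect mapping."""
    return [(str(ip), source, user) for ip, _vsys, source, user in mappings
            if source != "GP" and any(ip in net for net in gp_subnets)]


def count_by_source(mappings):
    """How many current mappings each source contributed."""
    counts = {}
    for _ip, _vsys, source, _user in mappings:
        counts[source] = counts.get(source, 0) + 1
    return counts


if __name__ == "__main__":
    found = parse_mappings(SAMPLE_OUTPUT)
    print("mappings by source:", count_by_source(found))
    for ip, source, user in find_overwritten_gp_mappings(found, GP_SUBNETS):
        print(f"WARNING: {ip} in GP pool mapped to {user} by {source}, not GP")
```

Any row the second function reports points at a source that still covers the tunnel subnet and should be excluded on that User-ID agent.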