Strata Copilot
    User-ID Best Practices
    : User-ID Best Practices for GlobalProtect
    Focus
    Download PDF
    Focus
    1. Home
    2. Best Practices
    3. User-ID Best Practices
    4. User-ID Best Practices
    5. User-ID Best Practices for GlobalProtect
    Download PDF

    User-ID Best Practices

    User-ID Best Practices for GlobalProtect

    Table of Contents

    User-ID Best Practices for GlobalProtect

    Learn how to prepare to deploy, configure, and monitor GlobalProtect for use with User-ID.
    Palo Alto Networks recommends GlobalProtect as a best practice solution for User-ID. It provides connectivity to remote users and uses internal gateways to gather mappings for users on internal networks. Because GlobalProtect requires users to authenticate with their credentials whenever there is a change in network connectivity, device posture, or user authentication state, it ensures accurate user mappings for user-based policy enforcement.

    Plan User-ID Best Practices for GlobalProtect Deployment

    • Follow the GlobalProtect Quick Configs guide to determine how to best deploy GlobalProtect. For User-ID, use the Always On VPN Configuration and Mixed Internal and External Gateway Configuration.
    • Install the GlobalProtect app on all endpoints where you want to identify users.
    • Determine the directory attributes for user names (such as UserPrincipalName, sAMAccountName, or common-name) that you use for GlobalProtect authentication. Specify these attributes as either the Primary or an Alternative username in the Group Mapping Profile.
    • If you use client certificate authentication, the certificate Subject Name field must identify the username. User-ID does not support machine certificates.
    • If you have only one internal gateway but have other firewalls that need to learn mappings from that gateway, plan how you will deploy redistribution to send mappings to other firewalls.
    • Determine whether you receive mappings from multiple sources. If so, evaluate the sources using the web interface or the CLI to determine whether the IP Address-to-Username mappings gathered from GlobalProtect could be overwritten by sources that provide mappings that may be less accurate or timely than GlobalProtect.

    Deploy GlobalProtect Using Best Practices for User-ID

    • Deploy GlobalProtect portals and gateways. Deploy both internal and external gateways to consistently identify users regardless of location.
    • If you use internal gateways, use Internal Host Detection to allow the GlobalProtect app to determine if it is inside an enterprise network.
    • If you use both internal and external gateways, verify that the connection method is Pre-logon (Always On) or User-log on (Always On) to enable access to the network and to ensure that User-ID can receive the user mappings.
    • If you use certificates for authentication, deploy User-Specific Client Certificates for Authentication using Simple Certificate Enrollment Protocol (SCEP).
    • Enable User Identification only in the source zones. For example, if you use a GlobalProtect External Gateway, enable User-ID in the zone associated with the tunnel interface (NetworkZonestunnel-zone).
    • If you receive user mappings from multiple sources, exclude the GlobalProtect subnets for external GlobalProtect gateways on the User-ID agents so that the user mappings that GlobalProtect provides are not overwritten by sources that provide mappings that are less accurate or timely than GlobalProtect.
    • Configure redistribution to share the mappings that the GlobalProtect gateways gather with other firewalls.
    • Specify all username formats that allow users to authenticate to GlobalProtect as the Primary Username or as Alternate Username Attributes in the Group Mapping profile. Enable Allow matching usernames without domains (DeviceUser IdentificationUser MappingPalo Alto Networks User-ID Agent Setup) if users don’t provide the domain name during GlobalProtect authentication.
    • Create your security policy rules and test that they match the expected user traffic flows.

    Use GlobalProtect Post-Deployment Best Practices for User-ID

    • Maintain and update the GlobalProtect apps on the endpoints. If you have many endpoints to update, host app updates on a web server to reduce the load on the firewall when users connect to and download the app or use a software distribution tool to push the updates to the managed hosts.
    • On the GlobalProtect app, confirm that the users can successfully connect to an External Gateway.
    • Verify that the firewall receives the IP address-to-username mappings from GlobalProtect.
      • On the web interface, select MonitorUser-ID and confirm the usernames display in the User column.
      • Use CLI commands to confirm that the firewall correctly receives the mappings.

    © 2025 Palo Alto Networks, Inc. All rights reserved.