User-ID Best Practices for GlobalProtect
Learn how to prepare to deploy, configure, and monitor GlobalProtect for use with User-ID.
Palo Alto Networks recommends GlobalProtect as a best practice solution for User-ID. It provides connectivity to remote users and uses internal gateways to gather mappings for users on internal networks. Because GlobalProtect requires users to authenticate with their credentials whenever there is a change in network connectivity, device posture, or user authentication state, it ensures accurate user mappings for user-based policy enforcement.
Plan User-ID Best Practices for GlobalProtect Deployment
Install the GlobalProtect app on all endpoints where you want to identify users.
Determine the directory attributes for user names (such as UserPrincipalName, sAMAccountName, or common-name) that you use for GlobalProtect authentication. Specify these attributes as either the Primary or an Alternative username in the Group Mapping Profile.
If you have only one internal gateway but have other firewalls that need to learn mappings from that gateway, plan how you will deploy redistribution to send mappings to other firewalls.
Determine whether you receive mappings from multiple sources. If so, evaluate the sources using the web interface or the CLI to determine whether the IP address-to-username mappings gathered from GlobalProtect could be overwritten by sources that provide mappings that may be less accurate or timely than GlobalProtect.
Deploy GlobalProtect Using Best Practices for User-ID
Deploy GlobalProtect portals and gateways. Deploy both internal and external gateways to consistently identify users regardless of location.
If you use internal gateways, use Internal Host Detection to allow the GlobalProtect app to determine whether it is inside the enterprise network.
If you use both internal and external gateways, verify that the connection method is Pre-logon (Always On) or User-logon (Always On) to enable access to the network and to ensure that User-ID can receive the user mappings.
Enable User Identification only in the source zones. For example, if you use a GlobalProtect External Gateway, enable User-ID in the zone associated with the tunnel interface ().
If you receive user mappings from multiple sources, exclude the GlobalProtect subnets for external GlobalProtect gateways on the User-ID agents so that the user mappings that GlobalProtect provides are not overwritten by sources that provide mappings that are less accurate or timely than GlobalProtect.
Configure redistribution to share the mappings that the GlobalProtect gateways gather with other firewalls.
Specify all username formats that allow users to authenticate to GlobalProtect as the Primary Username or as Alternate Username Attributes in the Group Mapping profile. Enable Allow matching usernames without domains () if users don’t provide the domain name during GlobalProtect authentication.
Create your security policy rules and test that they match the expected user traffic flows.
Use GlobalProtect Post-Deployment Best Practices for User-ID
Maintain and update the GlobalProtect apps on the endpoints. If you have many endpoints to update, host app updates on a web server to reduce the load on the firewall when users connect to and download the app, or use a software distribution tool to push the updates to the managed hosts.
On the GlobalProtect app, confirm that the users can successfully connect to an External Gateway.
Verify that the firewall receives the IP address-to-username mappings from GlobalProtect. On the web interface, select and confirm that the usernames display in the User column. Use CLI commands to confirm that the firewall correctly receives the mappings.
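The two checks above (evaluating whether another source could overwrite GlobalProtect mappings, and confirming via the CLI that the mappings arrive) can be scripted against the mapping table. The following is an added example, not code from Palo Alto Networks; the sample table is constructed and modelled on the output of the PAN-OS command show user ip-user-mapping all, so the column layout, the "GP" source label and the pool addresses are assumptions to adjust for your deployment.

```python
import ipaddress

# Constructed sample modelled on "show user ip-user-mapping all" output.
# Column layout and the "From" source labels are assumptions; adjust the
# parser if your PAN-OS version prints different headers.
SAMPLE_OUTPUT = """\
IP              Vsys   From    User                  IdleTimeout(s) MaxTimeout(s)
--------------- ------ ------- --------------------- -------------- -------------
10.10.1.15      vsys1  GP      acme\\jdoe            2700           2700
10.10.1.16      vsys1  AD      acme\\asmith          2700           2700
192.168.5.22    vsys1  GP      acme\\rlee            2700           2700
172.16.3.40     vsys1  XMLAPI  acme\\svc-scanner     2700           2700
Total: 4 users
"""

# Hypothetical address pools handed out by the GlobalProtect gateways.
GP_POOLS = [ipaddress.ip_network("10.10.1.0/24"),
            ipaddress.ip_network("192.168.5.0/24")]


def parse_mappings(text):
    """Return (ip, source, user) tuples from the mapping table text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # Data rows begin with an IP address; headers, rules and the
        # trailing total line are skipped.
        if len(parts) < 4:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        rows.append((ip, parts[2], parts[3]))
    return rows


def find_overwritten(text, gp_pools):
    """Mappings inside GP pools whose source is not GP: these are the
    entries a less accurate or timely source has overwritten."""
    suspects = []
    for ip, source, user in parse_mappings(text):
        if any(ip in pool for pool in gp_pools) and source != "GP":
            suspects.append((str(ip), source, user))
    return suspects


if __name__ == "__main__":
    for ip, source, user in find_overwritten(SAMPLE_OUTPUT, GP_POOLS):
        print(f"{ip} -> {user} learned from {source}; exclude this pool on that source")
```

An entry flagged here points at the User-ID agent or other source on which the GlobalProtect pool still needs to be excluded.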