When you configure a secondary enforcement device with
your Palo Alto Networks firewall to enforce user-based policy, the
secondary device may not have the IP address-to-username mapping
from the firewall. Transmitting the user’s identity to downstream
devices may require deployment of additional devices such as proxies
or negatively impact the user’s experience (for example, users having
to log in multiple times). You can dynamically add the domain and
username to the HTTP header of the user’s outgoing traffic, allowing
any secondary devices that you use with your Palo Alto Networks
firewall to receive the user’s information and enforce user-based
policy. Including the user's identity by
inserting the username
and domain in the traffic headers enables enforcement of
user-based policy without negatively impacting the user's experience or
deployment of additional infrastructure.