When you configure a secondary enforcement device with your Palo Alto Networks firewall to enforce user-based policy, the secondary device may not have the IP address-to-username mapping from the firewall. Transmitting the user’s identity to downstream devices may require deployment of additional devices such as proxies or negatively impact the user’s experience (for example, users having to log in multiple times). You can dynamically add the domain and username to the HTTP header of the user’s outgoing traffic, allowing any secondary devices that you use with your Palo Alto Networks firewall to receive the user’s information and enforce user-based policy. Including the user's identity by inserting the username and domain in the traffic headers enables enforcement of user-based policy without negatively impacting the user's experience or deployment of additional infrastructure.