User-ID Across NAT
If you have a Mobile Users—GlobalProtect deployment that accesses private apps through a
service connection that has source NAT enabled with an NGFW, learn how to preserve the
User-ID and Device-ID mapping.
Mobile users access private apps using a service connection. If your deployment uses
a Next-Generation Firewall (NGFW) in the data center or headquarters location where
the private apps are located, and if your service connection has source NAT enabled,
the NGFW can't retrieve the User-ID and Device-ID mapping. Source NAT on the service
connection prevents the mobile users' User-ID and Device-ID mapping from being
distributed to the NGFW. If the NGFW can't retrieve this mapping, it can't enforce
the zone-based security policy rules you have created on it based on User-ID or
Device-ID mapping.
User-ID Across NAT lets your network distribute the User-ID or Device-ID mapping from
mobile users to the NGFW and then on to the headquarters or data center, thus
allowing the NGFW to enforce security policy rules based on the User-ID mapping it
has learned from the service connection. This configuration ensures a consistent
security posture across your mobile user deployment.