NGFW (managed by Panorama or Strata Cloud Manager)
Prisma Access (managed by Panorama or Strata Cloud Manager)
Windows and macOS endpoints only
GlobalProtect Gateway license or Prisma Access license with the
Mobile User subscription
GlobalProtect version 6.3.3-h6 (6.3.3-c842) or later
You can maintain consistent User-ID mappings for users whether they are working
remotely or connected to the corporate network. To use this feature, set
Enable Unified User-ID in Internal Networks to
Yes in the GlobalProtect app settings. For more information, see Customize the GlobalProtect App.
Your environment must meet the following prerequisites for this feature to work:
GlobalProtect is configured in always-on mode with the connect method set to user-logon
or pre-logon.
Split tunneling is configured with include/exclude access routes for internal
gateways so that authentication and HIP reports to internal gateways do not
route through the tunnel. To do this, create a tunnel policy so that internal subnet
traffic is split-excluded from the tunnel when the user is on the corporate
network.
Internal Host Detection is configured and resolves to the internal network.
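As an added check (example code written for this section, not part of the Palo Alto Networks documentation or product): given the split-tunnel include/exclude access routes and the internal gateway addresses, confirm that every internal gateway is reached outside the tunnel, so that authentication and HIP submissions to it never traverse the tunnel. It assumes the longest-prefix-match rule when an include route and an exclude route both cover a destination, and all routes and addresses below are constructed sample values.

```python
import ipaddress

def longest_match(addr, routes):
    """Return the most specific route in `routes` that contains addr, or None."""
    best = None
    for route in routes:
        if addr in route and (best is None or route.prefixlen > best.prefixlen):
            best = route
    return best

def classify(dest_ip, include, exclude):
    """Decide whether traffic to dest_ip goes through the tunnel or direct.

    Assumptions (not taken from the documentation page):
      - with no matching include route, traffic is tunneled by default
        (the full-tunnel behaviour the feature relies on);
      - when an include and an exclude route both match, the longer prefix
        wins; an exact tie is treated as a configuration conflict.
    """
    dest = ipaddress.ip_address(dest_ip)
    inc = longest_match(dest, include)
    exc = longest_match(dest, exclude)
    if exc is None:
        return "tunnel"
    if inc is None:
        return "direct"
    if exc.prefixlen == inc.prefixlen:
        raise ValueError(f"{dest} is both included and excluded by {inc} / {exc}")
    return "direct" if exc.prefixlen > inc.prefixlen else "tunnel"

def gateways_behind_tunnel(gateways, include_cidrs, exclude_cidrs):
    """Return the internal gateways whose traffic would wrongly use the tunnel."""
    include = [ipaddress.ip_network(c) for c in include_cidrs]
    exclude = [ipaddress.ip_network(c) for c in exclude_cidrs]
    return [g for g in gateways if classify(g, include, exclude) == "tunnel"]

# Constructed sample configuration: two include routes, two exclude routes,
# and three internal gateways. 10.20.1.1 has no exclude route covering it.
SAMPLE_INCLUDE = ["10.0.0.0/8", "172.16.0.0/12"]
SAMPLE_EXCLUDE = ["10.10.0.0/16", "172.16.5.0/24"]
SAMPLE_GATEWAYS = ["10.10.1.1", "172.16.5.10", "10.20.1.1"]

if __name__ == "__main__":
    bad = gateways_behind_tunnel(SAMPLE_GATEWAYS, SAMPLE_INCLUDE, SAMPLE_EXCLUDE)
    for gw in bad:
        print(f"internal gateway {gw} is not split-excluded; auth and HIP would tunnel")
```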
When users are working remotely, the GlobalProtect agent launches automatically when they
power on their Windows or macOS device. The agent authenticates the user and establishes
a full VPN tunnel to the configured external gateway (Prisma Access). A User-ID mapping
is created on Prisma Access, linking the user to their assigned virtual IP address. All
network traffic from the device is routed through the tunnel. Prisma Access inspects all
traffic and applies the relevant user-based security policies.
When users are in the office on the internal network, the GlobalProtect agent performs
dual authentication:
External Authentication: It authenticates with the external gateway (Prisma
Access) and establishes the primary VPN tunnel, which creates a User-ID mapping
on Prisma Access.
Internal Authentication: It also authenticates directly with the configured
on-premises gateways to create a User-ID mapping on the on-premises firewalls. No
tunnel is established with the internal gateways.
Split-tunneled traffic to internal resources uses the physical IP mapping, while
tunneled traffic to external resources uses the virtual IP mapping. The agent collects
Host Information Profile (HIP) data from all endpoints.
The agent submits the HIP report to Prisma Access. Prisma Access enforces
HIP-based policies on all tunneled traffic. When the user is on the internal network,
the agent submits the HIP report to both the external gateway (Prisma Access) and the
internal gateways during the respective authentication. Prisma Access uses the report to
enforce policy on any traffic that is tunneled. The on-premises gateways use the report
to enforce policy on the split-tunneled traffic for local resources. The organization
can thus enforce consistent endpoint device compliance (e.g., checking for active AV or
disk encryption) for all traffic, regardless of user location or traffic destination.