For mobile or roaming users, the GlobalProtect client
provides the user mapping information to the firewall directly.
In this case, every GlobalProtect user has an agent or app running
on the client that requires the user to enter login credentials
for VPN access to the firewall. This login information is then added
to the User-ID user mapping table on the firewall for visibility
and user-based security policy enforcement. Because GlobalProtect
users must authenticate to gain access to the network, the IP address-to-username
mapping is explicitly known. This is the best solution in sensitive
environments where you must be certain of who a user is in order
to allow access to an application or service. For more information
on setting up GlobalProtect, refer to the GlobalProtect Administrator’s Guide.