For mobile or roaming users, the GlobalProtect endpoint
provides the user mapping information to the firewall directly.
In this case, every GlobalProtect user has an app running
on the endpoint that requires the user to enter login credentials
for VPN access to the firewall. This login information is then added
to the User-ID user mapping table on the firewall for visibility and
user-based security policy enforcement. Because GlobalProtect users
must authenticate to gain access to the network, the IP address-to-username
mapping is explicitly known. This is the best solution in sensitive
environments where you must be certain of who a user is in order
to allow access to an application or service. For more information
on setting up GlobalProtect, refer to the GlobalProtect Administrator’s Guide.