How to remove the commit warning message, "does not have 'enable-user-identification' turned on for globalprotect gateway"

Created On 12/14/18 22:07 PM - Last Modified 02/11/26 10:11 AM


Objective


Commit warning message:
Warning: Zone '[name]' does not have 'enable-user-identification' turned on for globalprotect gateway '[name]'


Environment


  • NGFW
  • Supported PAN-OS versions
  • GlobalProtect Gateway 
  • Tunnel mode


Procedure


Steps:

  1. From the web interface, navigate to Network > Zones.
  2. Select the zone named in the warning. In this example, the affected zone is “GP-Zone”.
  3. Under the User Identification ACL section, select the Enable User Identification checkbox.
  4. Commit the firewall configuration. The commit operation should now complete successfully, and the “enable-user-identification” warning should no longer appear.



Additional Information


The message is a warning and can be safely disregarded if GlobalProtect users do not require IP-to-user mapping.
By enabling the User Identification feature on the GlobalProtect zone, the firewall will perform IP-to-user mappings for users authenticated through GlobalProtect. These mappings can then be used for source user–based security policies, as well as for traffic logging and reporting.

Note: Only enable User-ID on trusted zones.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0
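
The check below is an added example, not Palo Alto Networks code: it audits an exported configuration for the two conditions this article discusses, a GlobalProtect zone without User-ID enabled and User-ID enabled on a zone that is not trusted. The XML layout, the zone names, and the `gp_zones` / `trusted_zones` inputs are assumptions supplied by the operator.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed fragment shaped like an exported running
# config. Zone names and interfaces are made up for this example.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<zone>
  <entry name="GP-Zone">
    <network><layer3><member>tunnel.1</member></layer3></network>
  </entry>
  <entry name="Trust">
    <network><layer3><member>ethernet1/2</member></layer3></network>
    <enable-user-identification>yes</enable-user-identification>
  </entry>
  <entry name="Untrust">
    <network><layer3><member>ethernet1/1</member></layer3></network>
    <enable-user-identification>yes</enable-user-identification>
  </entry>
</zone>
</entry></vsys></entry></devices></config>
"""

def audit_zones(config_xml, gp_zones, trusted_zones):
    """Return (zone, finding) pairs for User-ID settings worth reviewing.

    gp_zones: zones that hold GlobalProtect gateway tunnel interfaces.
    trusted_zones: zones the operator considers trusted.
    """
    findings = []
    root = ET.fromstring(config_xml)
    # Assumed layout: zones live under each vsys entry.
    for entry in root.findall(".//vsys/entry/zone/entry"):
        name = entry.get("name")
        flag = entry.findtext("enable-user-identification", "no")
        enabled = flag.strip() == "yes"
        if name in gp_zones and not enabled:
            # The condition behind the commit warning in this article.
            findings.append((name, "gp-zone-without-user-id"))
        if enabled and name not in trusted_zones:
            # The article's note: only enable User-ID on trusted zones.
            findings.append((name, "user-id-on-untrusted-zone"))
    return findings

if __name__ == "__main__":
    trusted = {"GP-Zone", "Trust"}
    for zone, finding in audit_zones(SAMPLE_CONFIG, {"GP-Zone"}, trusted):
        print(f"{zone}: {finding}")
```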


