How to remove the commit warning message, "does not have 'enable-user-identification' turned on for globalprotect gateway"
Created On 12/14/18 22:07 PM - Last Modified 12/06/24 10:01 AM
Objective
Warning message shown on commit:
Warning: Zone '[name]' does not have 'enable-user-identification' turned on for globalprotect gateway '[name]'
Environment
- NGFW
- Supported PAN-OS versions
- GlobalProtect Gateway
Procedure
Steps:
- From the Web GUI, navigate to Network > Zones
- Select the zone named in the warning. In this case, it is the zone called 'GP-Zone'.
- Under the section User Identification ACL, check the Enable User Identification box.
- Commit the firewall configuration. Commits should now complete without the 'enable-user-identification' warning.
Additional Information
The message is a 'Warning' and can be disregarded if GlobalProtect users do not need an ip-user-mapping.
With user identification enabled on the GlobalProtect zone, the firewall creates ip-user-mappings for users logged in through GlobalProtect. The mappings can then be used for source-user-based policy, traffic logging, and reporting.
Note: Only enable User-ID on trusted zones.
(https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0)
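An offline check of an exported configuration for both points above: zones that hold a GlobalProtect tunnel interface without User-ID enabled, and zones with User-ID enabled that are not on a trusted list. This is an added example, not Palo Alto Networks code. The XML layout, the interface name tunnel.1, the zone names other than GP-Zone, and the function name audit_user_id are assumptions, and the sample configuration is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Assumed layout: zone entries with
# network/<type>/member interfaces and an optional enable-user-identification.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<zone>
  <entry name="GP-Zone">
    <network><layer3><member>tunnel.1</member></layer3></network>
  </entry>
  <entry name="Trust">
    <network><layer3><member>ethernet1/2</member></layer3></network>
    <enable-user-identification>yes</enable-user-identification>
  </entry>
  <entry name="Untrust">
    <network><layer3><member>ethernet1/1</member></layer3></network>
    <enable-user-identification>yes</enable-user-identification>
  </entry>
</zone>
</entry></vsys></entry></devices></config>
"""

def audit_user_id(config_xml, gp_interfaces, trusted_zones):
    """Return (missing, untrusted_enabled) lists of zone names.

    missing: zones holding a GlobalProtect tunnel interface without User-ID
             enabled (the condition behind the commit warning).
    untrusted_enabled: zones with User-ID enabled that the caller has not
             listed as trusted (the article's closing note).
    """
    root = ET.fromstring(config_xml)
    missing, untrusted_enabled = [], []
    for zone in root.iter("zone"):
        for entry in zone.findall("entry"):
            name = entry.get("name")
            members = {m.text for m in entry.findall("./network/*/member")}
            # An absent element is treated as disabled.
            flag = entry.findtext("enable-user-identification", "no")
            enabled = flag.strip() == "yes"
            if members & set(gp_interfaces) and not enabled:
                missing.append(name)
            if enabled and name not in trusted_zones:
                untrusted_enabled.append(name)
    return missing, untrusted_enabled

if __name__ == "__main__":
    missing, risky = audit_user_id(SAMPLE_CONFIG, {"tunnel.1"}, {"Trust", "GP-Zone"})
    print("GlobalProtect zones without User-ID:", missing)
    print("User-ID enabled outside trusted zones:", risky)
```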