https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19535#M14267 <HTML><HEAD></HEAD><BODY><P>Yes, you have to enable User Identification, not only for identify your users in Inside but to enable VPN on Outside, it is mandatory.</P><P></P><P>Regards</P><P>Samuel</P></BODY></HTML> Mon, 09 Apr 2012 10:10:11 GMT ssancho 2012-04-09T10:10:11Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19534#M14266 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I get above machine when i try to commit. Os version is 4.1.3. Do i have to enable the user-identification on untrust interface?</P><P></P><P>Please advice</P><P></P><P>Thanks</P><P></P><P>Asanka </P></BODY></HTML> Mon, 09 Apr 2012 09:01:19 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19534#M14266 Asanka 2012-04-09T09:01:19Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19535#M14267 <HTML><HEAD></HEAD><BODY><P>Yes, you have to enable User Identification, not only for identify your users in Inside but to enable VPN on Outside, it is mandatory.</P><P></P><P>Regards</P><P>Samuel</P></BODY></HTML> Mon, 09 Apr 2012 10:10:11 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19535#M14267 ssancho 2012-04-09T10:10:11Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19536#M14268 <HTML><HEAD></HEAD><BODY><P>To clarify, the message is a 'Warning' and it can be disregarded if the GlobalProtect users do not need a user-ip-mapping.</P><P></P><P>In most all environments you will want to enable the user-identification feature on the GlobalProtect zone to receive user-ip-mappings for logged in users. These mappings can be used for source user based policy and visualization in logging and reporting.</P><P></P><P></P><P></P><P>- Stefan</P></BODY></HTML> Wed, 11 Apr 2012 05:50:48 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19536#M14268 sspringer 2012-04-11T05:50:48Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19537#M14269 <HTML><HEAD></HEAD><BODY><P>To further clarify - my understanding is that enable-user-identification on untrust is only required if you are using HIP profiles to control access for your GP users ? is that the only reason you would need to enable it ?</P></BODY></HTML> Thu, 12 Apr 2012 12:59:27 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19537#M14269 SimmSimm 2012-04-12T12:59:27Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19538#M14270 <HTML><HEAD></HEAD><BODY><P><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; FONT-SIZE: 12pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Hi</SPAN></P><P><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; FONT-SIZE: 12pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"> </SPAN></P><P><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; FONT-SIZE: 12pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Thank you for the prompt response to my issue i've posed. In general what my major concern was if I enable user identification on Untrust interface just to get rid of the annoying warning message keeps popping up during the commit process, whether its going to add extra burden to the firewall by actively trying to resole internet addresses (Since its the Untrust interface) with my user-ip mappings stored on the appliance retrieved via active directory. I am pretty much confused why I am still getting this message even after I enable user identification to the Zone where my Global protect vpn tunnel bounded to.<BR /><BR />I am neither using HIP profiles to control users nor any other Global protect advanced features at the moment. But have configured Global protect to do authentication through a LDAP authentication profile which points to my AD.</SPAN></P><P><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; FONT-SIZE: 12pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"> </SPAN></P><P><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; FONT-SIZE: 12pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Thanks</SPAN></P><P><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; FONT-SIZE: 12pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA"> </SPAN></P><P><SPAN style="FONT-FAMILY: 'Times New Roman','serif'; FONT-SIZE: 12pt; mso-fareast-font-family: Calibri; mso-fareast-theme-font: minor-latin; mso-ansi-language: EN-US; mso-fareast-language: EN-US; mso-bidi-language: AR-SA">Asanka</SPAN> </P><P></P><P></P><P></P><P></P></BODY></HTML> Mon, 16 Apr 2012 06:53:04 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19538#M14270 Asanka 2012-04-16T06:53:04Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19539#M14271 <HTML><HEAD></HEAD><BODY><P>Hello Asanka</P><P>I recommend not to enable to user-id on the untrust zone. This will have&nbsp; impact on performance. I dont have a number to quantify this.</P><P></P><P>Thank you</P><P>jerish</P></BODY></HTML> Mon, 16 Apr 2012 17:15:36 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19539#M14271 jpa 2012-04-16T17:15:36Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19540#M14272 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Thank you Jerish for your comment. But please let me know how to get rid of the warning message i get when ever i do the commit without enabling it?</P><P></P><P>Thanks</P><P></P><P>Asanka</P></BODY></HTML> Tue, 17 Apr 2012 15:44:57 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19540#M14272 Asanka 2012-04-17T15:44:57Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19541#M14273 <HTML><HEAD></HEAD><BODY><P>If you do not enable UserID on the Untrust interface with GP enabled, you will be prompted with that warning message each time you commit. </P><P></P><P>If you'd like get rid of the message, then you'd have to enable User Identification. It is your choice because without enabling UserID on the Untrust, you will be prompted with that Warning message each time</P></BODY></HTML> Thu, 19 Apr 2012 16:26:43 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19541#M14273 sjamaluddin 2012-04-19T16:26:43Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19542#M14274 <HTML><HEAD></HEAD><BODY><P>Would it be possible to implement some kind of "ignore these messages" so you wont get warnings you already know about (since a warning force you to read the commit popup just to find out you already knew that warning - compared to if no warning at all is displayed)?</P><P></P><P>Along with somewhere in the GUI where one could see a list of ignored warnings (and be able to re-enable that warning again)?</P></BODY></HTML> Thu, 19 Apr 2012 19:56:50 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19542#M14274 mikand 2012-04-19T19:56:50Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19543#M14275 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P><BR />At this time, the warnings generated while doing a commit cannot be removed and would be readable each time you commit to the device.</P><P>Also there is no option to hide those warnings and re-enabling them.</P><P>The idea was to make the user aware of the&nbsp; changes that were made to the configurations might impact the functionality.</P><P><BR />Regards,</P><P>Parth</P></BODY></HTML> Thu, 19 Apr 2012 21:12:11 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19543#M14275 ppatel 2012-04-19T21:12:11Z https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19544#M14276 <HTML><HEAD></HEAD><BODY><P>I had the exact same warning a few months back, what I did was enable user-identification on the untrust zone, but then also added 0.0.0.0/0 to the 'user-id excluded list' in the same window, this got rid of the error and also won't add load by trying to identify all untrust traffic.</P></BODY></HTML> Thu, 26 Apr 2012 13:35:35 GMT https://live.paloaltonetworks.com/t5/general-topics/warning-zone-untrust-does-not-have-enable-user-identification/m-p/19544#M14276 jrhjrh 2012-04-26T13:35:35Z