User-id with internal portal

Showing results for 
Show  only  | Search instead for 
Did you mean: 

User-id with internal portal

L1 Bithead

Hello community,

I have just started my journey to PA world and spend several days configuring global protect features.

I successfully configured portal for as internal point of connection for Global protect client.

Idea is to provide User-id information to firewall without VPN connection.


As result my GP client tells me that "you are connected to internal network" but under PA device I don't see user<->ip information. User-id based rules don't work. no information from "show user ip-user-mapping all."

1. Are there any additional steps required to enable User-id features. I enable it only at security zone level.

2. Would it be possible to have one portal but two gateways (ext, int) for internal (user-id provisioning only )  and external (vpnssl)  deployments. Or there are two portals external / internal are required ?


Thanks in advice !


Cyber Elite
Cyber Elite


1) Did you remember to enable user-id on the GlobalProtect interface? 

2) You can use the same gateway for Internal/External connections without issue. 

Do you mean interface where portal is hosted ! 

Thanks for reply ! 

That's correct. Say for example I'm using the interface ethernet1/2 for the internal gateway and you have that assigned to the default 'trust' zone, you'll need to ensure that you have user ID enabled for the zone. 

L2 Linker

So I believe you're looking for how to authenticate logged in users whether they're outside or inside. I've spent 2 ways on how to do it, the documentation is not describing it clearly. You need to have 2 gateways for this, one external, and one internal one. The internal gateway can be your firewall interface inside IP address, the main trick is here:

this IP must be resolvable into your internal hostname you specified in the portal config in both ways: in the direct internal DNS resolution, and also reversed DNS resolution.


In my example I have the inside L3 interface with the IP In my internal DNS there is an A record pointing to this IP, and ALSO there is reversed zone arpa.1.168.192 that resolves .1 into


The gateway config is here:





And then the portal config is here:



Internal Gateway:



And after that your GlobalProtect should be able to get your user authenticated straight away.




And yes, it's very important: All this is working in "Always-On" mode only!!! At least in my case.

Hope this helps.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!