Warning: Zone 'Untrust' does not have 'enable-user-identification' turned on for globalprotect gateway 'tunnel'


L2 Linker

Hi,

I get the above message when I try to commit. OS version is 4.1.3. Do I have to enable user identification on the Untrust interface?

Please advise.

Thanks

Asanka


L2 Linker

Yes, you have to enable User Identification, not only to identify your users on the Inside but to enable VPN on the Outside; it is mandatory.

Regards

Samuel

To clarify, the message is a 'Warning' and it can be disregarded if the GlobalProtect users do not need a user-ip-mapping.

In almost all environments you will want to enable the user-identification feature on the GlobalProtect zone to receive user-ip-mappings for logged-in users. These mappings can be used for source-user-based policy and for visualization in logging and reporting.

- Stefan

To further clarify: my understanding is that enable-user-identification on Untrust is only required if you are using HIP profiles to control access for your GP users? Is that the only reason you would need to enable it?

Hi

Thank you for the prompt response to the issue I've posed. In general, my major concern was this: if I enable user identification on the Untrust interface just to get rid of the annoying warning message that keeps popping up during the commit process, is it going to add extra burden to the firewall by actively trying to resolve Internet addresses (since it is the Untrust interface) against the user-ip mappings stored on the appliance and retrieved via Active Directory? I am also pretty confused as to why I am still getting this message even after I enabled user identification on the zone to which my GlobalProtect VPN tunnel is bound.

I am neither using HIP profiles to control users nor any other GlobalProtect advanced features at the moment, but I have configured GlobalProtect to authenticate through an LDAP authentication profile which points to my AD.

Thanks

Asanka

L4 Transporter

Hello Asanka

I recommend not to enable to user-id on the untrust zone. This will have  impact on performance. I dont have a number to quantify this.

Thank you

jerish

Hi,

Thank you, Jerish, for your comment. But please let me know how to get rid of the warning message I get whenever I do a commit without enabling it?

Thanks

Asanka

If you do not enable User-ID on the Untrust zone with GP enabled, you will be prompted with that warning message each time you commit.

If you'd like to get rid of the message, then you'd have to enable User Identification. It is your choice, because without enabling User-ID on the Untrust zone you will be prompted with that warning message each time.

Would it be possible to implement some kind of "ignore these messages" so you won't get warnings you already know about (since a warning forces you to read the commit popup just to find out you already knew about that warning, compared to no warning being displayed at all)?

Along with somewhere in the GUI where one could see a list of ignored warnings (and be able to re-enable that warning again)?

Hi,


At this time, the warnings generated while doing a commit cannot be removed and will be shown each time you commit to the device.

Also, there is no option to hide those warnings and re-enable them later.

The idea was to make the user aware that changes made to the configuration might impact functionality.


Regards,

Parth

I had the exact same warning a few months back. What I did was enable user-identification on the Untrust zone, but then also add 0.0.0.0/0 to the 'User-ID excluded list' in the same window. This got rid of the warning and also won't add load by trying to identify all Untrust traffic.
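The CLI form of the workaround above, added here as an illustration and not taken from the thread or from Palo Alto Networks documentation: User-ID is switched on for the Untrust zone (which silences the commit warning), and the zone's User-ID ACL excludes every source address, so the firewall performs no user-ip-mapping lookups for Internet-facing traffic. The zone name Untrust and the tunnel name come from the thread; the device prompt, the interface names (ethernet1/1, tunnel.1) and the exact `set zone ... user-acl exclude-list` syntax are assumptions based on PAN-OS CLI conventions and should be confirmed with `?` completion on your own release before committing.

```text
admin@PA-500> configure
admin@PA-500# set zone Untrust network layer3 [ ethernet1/1 tunnel.1 ]
admin@PA-500# set zone Untrust enable-user-identification yes
admin@PA-500# set zone Untrust user-acl exclude-list 0.0.0.0/0
admin@PA-500# commit
admin@PA-500# exit
admin@PA-500> show user ip-user-mapping all
```

The last command lists the user-ip mappings the firewall currently holds and is the quickest way to confirm what the change did. The trade-off to keep in mind: with 0.0.0.0/0 excluded, the zone reports no user for any source address, so rules keyed on source user will not match GlobalProtect clients whose tunnel interface sits in Untrust (the benefit Stefan's reply above describes). If that matters, narrow the exclusion to non-VPN ranges, or use `user-acl include-list` covering only the GlobalProtect client pool instead of an exclude-all entry.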
