04-09-2012 02:01 AM
Hi,
I get above machine when I try to commit. OS version is 4.1.3. Do I have to enable the user-identification on untrust interface?
Please advise
Thanks
Asanka
04-09-2012 03:10 AM
Yes, you have to enable User Identification, not only to identify your users on Inside but also to enable VPN on Outside; it is mandatory.
Regards
Samuel
04-10-2012 10:50 PM
To clarify, the message is a 'Warning' and it can be disregarded if the GlobalProtect users do not need a user-ip-mapping.
In almost all environments you will want to enable the user-identification feature on the GlobalProtect zone to receive user-ip-mappings for logged-in users. These mappings can be used for source-user-based policy and visualization in logging and reporting.
- Stefan
04-12-2012 05:59 AM
To further clarify - my understanding is that enable-user-identification on untrust is only required if you are using HIP profiles to control access for your GP users? Is that the only reason you would need to enable it?
04-15-2012 11:53 PM
Hi
Thank you for the prompt response to the issue I've posed. In general, my major concern was whether, if I enable user identification on the Untrust interface just to get rid of the annoying warning message that keeps popping up during the commit process, it is going to add extra burden to the firewall by actively trying to resolve internet addresses (since it's the Untrust interface) against my user-ip mappings stored on the appliance, retrieved via Active Directory. I am pretty much confused why I am still getting this message even after I enable user identification on the zone that my GlobalProtect VPN tunnel is bound to.
I am neither using HIP profiles to control users nor any other GlobalProtect advanced features at the moment. But I have configured GlobalProtect to do authentication through an LDAP authentication profile which points to my AD.
Thanks
Asanka
04-16-2012 10:15 AM
Hello Asanka
I recommend not to enable user-id on the untrust zone. This will have an impact on performance. I don't have a number to quantify this.
Thank you
jerish
04-17-2012 08:44 AM
Hi,
Thank you Jerish for your comment. But please let me know how to get rid of the warning message I get whenever I do the commit without enabling it?
Thanks
Asanka
04-19-2012 09:26 AM
If you do not enable UserID on the Untrust interface with GP enabled, you will be prompted with that warning message each time you commit.
If you'd like to get rid of the message, then you'd have to enable User Identification. It is your choice, because without enabling UserID on the Untrust, you will be prompted with that Warning message each time.
04-19-2012 12:56 PM
Would it be possible to implement some kind of "ignore these messages" so you won't get warnings you already know about (since a warning forces you to read the commit popup just to find out you already knew that warning - compared to if no warning at all is displayed)?
Along with somewhere in the GUI where one could see a list of ignored warnings (and be able to re-enable that warning again)?
04-19-2012 02:12 PM
Hi,
At this time, the warnings generated while doing a commit cannot be removed and would be readable each time you commit to the device.
Also, there is no option to hide those warnings and re-enable them.
The idea was to make the user aware that the changes made to the configuration might impact the functionality.
Regards,
Parth
04-26-2012 06:35 AM
I had the exact same warning a few months back, what I did was enable user-identification on the untrust zone, but then also added 0.0.0.0/0 to the 'user-id excluded list' in the same window, this got rid of the error and also won't add load by trying to identify all untrust traffic.