I am running into an issue with Global Protect users due to remoting into other machines with other credentials. I have read extensive articles about the issue and understand that the firewall can only map one user name to an IP. That appears to be exactly what is happening., A user logs in and has internal connectivity, then logs into an RDP session. After logout that user has no connectivity due to the mapping being retained to the admin or service account. From what I gather, I need to exclude those accounts from user mapping. My uncertainty is in our setup. Our internal firewall has a server monitoring setup with all the remote DC's showing connected (Device / User Identification / User Mapping Tab / Server Monitoring). Each remote firewall under (Device / User Identification / User-Id Agents tab) has a mapping to the internal firewall. What I am looking for clarification on is whether I need to create the ignore user list on the internal firewall or each individual firewall. I would assume it would be the internal firewall but not 100 percent sure on this. Any help would be appreciated.