@BPry, @aleksandar.astardzhiev Dear all. Thanks for your answers!

To be honest, I was reading the Best Practices article for securing User-ID, and in many other places in the PA doc they warn not to enable User-ID in Internet / Untrusted zones. Having a closer look, the possible issue seems to be related more to WMI probing (which is not enabled in my case)... Brute force attacks should not be a problem, since this is an OTP SecurID access that I would use in my Authentication Policy rule (BTW, I tested it from a DMZ zone, and I know that it works fine).

Still, reading your answers, enabling User-ID in the Internet / Untrusted zone does not seem to be a problem in your eyes. Or am I mistaken, and is there another way to have an attached Authentication Policy Rule without enabling User-ID for the Zone?

My second issue is regarding the Captive Portal Redirect Host and SSL Service Profile... I originally built it for "Internal" use, and because there's only one Captive Portal setup I will have to re-create a proper Redirect Host / SSL Service Profile / Split DNS setup to have it accessible internally and externally.

Thanks again for your suggestions.

Regards.
R.