Endpoint Identification Profiles

Endpoint Identification identifies which IPv4 address belongs to which user. The resulting IPv4 address-to-user mapping cache provides a method of user identification for policy matching.

By default, Endpoint Identification cannot automatically identify IPv4 addresses. You must specify which IP addresses or IP address ranges Endpoint Identification uses. A source IPv4 address that is not in the ranges of the defined address objects will not work for Endpoint Identification.

If Cloud Edge cannot associate the user with an IPv4 address, Captive Portal (if enabled) can take over and authenticate the user with a web form.


Endpoint Identification mapping requires that the firewall obtain the source IPv4 address of the user before the IPv4 address is translated with NAT. If multiple users appear to have the same source address, due to NAT or use of a proxy device, accurate user identification is not possible.


IPv6 addresses cannot be used for Endpoint Identification. For IPv6 traffic, the Captive Portal page does not open and the IPv6 traffic passes.

Keep the following in mind when configuring Endpoint Identification profiles:

  • In a pure IPv4 environment, Endpoint Identification works normally.
  • In a mixed IPv4 and IPv6 environment, IPv4 traffic triggers Endpoint Identification, but IPv6 traffic does not.
  • In a pure IPv6 environment, IPv6 traffic does not trigger Endpoint Identification.
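The following coverage audit is an added example, not part of the Cloud Edge product or its documentation. It sorts observed source addresses into the cases described above: inside the defined ranges, IPv4 outside them, IPv6, and one source address shared by several users. The address objects, their CIDR and start-end notation, and the (address, user) pairs are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (assumptions): address objects as they might be entered
# in a profile, and (source address, user) pairs taken from an authentication log.
ADDRESS_OBJECTS = ["10.10.0.0/16", "192.168.50.10-192.168.50.99"]
OBSERVED = [
    ("10.10.4.20", "alice"),
    ("192.168.50.42", "bob"),
    ("192.168.60.7", "carol"),   # IPv4 outside every defined range
    ("2001:db8::15", "dave"),    # IPv6: does not trigger Endpoint Identification
    ("10.10.9.1", "erin"),
    ("10.10.9.1", "frank"),      # same source as erin: NAT or proxy in the path
]

def parse_ranges(objects):
    """Expand CIDR blocks and start-end ranges into a list of IPv4 networks."""
    nets = []
    for obj in objects:
        if "-" in obj:
            first, last = (ipaddress.IPv4Address(p.strip()) for p in obj.split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.IPv4Network(obj, strict=False))
    return nets

def audit(objects, observed):
    """Group each observed source address by how identification would treat it."""
    nets = parse_ranges(objects)
    users_by_ip = defaultdict(set)
    for addr, user in observed:
        users_by_ip[ipaddress.ip_address(addr)].add(user)
    report = {"identifiable": [], "outside_ranges": [],
              "ipv6_unidentified": [], "shared_source": []}
    for ip, users in sorted(users_by_ip.items(), key=lambda kv: (kv[0].version, kv[0])):
        if ip.version == 6:
            report["ipv6_unidentified"].append(str(ip))   # passes without a portal page
        elif not any(ip in net for net in nets):
            report["outside_ranges"].append(str(ip))      # add a range or rely on Captive Portal
        elif len(users) > 1:
            report["shared_source"].append(str(ip))       # mapping would be ambiguous
        else:
            report["identifiable"].append(str(ip))
    return report

if __name__ == "__main__":
    for bucket, addrs in audit(ADDRESS_OBJECTS, OBSERVED).items():
        print(f"{bucket}: {addrs}")
```

Addresses reported under `shared_source` indicate that identification is being attempted after NAT or behind a proxy; those under `ipv6_unidentified` are traffic that policy cannot tie to a user through this feature.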