1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. User-ID Features
    5. User Group Capacity Increase
    Previous
    Next
    On PA-5060 and PA-7000 Series firewalls that are configured without multiple virtual systems (feature is disabled), you can now base policies on up to 3,200 distinct user groups instead of 640. This ensures continued security on networks that use a large number of groups to control access to resources.
    Configure a Group-Based Policy Rule on a PA-5060 or PA-7000 Series Firewall
    Disable the multiple virtual systems capability if it is currently enabled. Select Device > Setup > Management and edit the General Settings. Clear Multi Virtual System Capability and click OK.
    Add an LDAP server profile. Select Device > Server Profiles > LDAP, click Add, and enter a Profile Name. For each LDAP server (up to four), click Add and enter the server Name, IP address ( LDAP Server), and Port (default is 389). Select the Type of servers you added (for example, active-directory); all servers in any single LDAP server profile must be the same Type. Click OK.
    Configure group mapping. Select Device > User Identification > Group Mapping Settings and click Add. Enter a unique Name to identify the group mapping configuration. Configure the Server Profile settings: Select the LDAP Server Profile you just created. Select Enabled (default). Do not add entries to the Group Include List or Custom Group list—doing so limits the number of groups that policy rules can reference. Populated lists can have a combined maximum of only 640 groups but, by default, leaving the lists empty enables policy rules to reference up to a maximum of 3,200 groups. Click OK.
    Enable User-ID on the source zones that contain the users who will request resources that are subject to group-based access control. Select Network > Zones and click the zone Name to edit the zone. Select Enable User Identification and click OK.
    Configure a group-based policy rule. Perform these steps for each rule that references user groups. Collectively, all the rules of all policy types on the firewall can reference up to 3,200 distinct groups. Select Policies > Security and click Add. Enter a Name to identify the rule. Select the User tab and, for each user group to match in the rule, click Add in the Source User section and select the group. Configure the rest of the rule as appropriate. Click OK and Commit. If you later decide to enable multiple virtual systems on the firewall that you configured in this procedure, you must first reduce the number of distinct groups to 640. After you enable and add multiple virtual systems, the policies can then reference another 640 groups for each additional virtual system.
    Previous
    Next

    Related Documentation

    Enable Group Mapping

    Enable Group Mapping Because the agent or app running on your end-user systems requires the user to successfully authenticate before being granted access to GlobalProtect, ...

    Device > Setup > Management

    Device > Setup > Management Device > Setup > Management Panorama > Setup > Management On a firewall, select Device > Setup > Management to ...

    Device > User Identification > Group Mapping Settings

    Device > User Identification > Group Mapping Settings To base security policies on user or group, the firewall must retrieve the list of groups and ...

    Upgrade/Downgrade Considerations

    Upgrade/Downgrade Considerations Table: PAN-OS 7.1 Upgrade/Downgrade Considerations lists the new features that have upgrade or downgrade impacts. Make sure you understand all potential changes before ...

    Remote Access VPN with Pre-Logon

    Remote Access VPN with Pre-Logon Pre-logon is a connect method that establishes a VPN tunnel before a user logs in. The purpose of pre-logon is ...

    Device > Server Profiles > LDAP

    Device > Server Profiles > LDAP Device > Server Profiles > LDAP Panorama > Server Profiles > LDAP Select Device > Server Profiles > LDAP ...

    Policies > Security

    Policies > Security Security policies reference security zones and enable you to allow, restrict, and track traffic on your network based on the application, user ...

    Use Case: Configure Firewalls Using Panorama

    Use Case: Configure Firewalls Using Panorama Let’s say that you want to use Panorama in a high availability configuration to manage a dozen firewalls on ...

    Device > Authentication Profile

    Device > Authentication Profile Device > Authentication Profile Panorama > Authentication Profile Select Device > Authentication Profile or Panorama > Authentication Profile to configure authentication ...

    Define Policies on the NSX Manager

    Define Policies on the NSX Manager In order for the VM-Series firewall to secure the traffic, you must complete the following tasks: Set Up Security ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo