You can now relay user mapping information from
one firewall to another in a sequence of up to ten hops instead
of one. This increase in the relay sequence enables you to redistribute
mapping information in a network that has hundreds of user identification
sources or that has users who rely on local sources for authentication
(for example, regional directory services) but who need access to
remote resources (for example, global data center applications).

Ignore User List Configurable in Web Interface

For the PAN-OS integrated User-ID agent, you
can now use the firewall web interface as an alternative to the
CLI to configure the ignore user list,
which specifies the user accounts that don’t require IP address-to-username
mapping (for example, kiosk accounts). Using the web interface is
easier and reduces the chance of errors that might compromise the
enforcement of user-based policies.

User Group Capacity Increase

On a PA-5060 or PA-7000 Series firewall with
a single virtual system, you can now base policies on up to 3,200
distinct user groups instead of 640. This ensures continued
security on networks that use a large number of groups to control
access to resources.