Learn about the new User-ID™ features in PAN-OS 9.1.
New User-ID Feature
Include Username in HTTP Header Insertion
Allows the firewall to relay a user’s identity
when they are accessing your network through secondary security
appliances that are connected to your Palo Alto Networks firewall.
You can configure your firewall to include the username in the HTTP header
so that other security appliances in your network can identify the
user without additional infrastructure (such as proxies used to
insert the username). This simplifies deployment, reduces page-load
latency, and eliminates multiple authentications for users.
Dynamic User Groups
You can now use tags to dynamically group
users and automate security, decryption, or authentication actions
for the group based on user behavior (such as downloading risky software).
You can gather information from security sources such as Cortex
XDR, User and Entity Behavior Analytics (UEBA), or Security Information
and Event Management (SIEM) and use that data to determine a user’s
risk level. By using these sources to gain a more comprehensive
view of the user’s risk level than provided by directory attributes,
the firewall can now interpret user and device information to define
user groups that mitigate threats and vulnerabilities regardless
of the user’s device or location. These tag-based groups can also
provide temporary access for users who need temporary privilege escalation
to fix an issue on a production system they wouldn’t normally have
access to without requiring you to create rules or modify directories.