User Group Capacity Increase
On PA-5060 and PA-7000 Series firewalls that are configured without multiple virtual systems (feature is disabled), you can now base policies on up to 3,200 distinct user groups instead of 640. This ensures continued security on networks that use a large number of groups to control access to resources.
Configure a Group-Based Policy Rule on a PA-5060 or PA-7000 Series Firewall
Disable the multiple virtual systems capability if it is currently enabled. Select Device > Setup > Management and edit the General Settings. Clear Multi Virtual System Capability and click OK.
Add an LDAP server profile. Select Device > Server Profiles > LDAP, click Add, and enter a Profile Name. For each LDAP server (up to four), click Add and enter the server Name, IP address ( LDAP Server), and Port (default is 389). Select the Type of servers you added (for example, active-directory); all servers in any single LDAP server profile must be the same Type. Click OK.
Configure group mapping. Select Device > User Identification > Group Mapping Settings and click Add. Enter a unique Name to identify the group mapping configuration. Configure the Server Profile settings: Select the LDAP Server Profile you just created. Select Enabled (default). Do not add entries to the Group Include List or Custom Group list—doing so limits the number of groups that policy rules can reference. Populated lists can have a combined maximum of only 640 groups but, by default, leaving the lists empty enables policy rules to reference up to a maximum of 3,200 groups. Click OK.
Enable User-ID on the source zones that contain the users who will request resources that are subject to group-based access control. Select Network > Zones and click the zone Name to edit the zone. Select Enable User Identification and click OK.
Configure a group-based policy rule. Perform these steps for each rule that references user groups. Collectively, all the rules of all policy types on the firewall can reference up to 3,200 distinct groups. Select Policies > Security and click Add. Enter a Name to identify the rule. Select the User tab and, for each user group to match in the rule, click Add in the Source User section and select the group. Configure the rest of the rule as appropriate. Click OK and Commit. If you later decide to enable multiple virtual systems on the firewall that you configured in this procedure, you must first reduce the number of distinct groups to 640. After you enable and add multiple virtual systems, the policies can then reference another 640 groups for each additional virtual system.

Related Documentation