User-ID™ Agent 8.1 Release Notes
Release 8.1.2

paloaltonetworks.com/documentation

Contact Information

Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation

• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at documentation@paloaltonetworks.com.

Copyright

Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2018-2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
July 16, 2018

Table of Contents

User-ID Agent 8.1 Release Information
    Features Introduced in User-ID Agent 8.1
    Changes to Default Behavior
    System Requirements
    Operating System (OS) Compatibility
    Known Issues
    User-ID Agent 8.1 Addressed Issues
        User-ID Agent 8.1.2 Addressed Issues
        User-ID Agent 8.1.1 Addressed Issues
        User-ID Agent 8.1.0 Addressed Issues
Getting Help
    Related Documentation
    Requesting Support

User-ID Agent 8.1 Release Information

Revision Date: July 16, 2018

Review important information about Palo Alto Networks® Windows-based User-ID™ agent software, including new features introduced, workarounds for open issues, and issues that are addressed in User-ID agent 8.1 releases.

To ensure that you are viewing the most current version of these Release Notes, always defer to the web version; do not store or rely on PDFs to be current after you download them.

> Features Introduced in User-ID Agent 8.1
> Changes to Default Behavior
> System Requirements
> Operating System (OS) Compatibility
> Known Issues
> User-ID Agent 8.1 Addressed Issues
> Getting Help

Features Introduced in User-ID Agent 8.1

The Windows-based User-ID™ Agent 8.1 release includes the following new feature.

| New User-ID Agent Feature | Description |
| --- | --- |
| Support for Multiple Username Formats | When a user logs on to multiple services with different usernames, User-ID sources send these usernames in multiple formats (for example, jane.doe@domain.com, DOMAIN\jdoe, and jdoe). In this case, it can be difficult to uniquely identify the user. To help you identify and consistently enforce policy for these users, you can now configure the firewall to fetch multiple attributes from an LDAP-compliant directory. For more information, refer to the PAN-OS® 8.1 New Features Guide. |

Changes to Default Behavior

The Windows-based User-ID™ Agent 8.1 release has the following changes to default behavior.

| Feature | Change |
| --- | --- |
| Support for Multiple Username Formats | • Since multiple username attributes are supported, you must select the Primary Username attribute that you want to use for user identification. • Previously, the firewall normalized usernames received from User-ID sources (such as an LDAP directory) to the domain\username format. In PAN-OS® 8.1, when the Primary Username is in UPN format, it will not be normalized as in previous PAN-OS versions. As a result, usernames are displayed in their original format (for example, username@domain). |

System Requirements

The system where you install the Windows-based User-ID™ agent 8.1 release has the following minimum requirements:

• CPU—4 cores
• Hard disk space—10MB
• Memory—4GB RAM

Operating System (OS) Compatibility

You can install a Windows-based User-ID™ agent 8.1 release on a host computer that is running a supported OS version and then connect the User-ID agent to a directory server that is also running a supported OS version to enable the agent to monitor and obtain IP address-to-username mapping information. The User-ID agent is compatible with PAN-OS® 8.1 and earlier PAN-OS releases that Palo Alto Networks® still supports.

To see where you can install the User-ID agent and which servers it can monitor, see additional compatibility information in the Palo Alto Networks Compatibility Matrix.

Known Issues

The following table describes known issues in the Windows-based User-ID™ agent 8.1 release. For recent updates to known issues for a given PAN-OS® release, refer to https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/tap/52882.

| Issue ID | Description |
| --- | --- |
| WINAGENT-398 | When the User-ID agent restarts, it loads the existing IP address-to-username mappings but with an incorrect username value if the username has a space. The ability to fetch IP address-to-username mappings from AD or other sources is not impacted even when usernames have a space. |
| WINAGENT-269 | After receiving machine account names in UPN format from a Windows-based User-ID agent, the firewall misidentifies them as user accounts and overrides usernames with machine names in IP address-to-username mappings. This issue is now resolved. See User-ID Agent 8.1.1 Addressed Issues. |

User-ID Agent 8.1 Addressed Issues

The following tables list the issues that are fixed in Windows-based User-ID™ agent 8.1 releases.
For new features, associated software versions, known issues, or changes in default behavior, see User-ID Agent 8.1 Release Information.

• User-ID Agent 8.1.2 Addressed Issues
• User-ID Agent 8.1.1 Addressed Issues
• User-ID Agent 8.1.0 Addressed Issues

For recent updates to addressed issues for a given PAN-OS® release, refer to https://live.paloaltonetworks.com/t5/Articles/Critical-Issues-Addressed-in-PAN-OS-Releases/tap/52882.

User-ID Agent 8.1.2 Addressed Issues

| Issue | Description |
| --- | --- |
| WINAGENT-355 | Fixed an issue where a firewall integrated with the AirWatch Mobile Device Manager (MDM) for GlobalProtect™ couldn't process Host Information Profile (HIP) reports received from the Windows-based User-ID agent. |
| WINAGENT-343 | Fixed an issue where the User-ID credential agent failed to recognize users that were included in the Domain Users group after adding the group to the Allowed RODC Password Replication Group. With this fix, the group ID is correctly added to the LDAP query and the agent correctly recognizes users in the Domain Users group. |
| WINAGENT-301 | Fixed an issue where the User-ID agent incorrectly added a backslash ("\") character when mapping and sending a username (with no associated domain) to the firewall. |

User-ID Agent 8.1.1 Addressed Issues

| Issue | Description |
| --- | --- |
| WINAGENT-269 | Fixed an issue where, after receiving machine account names in UPN format from a Windows-based User-ID agent, the firewall misidentified them as user accounts and overrode usernames with machine names in IP address-to-username mappings. |
| WINAGENT-224 | Fixed an issue where firewalls running PAN-OS 6.1 couldn’t connect to Windows-based User-ID agent 8.1.0 because the agent didn’t allow TLSv1.0 connections. With this fix, User-ID agent 8.1.1 and later versions allow TLSv1.0 connections with firewalls running PAN-OS 6.1. |

User-ID Agent 8.1.0 Addressed Issues

The Windows-based User-ID Agent 8.1.0 release has no addressed issues.

Getting Help

The following topics provide information on where to find more about our products and how to request support:

> Related Documentation
> Requesting Support

Related Documentation

Refer to the following PAN-OS® 8.1 documentation on the Technical Documentation portal at https://www.paloaltonetworks.com/documentation for more information about the Palo Alto Networks® Next-Generation Security Platform:

• PAN-OS 8.1 Administrator’s Guide—Provides the concepts and solutions to get the most out of your Palo Alto Networks next-generation firewalls. This includes taking you through the initial configuration and basic set up on your Palo Alto Networks firewalls.
• PAN-OS 8.1 Web Interface Reference Guide—Describes how to administer the Palo Alto Networks firewall using the web interface. The guide is intended for system administrators responsible for deploying, operating, and maintaining the firewall.
• Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility information for Palo Alto Networks next-generation firewalls, appliances, and agents, including where you can install the User-ID™ agent and which servers it can monitor.

Requesting Support

For contacting support, for information on support programs, to manage your account or appliances, or to open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN-OS® and Panorama™ 8.1 release notes, go to https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os-release-notes.html.

To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.