User-ID Agent 8.0.9 RN

User‐ID™ Agent 8.
0 Release Notes
Release 8.0.9
Revision Date: May 2, 2018
Review important information about Palo Alto Networks Windows User‐ID agent 8.0 software releases,
including new features introduced in these releases, workarounds for open issues, and resolved issues. For
the most current version of these release notes, refer to the Technical Documentation portal.
For upgrade and downgrade considerations and for specific information about the upgrade path for a
firewall, refer to the Upgrade section of the PAN‐OS 8.0 New Features Guide.
User‐ID Agent 8.0 Release Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Features Introduced in User‐ID Agent 8.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Features Introduced in User‐ID Agent 8.0.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Features Introduced in User‐ID Agent 8.0.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Changes to Default Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Operating System (OS) Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
User‐ID Agent 8.0 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
User‐ID Agent 8.0.9 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
User‐ID Agent 8.0.2 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Requesting Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
© Palo Alto Networks, Inc. User‐ID Agent 8.0 Release Notes • 1
Table of Contents
2 • User‐ID Agent 8.0 Release Notes © Palo Alto Networks, Inc.
User‐ID Agent 8.0 Release Information
 Features Introduced in User‐ID Agent 8.0.1
 Changes to Default Behavior
 System Requirements
 Operating System (OS) Compatibility
 Known Issues
 User‐ID Agent 8.0 Addressed Issues
 Getting Help
Features Introduced in User‐ID Agent 8.0
Features Introduced in User‐ID Agent 8.0.1
The following feature is introduced in User‐ID Agent 8.0.1.
New User‐ID Agent Description
Feature
AirWatch MDM The Windows‐based User‐ID agent 8.0.1 release supports a new AirWatch MDM

Integration Integration service. This service enables GlobalProtect to use the host information
that the AirWatch service collects to enforce HIP‐based policies on devices managed
by AirWatch. As part of the User‐ID agent, the AirWatch MDM integration service
uses the AirWatch API to collect information from mobile devices that are managed
by VMware AirWatch and then translate this data into host information.
Features Introduced in User‐ID Agent 8.0 User‐ID Agent 8.0 Release Information
Features Introduced in User‐ID Agent 8.0.0
The following features are introduced in User‐ID Agent 8.0.0.
New User-ID Agent Description

Feature
Centralized Deployment You can now use endpoint management software such as Microsoft SCCM to remotely

and Management of install, configure, and upgrade multiple Windows‐based User‐ID agents and Terminal
User-ID and TS Agents Services (TS) agents in a single operation. Using endpoint management software
streamlines your workflow by enabling you to deploy and configure numerous User‐ID
and TS agents through an automated process instead of using a manual login session for
each agent.
User-ID Syslog The following enhancements improve the accuracy of User‐ID mappings and simplify

Monitoring monitoring of syslog servers for mapping information:
Enhancements • Remove IP address‐to‐username mappings through logout events—To improve the
accuracy of your user‐based policies and reports, the firewall can now use syslog
monitoring to detect when users have logged out and then delete the associated
User‐ID mappings.
• Multiple syslog formats—In environments with multiple points of authentication
sending syslog messages in different formats, it is now easier to monitor login and
logout events because the firewall can ingest multiple formats from a syslog server that
is aggregating input from various sources.
Configure Windows User Beginning with User‐ID agent 8.0, you can assign a custom certificate to Windows‐based

ID agent with your User‐ID agents from your enterprise PKI. This enables the firewall to confirm the identity
Enterprise Signed PKI of a Windows‐based User‐ID agent before accepting User‐ID information from the agent.
Certificate You deploy a custom certificate on the Windows‐based User‐ID agent and a certificate
profile on the firewall—one that contains the CA of the certificate—to establish a unique
trust chain between the two devices.
Additionally, this feature reintroduces support for XML API on Windows‐based User‐ID
agents.
User‐ID Agent 8.0 Release Information Changes to Default Behavior
Changes to Default Behavior
There are no changes to default behavior in this release.
System Requirements
The system where you install the User‐ID agent has the following minimum requirements:
 CPU—4 cores
 Hard disk space—10MB
 Memory—4GB RAM
Operating System (OS) Compatibility
You can install a User‐ID agent 8.0 release on a system running supported OS versions on host computers
and then connect the User‐ID agent to a directory server that is running a supported OS version to allow the
agent to monitor and obtain IP address‐to‐username mapping information.
The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by
Palo Alto Networks. To see where you can install the User‐ID agent and which servers it can monitor, see
additional compatibility information in the Palo Alto Networks® Compatibility Matrix.
Known Issues User‐ID Agent 8.0 Release Information
Known Issues
The following table describes known issues in the User‐ID agent 8.0 Release.
For recent updates to known issues for a given PAN‐OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/Critical‐Issues‐Addressed‐in‐PAN‐OS‐Releases/ta‐p/52882.
Issue ID Description
WINAGENT-244 The Windows‐based User‐ID agent does not detect users whose account name
This issue is now resolved. (sAMAccountName) contains a dollar ($) character that isn't at the end of the name.
See User-ID Agent 8.0.8
Addressed Issues.
WINAGENT-142 Test Connection (MDM Integration > Setup > Test Connection) for the MDM integration
This issue is now resolved. service returns a Test Failed message even when the integration service successfully
See User-ID Agent 8.0.2 connects to the AirWatch MDM service.
Addressed Issues. Workaround: Refer to the top‐level MDM Integration tab to view the correct connection
status.
WINAGENT-141 The MDM integration service of the Windows‐based User‐ID agent rejects connections
This issue is now resolved. from MDM event notification service if the IP Address of the MDM event notification
See User-ID Agent 8.0.3 service is not configured as a Permitted IP address (MDM Integration > Setup > Permitted
Addressed Issues. IP).
WINAGENT-133 The Windows‐based User‐ID agent has a memory leak while running the MDM
This issue is now resolved. Integration Service.
Addressed Issues.
WINAGENT-122 The Windows‐based User‐ID agent frequently resets its connection with a syslog sender,
This issue is now resolved. causing the sender to generate numerous connection failure logs and associated alerts.
Addressed Issues.
WINAGENT-109 The Windows‐based User‐ID agent attempts to contact the certificate store on the agent
This issue is now resolved. even though this step is not necessary when hashes match. As a result, authentication fails
See User-ID Agent 8.0.1 even for matching hash‐es when the certificate store on the agent is inaccessible.
Addressed Issues.
WINAGENT-90 The Windows‐based User‐ID agent running the MDM integration service can fail during
This issue is now resolved. startup and require a restart. This issue is caused by a Windows module (webio.dll)
See User-ID Agent 8.0.1 that faults and appears in Windows Event Viewer > Applications.
Addressed Issues.
WINAGENT-65 When the PAN‐OS XML API sends user mappings with no timeout value to a
This issue is now resolved. Windows‐based User‐ID agent, the agent sets the mappings timeout to never instead of
See User-ID Agent 8.0.2 applying the User Identification Timeout setting.
Addressed Issues.
User‐ID Agent 8.0 Addressed Issues
The following tables list the issues that are addressed in the Windows‐based User‐ID™ agent 8.0 releases.
For new features, associated software versions, known issues, or changes in default behavior, see User‐ID
Agent 8.0 Release Information.
 User‐ID Agent 8.0.9 Addressed Issues
User‐ID Agent 8.0.9 Addressed Issues
WINAGENT-355 Fixed an issue where a firewall integrated with the AirWatch Mobile Device Manager
(MDM) for GlobalProtect couldn't process Host Information Profile (HIP) reports that
it received from the Windows‐based User‐ID agent.
WINAGENT-312 Fixed an issue where the Windows‐based User‐ID agent stopped responding after it
connected to a Novell eDirectory server.
WINAGENT-304 Fixed an issue where the User‐ID credential service couldn't initiate password
replication for users whose common name (CN) contained a comma (",") or equal ("=")
character followed by a space.
WINAGENT-244 Fixed an issue where the Windows‐based User‐ID agent didn’t detect users whose
account name (sAMAccountName) contained a dollar ($) character that wasn't at the
end of the name.
WINAGENT-314 Fixed an issue where the Windows‐based User‐ID agent overrode usernames with
machine names in IP address‐to‐username mappings.
WINAGENT-263 Fixed an issue where starting the Windows‐based User‐ID agent caused CPU and
memory usage to spike on the host server. On a host server with less than 4GB of
RAM, the spike caused the User‐ID agent to lose connectivity.
WINAGENT-206 Fixed an issue where the Windows‐based User‐ID service displayed a credentials
error when an administrator tried to Commit changes after another administrator
configured a password for the User‐ID agent on the same Windows server.
WINAGENT-163 As an enhancement for collecting information about AirWatch‐managed endpoints,
the Host Information Profile (HIP) data that Windows‐based User‐ID agents send to
the GlobalProtect gateway now include the endpoint compliance status (compliant,
non‐compliant, or not available) and ownership information (employee owned,
corporate‐dedicated, or corporate‐shared).
WINAGENT-58 Fixed an issue where the Properties dialog (Windows) for the UaController.exe file
displayed the incorrect file version.
WINAGENT-243 Fixed an issue on the Windows‐based User‐ID agent where the MDM integration
service for VMware AirWatch stopped running while processing large host
information profile (HIP) reports. With this fix, the MDM integration service supports
HIP reports of up to 50KB; when necessary, GlobalProtect truncates the applications
list to ensure the report size remains within the maximum size.
WINAGENT-224 Fixed an issue where firewalls running PAN‐OS 6.1 could not connect to
Windows‐based User‐ID agents 8.0.4 and earlier versions because the agents did not
allow TLSv1.0 connections. With this fix, Windows‐based User‐ID agents 8.0.5 and
later versions allow TLSv1.0 connections with firewalls running PAN‐OS 6.1.
WINAGENT-220 Fixed an issue where the firewall incorrectly blocked URLs due to a higher than
expected rate of false positives when users entered non‐corporate passwords to
access websites after you configured the Windows‐based User‐ID agent to detect
credential submissions (User Identification > Setup > Edit > Credentials).
Issue Identifier Description
WINAGENT-34 Fixed an issue where the Windows User‐ID agent allowed weak ciphers for SSL/TLS
connections. With this fix, the Windows User‐ID agent allows only the following
ciphers for SSL/TLS connections:
• ECDHE‐ECDSA‐AES256‐GCM‐SHA384
• ECDHE‐RSA‐AES256‐GCM‐SHA384
• ECDHE‐RSA‐AES128‐GCM‐SHA256
• ECDHE‐ECDSA‐AES256‐SHA384
• ECDHE‐ECDSA‐AES128‐SHA256
• DHE‐RSA‐AES256‐SHA256
• DHE‐RSA‐AES128‐SHA256
• ECDHE‐RSA‐AES256‐SHA
• ECDHE‐ECDSA‐AES256‐SHA
• ECDHE‐RSA‐AES128‐SHA
• ECDHE‐ECDSA‐AES128‐SHA
• DHE‐RSA‐AES256‐SHA
• DHE‐RSA‐AES128‐SHA
• AES256‐SHA256
• AES256‐SHA
• AES128‐SHA256
• AES128‐SHA
WINAGENT-141 Fixed an issue where the MDM integration service of the Windows‐based User‐ID
agent rejected connections from the MDM event notification service when you did
not configure the IP address of the MDM event notification service as a Permitted
IP address (MDM Integration > Setup > Permitted IP).
PAN-68824 Fixed an issue where the Windows‐based User‐ID agent performed IP
address‐to‐username mapping for user accounts that were in the Ignore User list
(ignore_user_list.txt).
WINAGENT-142 Fixed an issue where the Test Connection option for the MDM integration service

returned a Test Failed message even when the integration service successfully
connected to the AirWatch MDM service (MDM Integration > Setup > Test
Connection).
WINAGENT-122 Fixed an issue where the Windows‐based User‐ID agent frequently reset its
connection with a syslog sender, causing the sender to generate numerous
connection failure logs and associated alerts.
WINAGENT-65 Fixed an issue where, when the PAN‐OS XML API sent user mappings with no
timeout value to a Windows‐based User‐ID agent, the agent set the mappings
timeout to never instead of applying the User Identification Timeout setting.
WINAGENT-133 Fixed an issue where the Windows‐based User‐ID agent had a memory leak while
running the MDM Integration Service.
WINAGENT-109 Fixed an issue where the Windows‐based User‐ID agent attempted to access the
certificate store on the agent even when hashes match, which caused authentication
to fail even for matching hashes if the certificate store on the agent was inaccessible.
WINAGENT-90 Fixed an issue where a Windows‐based User‐ID Agent running the MDM Integration
Service failed during startup due to a Windows module fault and required a restart.
PAN-60400 Fixed an issue where the username displayed as a concatenated string (username+IP
address) when learned from the User‐ID agent instead of through the firewall. With
this fix, the username displays correctly (without IP address).

Getting Help
The following topics provide information on where to find more about our products and how to request
support:
 Related Documentation
 Requesting Support
Related Documentation
Refer to the following documents on the Technical Documentation portal at
https://www.paloaltonetworks.com/documentation for more information about the Palo Alto
Next‐Generation Security Platform:
 PAN‐OS Administrator's Guide—Provides the concepts and solutions to get the most out of your Palo
Alto Networks next‐generation firewalls. This includes taking you through the initial configuration and
basic set up on your Palo Alto Networks firewalls.
 Palo Alto Networks Web Interface Reference Guide—Describes how to administer the Palo Alto
Networks firewall using the device's web interface. The guide is intended for system administrators
responsible for deploying, operating, and maintaining the firewall.
 Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next‐generation firewalls, appliances, and agents, including where
you can install the User‐ID agent and which servers it can monitor.

Getting Help
Requesting Support
 For contacting support, for information on support programs, to manage your account or devices, or to
open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
 For the most current PAN‐OS and Panorama 8.0 release notes, go to
https://www.paloaltonetworks.com/documentation/80/pan‐os/pan‐os‐release‐notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact‐support
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017–2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of
our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks
mentioned herein may be trademarks of their respective companies.
Revision Date: May 2, 2018

User-ID Agent 8.0.9 RN

Încărcat de

Informații document

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

User-ID Agent 8.0.9 RN

Încărcat de

Drepturi de autor:

Formate disponibile

User‐ID™ Agent 8.

AirWatch MDM The Windows‐based User‐ID agent 8.0.1 release supports a new AirWatch MDM

New User-ID Agent Description

Centralized Deployment You can now use endpoint management software such as Microsoft SCCM to remotely

User-ID Syslog The following enhancements improve the accuracy of User‐ID mappings and simplify

Configure Windows User Beginning with User‐ID agent 8.0, you can assign a custom certificate to Windows‐based

WINAGENT-142 Fixed an issue where the Test Connection option for the MDM integration service

10 • User‐ID Agent 8.0 Release Notes © Palo Alto Networks, Inc.

© Palo Alto Networks, Inc. User‐ID Agent 8.0 Release Notes • 11

12 • User‐ID Agent 8.0 Release Notes © Palo Alto Networks, Inc.

S-ar putea să vă placă și