Documente Academic
Documente Profesional
Documente Cultură
0 Release Notes
Release 8.0.9
Revision Date: May 2, 2018
Review important information about Palo Alto Networks Windows User‐ID agent 8.0 software releases,
including new features introduced in these releases, workarounds for open issues, and resolved issues. For
the most current version of these release notes, refer to the Technical Documentation portal.
For upgrade and downgrade considerations and for specific information about the upgrade path for a
firewall, refer to the Upgrade section of the PAN‐OS 8.0 New Features Guide.
User‐ID Agent 8.0 Release Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Features Introduced in User‐ID Agent 8.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Features Introduced in User‐ID Agent 8.0.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Features Introduced in User‐ID Agent 8.0.0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Changes to Default Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Operating System (OS) Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Known Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
User‐ID Agent 8.0 Addressed Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
User‐ID Agent 8.0.9 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
User‐ID Agent 8.0.8 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
User‐ID Agent 8.0.7 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
User‐ID Agent 8.0.6 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
User‐ID Agent 8.0.5 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
User‐ID Agent 8.0.4 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
User‐ID Agent 8.0.3 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
User‐ID Agent 8.0.2 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
User‐ID Agent 8.0.1 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
User‐ID Agent 8.0.0 Addressed Issues. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Getting Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Requesting Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
© Palo Alto Networks, Inc. User‐ID Agent 8.0 Release Notes • 1
Table of Contents
2 • User‐ID Agent 8.0 Release Notes © Palo Alto Networks, Inc.
User‐ID Agent 8.0 Release Information
Features Introduced in User‐ID Agent 8.0.1
Features Introduced in User‐ID Agent 8.0.0
Changes to Default Behavior
System Requirements
Operating System (OS) Compatibility
Known Issues
User‐ID Agent 8.0 Addressed Issues
Getting Help
Features Introduced in User‐ID Agent 8.0
Features Introduced in User‐ID Agent 8.0.1
Features Introduced in User‐ID Agent 8.0.0
Features Introduced in User‐ID Agent 8.0.1
The following feature is introduced in User‐ID Agent 8.0.1.
New User‐ID Agent Description
Feature
© Palo Alto Networks, Inc. User‐ID Agent 8.0 Release Notes • 3
Features Introduced in User‐ID Agent 8.0 User‐ID Agent 8.0 Release Information
Features Introduced in User‐ID Agent 8.0.0
The following features are introduced in User‐ID Agent 8.0.0.
4 • User‐ID Agent 8.0 Release Notes © Palo Alto Networks, Inc.
User‐ID Agent 8.0 Release Information Changes to Default Behavior
Changes to Default Behavior
There are no changes to default behavior in this release.
System Requirements
The system where you install the User‐ID agent has the following minimum requirements:
CPU—4 cores
Hard disk space—10MB
Memory—4GB RAM
Operating System (OS) Compatibility
You can install a User‐ID agent 8.0 release on a system running supported OS versions on host computers
and then connect the User‐ID agent to a directory server that is running a supported OS version to allow the
agent to monitor and obtain IP address‐to‐username mapping information.
The User‐ID agent is compatible with PAN‐OS 8.0 and earlier PAN‐OS releases that are still supported by
Palo Alto Networks. To see where you can install the User‐ID agent and which servers it can monitor, see
additional compatibility information in the Palo Alto Networks® Compatibility Matrix.
© Palo Alto Networks, Inc. User‐ID Agent 8.0 Release Notes • 5
Known Issues User‐ID Agent 8.0 Release Information
Known Issues
The following table describes known issues in the User‐ID agent 8.0 Release.
For recent updates to known issues for a given PAN‐OS release, refer to
https://live.paloaltonetworks.com/t5/Articles/Critical‐Issues‐Addressed‐in‐PAN‐OS‐Releases/ta‐p/52882.
Issue ID Description
WINAGENT-244 The Windows‐based User‐ID agent does not detect users whose account name
This issue is now resolved. (sAMAccountName) contains a dollar ($) character that isn't at the end of the name.
See User-ID Agent 8.0.8
Addressed Issues.
WINAGENT-142 Test Connection (MDM Integration > Setup > Test Connection) for the MDM integration
This issue is now resolved. service returns a Test Failed message even when the integration service successfully
See User-ID Agent 8.0.2 connects to the AirWatch MDM service.
Addressed Issues. Workaround: Refer to the top‐level MDM Integration tab to view the correct connection
status.
WINAGENT-141 The MDM integration service of the Windows‐based User‐ID agent rejects connections
This issue is now resolved. from MDM event notification service if the IP Address of the MDM event notification
See User-ID Agent 8.0.3 service is not configured as a Permitted IP address (MDM Integration > Setup > Permitted
Addressed Issues. IP).
WINAGENT-133 The Windows‐based User‐ID agent has a memory leak while running the MDM
This issue is now resolved. Integration Service.
See User-ID Agent 8.0.1
Addressed Issues.
WINAGENT-122 The Windows‐based User‐ID agent frequently resets its connection with a syslog sender,
This issue is now resolved. causing the sender to generate numerous connection failure logs and associated alerts.
See User-ID Agent 8.0.2
Addressed Issues.
WINAGENT-109 The Windows‐based User‐ID agent attempts to contact the certificate store on the agent
This issue is now resolved. even though this step is not necessary when hashes match. As a result, authentication fails
See User-ID Agent 8.0.1 even for matching hash‐es when the certificate store on the agent is inaccessible.
Addressed Issues.
WINAGENT-90 The Windows‐based User‐ID agent running the MDM integration service can fail during
This issue is now resolved. startup and require a restart. This issue is caused by a Windows module (webio.dll)
See User-ID Agent 8.0.1 that faults and appears in Windows Event Viewer > Applications.
Addressed Issues.
WINAGENT-65 When the PAN‐OS XML API sends user mappings with no timeout value to a
This issue is now resolved. Windows‐based User‐ID agent, the agent sets the mappings timeout to never instead of
See User-ID Agent 8.0.2 applying the User Identification Timeout setting.
Addressed Issues.
6 • User‐ID Agent 8.0 Release Notes © Palo Alto Networks, Inc.
User‐ID Agent 8.0 Addressed Issues
The following tables list the issues that are addressed in the Windows‐based User‐ID™ agent 8.0 releases.
For new features, associated software versions, known issues, or changes in default behavior, see User‐ID
Agent 8.0 Release Information.
User‐ID Agent 8.0.9 Addressed Issues
User‐ID Agent 8.0.8 Addressed Issues
User‐ID Agent 8.0.7 Addressed Issues
User‐ID Agent 8.0.6 Addressed Issues
User‐ID Agent 8.0.5 Addressed Issues
User‐ID Agent 8.0.4 Addressed Issues
User‐ID Agent 8.0.3 Addressed Issues
User‐ID Agent 8.0.2 Addressed Issues
User‐ID Agent 8.0.1 Addressed Issues
User‐ID Agent 8.0.0 Addressed Issues
User‐ID Agent 8.0.9 Addressed Issues
Issue ID Description
WINAGENT-355 Fixed an issue where a firewall integrated with the AirWatch Mobile Device Manager
(MDM) for GlobalProtect couldn't process Host Information Profile (HIP) reports that
it received from the Windows‐based User‐ID agent.
WINAGENT-312 Fixed an issue where the Windows‐based User‐ID agent stopped responding after it
connected to a Novell eDirectory server.
WINAGENT-304 Fixed an issue where the User‐ID credential service couldn't initiate password
replication for users whose common name (CN) contained a comma (",") or equal ("=")
character followed by a space.
User‐ID Agent 8.0.8 Addressed Issues
Issue ID Description
WINAGENT-244 Fixed an issue where the Windows‐based User‐ID agent didn’t detect users whose
account name (sAMAccountName) contained a dollar ($) character that wasn't at the
end of the name.
© Palo Alto Networks, Inc. User‐ID Agent 8.0 Release Notes • 7
User‐ID Agent 8.0 Addressed Issues
User‐ID Agent 8.0.7 Addressed Issues
Issue ID Description
WINAGENT-314 Fixed an issue where the Windows‐based User‐ID agent overrode usernames with
machine names in IP address‐to‐username mappings.
User‐ID Agent 8.0.6 Addressed Issues
Issue ID Description
WINAGENT-263 Fixed an issue where starting the Windows‐based User‐ID agent caused CPU and
memory usage to spike on the host server. On a host server with less than 4GB of
RAM, the spike caused the User‐ID agent to lose connectivity.
WINAGENT-206 Fixed an issue where the Windows‐based User‐ID service displayed a credentials
error when an administrator tried to Commit changes after another administrator
configured a password for the User‐ID agent on the same Windows server.
WINAGENT-163 As an enhancement for collecting information about AirWatch‐managed endpoints,
the Host Information Profile (HIP) data that Windows‐based User‐ID agents send to
the GlobalProtect gateway now include the endpoint compliance status (compliant,
non‐compliant, or not available) and ownership information (employee owned,
corporate‐dedicated, or corporate‐shared).
WINAGENT-58 Fixed an issue where the Properties dialog (Windows) for the UaController.exe file
displayed the incorrect file version.
User‐ID Agent 8.0.5 Addressed Issues
Issue ID Description
WINAGENT-243 Fixed an issue on the Windows‐based User‐ID agent where the MDM integration
service for VMware AirWatch stopped running while processing large host
information profile (HIP) reports. With this fix, the MDM integration service supports
HIP reports of up to 50KB; when necessary, GlobalProtect truncates the applications
list to ensure the report size remains within the maximum size.
WINAGENT-224 Fixed an issue where firewalls running PAN‐OS 6.1 could not connect to
Windows‐based User‐ID agents 8.0.4 and earlier versions because the agents did not
allow TLSv1.0 connections. With this fix, Windows‐based User‐ID agents 8.0.5 and
later versions allow TLSv1.0 connections with firewalls running PAN‐OS 6.1.
WINAGENT-220 Fixed an issue where the firewall incorrectly blocked URLs due to a higher than
expected rate of false positives when users entered non‐corporate passwords to
access websites after you configured the Windows‐based User‐ID agent to detect
credential submissions (User Identification > Setup > Edit > Credentials).
8 • User‐ID Agent 8.0 Release Notes © Palo Alto Networks, Inc.
User‐ID Agent 8.0 Addressed Issues
User‐ID Agent 8.0.4 Addressed Issues
Issue Identifier Description
WINAGENT-34 Fixed an issue where the Windows User‐ID agent allowed weak ciphers for SSL/TLS
connections. With this fix, the Windows User‐ID agent allows only the following
ciphers for SSL/TLS connections:
• ECDHE‐ECDSA‐AES256‐GCM‐SHA384
• ECDHE‐RSA‐AES256‐GCM‐SHA384
• ECDHE‐RSA‐AES128‐GCM‐SHA256
• ECDHE‐ECDSA‐AES256‐SHA384
• ECDHE‐ECDSA‐AES128‐SHA256
• DHE‐RSA‐AES256‐SHA256
• DHE‐RSA‐AES128‐SHA256
• ECDHE‐RSA‐AES256‐SHA
• ECDHE‐ECDSA‐AES256‐SHA
• ECDHE‐RSA‐AES128‐SHA
• ECDHE‐ECDSA‐AES128‐SHA
• DHE‐RSA‐AES256‐SHA
• DHE‐RSA‐AES128‐SHA
• AES256‐SHA256
• AES256‐SHA
• AES128‐SHA256
• AES128‐SHA
User‐ID Agent 8.0.3 Addressed Issues
Issue Identifier Description
WINAGENT-141 Fixed an issue where the MDM integration service of the Windows‐based User‐ID
agent rejected connections from the MDM event notification service when you did
not configure the IP address of the MDM event notification service as a Permitted
IP address (MDM Integration > Setup > Permitted IP).
PAN-68824 Fixed an issue where the Windows‐based User‐ID agent performed IP
address‐to‐username mapping for user accounts that were in the Ignore User list
(ignore_user_list.txt).
© Palo Alto Networks, Inc. User‐ID Agent 8.0 Release Notes • 9
User‐ID Agent 8.0 Addressed Issues
User‐ID Agent 8.0.2 Addressed Issues
Issue Identifier Description
WINAGENT-122 Fixed an issue where the Windows‐based User‐ID agent frequently reset its
connection with a syslog sender, causing the sender to generate numerous
connection failure logs and associated alerts.
WINAGENT-65 Fixed an issue where, when the PAN‐OS XML API sent user mappings with no
timeout value to a Windows‐based User‐ID agent, the agent set the mappings
timeout to never instead of applying the User Identification Timeout setting.
User‐ID Agent 8.0.1 Addressed Issues
Issue Identifier Description
WINAGENT-133 Fixed an issue where the Windows‐based User‐ID agent had a memory leak while
running the MDM Integration Service.
WINAGENT-109 Fixed an issue where the Windows‐based User‐ID agent attempted to access the
certificate store on the agent even when hashes match, which caused authentication
to fail even for matching hashes if the certificate store on the agent was inaccessible.
WINAGENT-90 Fixed an issue where a Windows‐based User‐ID Agent running the MDM Integration
Service failed during startup due to a Windows module fault and required a restart.
User‐ID Agent 8.0.0 Addressed Issues
Issue Identifier Description
PAN-60400 Fixed an issue where the username displayed as a concatenated string (username+IP
address) when learned from the User‐ID agent instead of through the firewall. With
this fix, the username displays correctly (without IP address).
Related Documentation
Refer to the following documents on the Technical Documentation portal at
https://www.paloaltonetworks.com/documentation for more information about the Palo Alto
Next‐Generation Security Platform:
PAN‐OS Administrator's Guide—Provides the concepts and solutions to get the most out of your Palo
Alto Networks next‐generation firewalls. This includes taking you through the initial configuration and
basic set up on your Palo Alto Networks firewalls.
Palo Alto Networks Web Interface Reference Guide—Describes how to administer the Palo Alto
Networks firewall using the device's web interface. The guide is intended for system administrators
responsible for deploying, operating, and maintaining the firewall.
Palo Alto Networks Compatibility Matrix—Provides operating system and other compatibility
information for Palo Alto Networks next‐generation firewalls, appliances, and agents, including where
you can install the User‐ID agent and which servers it can monitor.
Requesting Support
For contacting support, for information on support programs, to manage your account or devices, or to
open a support case, refer to https://www.paloaltonetworks.com/support/tabs/overview.html.
For the most current PAN‐OS and Panorama 8.0 release notes, go to
https://www.paloaltonetworks.com/documentation/80/pan‐os/pan‐os‐release‐notes.html.
To provide feedback on the documentation, please write to us at: documentation@paloaltonetworks.com.
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact‐support
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2017–2018 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of
our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks
mentioned herein may be trademarks of their respective companies.
Revision Date: May 2, 2018