New Features

The following table describes the major features that are introduced in the corresponding release.

Features

Description

Release 9.1R17

Allow Host checker policy on certificate expiry

This feature allows the administrators to pass host checker policies on endpoints after the machine certificate expires. The Administrator can assign endpoints to have remediation roles so that users can renew certificate.

Log Enhancements

This feature allows the admin to enter a custom message to display on the client highlight the host checker compliance errors.

Report scheduling enhancements

This feature supports scheduling multiple reports of the same type. Allows scheduling report notification on a customized time of a day/month/week.

Compliance report enhancements

The dashboard displays the chart for the compliant and non-compliant devices. The compliance report is enhanced to display the compliant devices.

Release 9.1R16

Profiler IPv6 Support

Profiler now supports and discovers IPv6 devices. DDR report and other reports show IPV6 information.

Release 9.1R15

Profiler IPv6 Support

Profiler now supports and discovers IPv6 devices. DDR report and other reports show IPV6 information.

Release 9.1R14

DHCP Server Address Assignment in IPS

This feature allows to configure DHCP servers in Address Pool tab and assign IP addresses dynamically to the endpoints from the configured DHCP server.

Note: One server can be configured with only one IP address.

Active/Active Cluster Support for IP pool feature for Framed IP Address

This feature allows to assign IP addresses dynamically for the users or nodes from IP address pools over radius protocol in Active/Active cluster mode.

Kerberos e-type extension

This feature allows Kerberos to use AES128 as the highest encryption type.

Release 9.1R13

Framed-IP Address Pool

Ivanti Policy Secure allows the admins to assign IP addresses dynamically for the users or nodes from IP address pools.

This feature is applicable only to RADIUS.

Delegated Admin Control

This feature enables super admin to configure different access levels to RADIUS, SNMP clients and policy configurations listed in the Network Access menu.

Release 9.1R12

MS SQL Server support for Accounting

Ivanti Policy Secure supports storing the RADIUS accounting information to an external SQL database. Ivanti Policy Secure offers SQL Accounting feature under Auth Servers. MSSQL accounting supported only for 802.1x use cases and only one SQL server can be configured.

Enhancement to prevent MAC Spoofing

Profiler can now detect a device, which was already scanned and profiled but cannot be scanned anymore. Admin can configure e-mail notification to be sent based on configured interval for devices, which are assigned a group based on the number of failed scan attempts.

Cascading Authentication Server support

Cascading multiple external authentication servers provides a continuous, reliable process for authenticating and authorizing external users. If authentication fails on the first authentication server, then Ivanti Policy Secure attempts to authenticate the user by using the subsequent external authentication server configured in the realm under the sign-in policy page.

Ivanti Connect Secure Admission Control using Ivanti Policy Secure

The Firewall/SIEM detects compromised remote devices, Firewall/SIEM can send threat alert to Ivanti Policy Secure and Ivanti Policy Secure can instruct Ivanti Connect Secure to take action based on threat severity.

Release 9.1R11

Ivanti Policy Secure and Profiler reporting enhancements

Ivanti Policy Secure supports report generation and sending it as a PDF attachment in a scheduled email based on filters and time settings.

Release 9.1R10

No new features introduced in this release. See, Noteworthy Changes.

Release 9.1R9

Firewall Provisioning based on Profile Group

Ivanti Policy Secure allows Administrator to provision Auth Table Mapping policy, Resource Access policy and IoT Access policy configured using profile groups for the devices.

SBR migration service attribute field

Ivanti Policy Secure supports Service Type configuration in TACACS+ shell policy in SBR to Ivanti Policy Secure migration.

SBR Shared Secret Password Decryption

Ivanti Policy Secure supports decryption of shared secret and native user password (encrypted passwords only) in SBR to Ivanti Policy Secure migration.

Release 9.1R8

McAfee ePO integration for endpoint protection

Ivanti Policy Secure integration with McAfee ePO supports assessing device security posture through querying of device attribute details and then assigning of roles based on the attribute values.

Nozomi networks Ivanti Policy Secure integration and policy provisioning

Ivanti Policy Secure integration with Nozomi Networks supports assessing device security posture through querying of device attribute details and then assigning of roles based on the attribute values.

SBR to Ivanti Policy Secure migration for TACACS+ usecase

SBR TACACS+ configurations can be migrated to Ivanti Policy Secure using configuration file import.

Support for pool of NTP servers and NTP status check

Ivanti Policy Secure now supports pool of NTP servers up to 4 NTP servers to sync date and time.

Assign RADIUS Return Attributes for Local and MAC Auth Users

Ivanti Policy Secure supports configuration of specific/custom attributes and assignment to a user or group of users. Administrator can use RADIUS Return Attribute Policy and User Return Attribute together to enforce on the client for 802.1x and MAC authentication mechanism.

MSSP Licensing

Ivanti Policy Secure now supports MSSP licensing model.

UEBA package for fresh installation of Ivanti Policy Secure

In case you have a fresh installation of Ivanti Policy Secure, you may download latest UEBA package from Pulse Secure Support Site (https://my.pulsesecure.net) and add the package at Behavior Analysis page before using Adaptive Authentication.

Profiler

Profiler integration with Nozomi Networks

Profiler integration with Nozomi Networks supports classifying and categorizing OT devices using device attributes.

Agentless classification through RSPAN traffic

Enable passive listening of traffic through RSPAN using TCP and SMB protocols in profiler. This feature helps to detect devices and their attributes for endpoints which are configured with/without static IP addresses

Device time-bound approval

This feature allows the administrator to approve devices for a specific time period.

Profiler UI changes

The Ivanti Policy Secure User Interface has new tab for Profiler configuration and maintenance.

Profiler customized reports

This feature allows to download custom reports based on the filters applied.

Release 9.1R6

Show Serial Number under Licensing Tab

The Ivanti Policy Secure Licensing tab (System > Configuration > Licensing) now displays the Serial Number.

Hardware ID is available on System Maintenance Tab

The Hardware ID is now included in System Maintenance > Platform tab.

Host Checker policies hyperlinked to policies page

 

Host Checker policies is now clickable (hyperlink) in User Realms page.

Release 9.1R5

Ivanti Policy Secure on Amazon Web Services (AWS)

Provides NAC services (802.1x, MAC Auth, L3 Firewall Enforcement) to multiple on-premise networks using Ivanti Policy Secure deployed on Amazon Web Services (AWS) cloud.

SNMP policy enforcement (Alcatel-Lucent, Huawei, Arista)

SNMP policy enforcement is now supported on Alcatel-Lucent, Huawei and Arista switches.

McAfee ePolicy Orchestrator (ePO) integration

Ivanti Policy Secure (Ivanti Policy Secure) integration with the McAfee ePolicy Orchestrator (ePO) provides complete visibility of network endpoints and provide end to end network security. The Ivanti Policy Secure integration with McAfee ePO allows Admin to perform user access control based on alerts received from the McAfee ePO.

Splunk syslog add-on and Dashboard app

Splunk application for Ivanti Policy Secure uses the indexed data to render various charts and to show useful information on dashboard. The Pulse Secure App for Splunk allows you to view Ivanti Policy Secure data in a dedicated, customizable Splunk dashboard. This bidirectional interaction with Splunk allows security managers to quickly monitor the current operational/security posture.

IPv6 Support for Syslog, NTP and Log Archive

Ivanti Policy Secure now supports sending syslog messages to a syslog server using IPv6 address.

Time synchronization using NTP server is now supported with IPv6 address. Ivanti Policy Secure also supports transferring archived Ivanti Policy Secure logs using FTP and SCP over IPv6 network.

SBR to Ivanti Policy Secure migration

SBR configurations (802.1x and Mac Address Authentication) can be migrated to Ivanti Policy Secure using XML import.

ECC certificate support for Juniper SRX firewall connection

Ivanti Policy Secure now supports Elliptic Curve Cryptography (ECC) certificate for SRX firewall connections.

Host Checker policy to detect hard disk Encryption in progress

Host Checker policy to allow detection of hard drive encryption in progress.

MSSQL support on Ivanti Policy Secure with external DB

Ivanti Policy Secure supports MSSQL as external Auth server for 802.1x and Layer 3 authentication.

PDF report capability

This feature in Ivanti Policy Secure allows the user to download the reports (User Summary Report, Single User Activities, Device Summary, Device Discovery, Single Device Activities, Authentication, Compliance, Infected Devices) in PDF format. Apart from the CSV, Tab Limited option, there is an option called PDF provided in Ivanti Policy Secure Reports.

Profiler

Backup and Recovery, and Disaster management

Profiler deployments provides backup mechanism for enhanced disaster management (Profiler Forwarder, Remote Profiler, Centralized Standalone Profiler).

Viptela Switch Support

Viptela Switch support is added for SNMP Visibility.

Release 9.1R4

Ivanti Policy Secure on

Azure platform

Provides NAC services (802.1x, MAC Auth, L3 Firewall Enforcement) to multiple on-premise networks using Ivanti Policy Secure deployed on Microsoft Azure cloud.

Huawei - Guest Access

Supports guest access use cases with Huawei WLC.

Mist Juniper WLC

Supports 802.1x and guest access with Juniper Mist WLC.

TACACS+ support for Arista Switch

Support Administrator access control for Arista.

Common Access Card (CAC) support with TACACS+

Supports TACACS+ authorization using Ivanti Policy Secure. Authentication is performed by the third-party authentication server.

Provisioning only User-ID information to PAN firewall

Provides an option to admin in Auth table mapping policy to push only IP-User mapping to Palo Alto Networks firewall.

System Local user attribute support (Framed-IP-Address)

Allows to define user Attributes for system local server and associate those attributes to user names, including Framed-IP address. Values of those attributes to be defined for each user name.

Strong Hash

Supports protecting passwords stored in local authentication server using strong hash.

Release 9.1R3

VSYS Support in PAN

Ivanti Policy Secure supports provisioning user identity and resource access/IoT policies to multiple VSYS or specific VSYS (other than vsys1) on PAN firewall.

IBM QRadar Integration

Ivanti Policy Secure along with IBM QRadar provides user access control based on threats/events received from IBM QRadar.

Splunk Integration

Splunk alert based integration supports sending alert information from Splunk to Ivanti Policy Secure. Ivanti Policy Secure uses its existing functionality of admission control, L2/L3 enforcement and provides role based access control to secure the network.

Fortinet Identity management using RADIUS accounting messages

Ivanti Policy Secure supports integration with FortiGate firewall using RADIUS accounting messages.

Mysql support

Ivanti Policy Secure supports MYSQL as external Authentication server.

Local user account import through CSV in System local DB

Allows importing user accounts via CSV file in System local auth server. The local authentication server is an authentication database that is built in to Ivanti Policy Secure.

SNMP Enforcement using ACL for 3Com, DELL

SNMP ACL enforcement support is now expanded for 3Com and Dell switches.

SNMP Enforcement using VLAN for 3Com, Juniper and DELL

SNMP VLAN enforcement support is now expanded for 3Com, Juniper and Dell switches.

One-to-One NAT support

Ivanti Policy Secure allows auth table provisioning for the endpoints behind NAT (One-to One NAT mapping).

vTM and Ivanti Policy Secure Integration for Load Balancing

The Platform Limit, Maximum Licensed User Count and Cluster Name attribute values are available for optimal load balancing.

Release 9.1R2

Alert based integration with Nozomi Networks

Ivanti Policy Secure along with Nozomi Networks provides threat detection and threat response in ICS/OT environ-ment.

Backup configs and archived logs on AWS S3/Azure Storage

Two new methods of archiving the configurations and archived logs are available apart from SCP and FTP methods:

Ivanti Policy Secure/Ivanti Connect Secure supports pushing configurations and archived logs to the S3 bucket in the Amazon AWS deployment and to the Azure storage in the Microsoft Azure deployment.

 

EasiSMS Gateway Support

Ivanti Policy Secure supports EasiSMS gateway through the SMTP server. EasiSMS uses an email format to send SMS to end user mobile phones.

Flag Duplicate Machine ID in access logs

Pulse client expects the machine ID is unique on each machine. If multiple endpoints have the same machine ID, for security reasons, the existing sessions with the same machine id are closed.

A new access log message is added to flag the detection of a duplicate Machine ID in the following format:

Message: Duplicate machine ID "<Machine_ID>" detected. Ending user session from IP address <IP_address>. Refer document KB25581 for details.

Migration of Cisco ACS RADIUS/TACACS+ client configuration to Ivanti Policy Secure

Migrating RADIUS/TACACS+ client configuration configured on the Cisco ACS device.

Report Max Used Licens-es to HLS|VLS

The licensing client reports maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used.

V3 to V4 Opswat SDK mi-gration

Ivanti Policy Secure supports the migration of servers and clients to Opswat v4 to take advantage of latest updates.

VA Partition

Ivanti Connect Secure/Ivanti Policy Secure supports upgrading from Ivanti Connect Secure 8.2Rx/ Ivanti Policy Secure 5.3Rx to 9.1R2 for the following supported plat-forms:

VMWare ESXi

KVM

Hyper-V

When upgrading a VA-SPE running Ivanti Connect Secure 8.2R5.1/Ivanti Policy Secure 5.3Rx or below that was deployed with an OVF template to a higher version, the upgrade was failing. This feature solves the upgrade problem for VMWare, KVM and Hyper-V. Refer KB41049 for more details.

Profiler

Profiler dashboard update

Profiler dashboard supports chart for Profile Groups. This chart is also part of downloaded PDF report.

Windows defender and Microsoft Security Essen-tials support

Agentless Host Checker with Profiler supports Windows defender and Microsoft Security Essentials.

Release 9.1R1

DNS traffic on any physical interface

Prior to 9.1R1 release, DNS traffic was sent over the Internal interface. Starting with 9.1R1 release, an administrator can modify the DNS setting to any physical interface namely Internal Port, External Port or Management Port.

Google Auth Multi Factor Authentication

TOTP server can be added as a secondary auth server in Ivanti Policy Secure.

Machine certificate check on MacOS

Machine certificate check on Mac OS is now supported for Ivanti Policy Secure.

Meraki 802.1x and Guest Access support

802.1X and Guest Access support is qualified with Cisco Meraki WLC.

RADIUS server capability on External port

802.1X authentication is now supported on external port.

SAML Auth Server support

Ivanti Policy Secure can be configured as SAML service provider (SP) for all industry standard SAML IdP's.

Session bridging for Linux Platform

Ivanti Policy Secure supports bridging the Layer 2 Native Supplicant 802.1X session with Layer3 Agentless (Browser based) Session on Linux platform.

Session Migration using Cert authentication

Session migration in an IF-MAP federated network supports Cert Auth and SAML auth

SNMP Enforcement using ACL (Cisco, HP, Juniper)

SNMP enforcement using ACL is supported for Cisco, Juniper and HP switches.

TACACS+ Enhancements - DB sync, pass back attributes to devices such as F5 and Juniper

TACACS+ authorization support for Administrators using custom attributes for Juniper and F5 devices.

TACACS+ configuration synchronization across WAN cluster

 

Profiler

Distributed Profiler Enhancements

The Administrators can sync the profiled data from one Profiler to another from the profiler auth server configuration page. Multiple branch offices can sync their profiled data to central office. Ad-min can view the Device Discovery Report to view and control the multiple offices.

Profiler Device Age Out

Profiler device age-out interval configuration allows admin to automatically delete the devices from the database. Admin can define the age-out interval for a group of devices also using Profile Groups

Profile Windows devices using SNMP (HOST)

SNMP-HOST Collector is a collection method that receives endpoint information where the end-points are monitored through SNMP. Admin can configure subnets to scan and community strings in profiler auth server configuration page.

Approval for Profile Groups

Administrator can select "needs approval" for selected Profiler group.

Key-value based search in DDR

Administrator can search in DDR with key value-based query. Query syntax is similar to that of pro-file groups.

Publishing IP address from Profiler to Active User Session

Admin can add IP address from Profiler to active session for L3 enforcement when RADIUS account-ing is not enabled. This is supported only for MAC auth and dot1X.

Huawei switches added in supported list for Network Infrastructure Device

Admin can select Huawei switch from supported list in network infrastructure device page.