New Features

Release 9.1R17

This feature allows the administrators to pass host checker policies on endpoints after the machine certificate expires. The Administrator can assign endpoints to have remediation roles so that users can renew certificate.

This feature allows the admin to enter a custom message to display on the client highlight the host checker compliance errors.

This feature supports scheduling multiple reports of the same type. Allows scheduling report notification on a customized time of a day/month/week.

The dashboard displays the chart for the compliant and non-compliant devices. The compliance report is enhanced to display the compliant devices.

Release 9.1R16

Profiler now supports and discovers IPv6 devices. DDR report and other reports show IPV6 information.

Release 9.1R15

Profiler now supports and discovers IPv6 devices. DDR report and other reports show IPV6 information.

Release 9.1R14

This feature allows to configure DHCP servers in Address Pool tab and assign IP addresses dynamically to the endpoints from the configured DHCP server.

Note: One server can be configured with only one IP address.

This feature allows to assign IP addresses dynamically for the users or nodes from IP address pools over radius protocol in Active/Active cluster mode.

This feature allows Kerberos to use AES128 as the highest encryption type.

Release 9.1R13

Ivanti Policy Secure allows the admins to assign IP addresses dynamically for the users or nodes from IP address pools.

This feature is applicable only to RADIUS.

This feature enables super admin to configure different access levels to RADIUS, SNMP clients and policy configurations listed in the Network Access menu.

Release 9.1R12

Ivanti Policy Secure supports storing the RADIUS accounting information to an external SQL database. Ivanti Policy Secure offers SQL Accounting feature under Auth Servers. MSSQL accounting supported only for 802.1x use cases and only one SQL server can be configured.

Profiler can now detect a device, which was already scanned and profiled but cannot be scanned anymore. Admin can configure e-mail notification to be sent based on configured interval for devices, which are assigned a group based on the number of failed scan attempts.

Cascading multiple external authentication servers provides a continuous, reliable process for authenticating and authorizing external users. If authentication fails on the first authentication server, then Ivanti Policy Secure attempts to authenticate the user by using the subsequent external authentication server configured in the realm under the sign-in policy page.

The Firewall/SIEM detects compromised remote devices, Firewall/SIEM can send threat alert to Ivanti Policy Secure and Ivanti Policy Secure can instruct Ivanti Connect Secure to take action based on threat severity.

Release 9.1R11

Ivanti Policy Secure supports report generation and sending it as a PDF attachment in a scheduled email based on filters and time settings.

Release 9.1R10

No new features introduced in this release. See, Noteworthy Changes.

Release 9.1R9

Ivanti Policy Secure allows Administrator to provision Auth Table Mapping policy, Resource Access policy and IoT Access policy configured using profile groups for the devices.

Ivanti Policy Secure supports Service Type configuration in TACACS+ shell policy in SBR to Ivanti Policy Secure migration.

Ivanti Policy Secure supports decryption of shared secret and native user password (encrypted passwords only) in SBR to Ivanti Policy Secure migration.

Release 9.1R8

Ivanti Policy Secure integration with McAfee ePO supports assessing device security posture through querying of device attribute details and then assigning of roles based on the attribute values.

Ivanti Policy Secure integration with Nozomi Networks supports assessing device security posture through querying of device attribute details and then assigning of roles based on the attribute values.

SBR TACACS+ configurations can be migrated to Ivanti Policy Secure using configuration file import.

Ivanti Policy Secure now supports pool of NTP servers up to 4 NTP servers to sync date and time.

Ivanti Policy Secure supports configuration of specific/custom attributes and assignment to a user or group of users. Administrator can use RADIUS Return Attribute Policy and User Return Attribute together to enforce on the client for 802.1x and MAC authentication mechanism.

Ivanti Policy Secure now supports MSSP licensing model.

In case you have a fresh installation of Ivanti Policy Secure, you may download latest UEBA package from Pulse Secure Support Site (https://my.pulsesecure.net) and add the package at Behavior Analysis page before using Adaptive Authentication.

Profiler

Profiler integration with Nozomi Networks supports classifying and categorizing OT devices using device attributes.

Enable passive listening of traffic through RSPAN using TCP and SMB protocols in profiler. This feature helps to detect devices and their attributes for endpoints which are configured with/without static IP addresses

This feature allows the administrator to approve devices for a specific time period.

The Ivanti Policy Secure User Interface has new tab for Profiler configuration and maintenance.

This feature allows to download custom reports based on the filters applied.

Release 9.1R6

The Ivanti Policy Secure Licensing tab (System > Configuration > Licensing) now displays the Serial Number.

The Hardware ID is now included in System Maintenance > Platform tab.

Host Checker policies is now clickable (hyperlink) in User Realms page.

Release 9.1R5

Provides NAC services (802.1x, MAC Auth, L3 Firewall Enforcement) to multiple on-premise networks using Ivanti Policy Secure deployed on Amazon Web Services (AWS) cloud.

SNMP policy enforcement is now supported on Alcatel-Lucent, Huawei and Arista switches.

Ivanti Policy Secure (Ivanti Policy Secure) integration with the McAfee ePolicy Orchestrator (ePO) provides complete visibility of network endpoints and provide end to end network security. The Ivanti Policy Secure integration with McAfee ePO allows Admin to perform user access control based on alerts received from the McAfee ePO.

Splunk application for Ivanti Policy Secure uses the indexed data to render various charts and to show useful information on dashboard. The Pulse Secure App for Splunk allows you to view Ivanti Policy Secure data in a dedicated, customizable Splunk dashboard. This bidirectional interaction with Splunk allows security managers to quickly monitor the current operational/security posture.

Ivanti Policy Secure now supports sending syslog messages to a syslog server using IPv6 address.

Time synchronization using NTP server is now supported with IPv6 address. Ivanti Policy Secure also supports transferring archived Ivanti Policy Secure logs using FTP and SCP over IPv6 network.

SBR configurations (802.1x and Mac Address Authentication) can be migrated to Ivanti Policy Secure using XML import.

Ivanti Policy Secure now supports Elliptic Curve Cryptography (ECC) certificate for SRX firewall connections.

Host Checker policy to allow detection of hard drive encryption in progress.

Ivanti Policy Secure supports MSSQL as external Auth server for 802.1x and Layer 3 authentication.

This feature in Ivanti Policy Secure allows the user to download the reports (User Summary Report, Single User Activities, Device Summary, Device Discovery, Single Device Activities, Authentication, Compliance, Infected Devices) in PDF format. Apart from the CSV, Tab Limited option, there is an option called PDF provided in Ivanti Policy Secure Reports.

Profiler

Profiler deployments provides backup mechanism for enhanced disaster management (Profiler Forwarder, Remote Profiler, Centralized Standalone Profiler).

Viptela Switch support is added for SNMP Visibility.

Release 9.1R4

Provides NAC services (802.1x, MAC Auth, L3 Firewall Enforcement) to multiple on-premise networks using Ivanti Policy Secure deployed on Microsoft Azure cloud.

Supports guest access use cases with Huawei WLC.

Supports 802.1x and guest access with Juniper Mist WLC.

Support Administrator access control for Arista.

Supports TACACS+ authorization using Ivanti Policy Secure. Authentication is performed by the third-party authentication server.

Provides an option to admin in Auth table mapping policy to push only IP-User mapping to Palo Alto Networks firewall.

Allows to define user Attributes for system local server and associate those attributes to user names, including Framed-IP address. Values of those attributes to be defined for each user name.

Supports protecting passwords stored in local authentication server using strong hash.

Release 9.1R3

Ivanti Policy Secure supports provisioning user identity and resource access/IoT policies to multiple VSYS or specific VSYS (other than vsys1) on PAN firewall.

Ivanti Policy Secure along with IBM QRadar provides user access control based on threats/events received from IBM QRadar.

Splunk alert based integration supports sending alert information from Splunk to Ivanti Policy Secure. Ivanti Policy Secure uses its existing functionality of admission control, L2/L3 enforcement and provides role based access control to secure the network.

Ivanti Policy Secure supports integration with FortiGate firewall using RADIUS accounting messages.

Ivanti Policy Secure supports MYSQL as external Authentication server.

Allows importing user accounts via CSV file in System local auth server. The local authentication server is an authentication database that is built in to Ivanti Policy Secure.

SNMP ACL enforcement support is now expanded for 3Com and Dell switches.

SNMP VLAN enforcement support is now expanded for 3Com, Juniper and Dell switches.

Ivanti Policy Secure allows auth table provisioning for the endpoints behind NAT (One-to One NAT mapping).

The Platform Limit, Maximum Licensed User Count and Cluster Name attribute values are available for optimal load balancing.

Release 9.1R2

Ivanti Policy Secure along with Nozomi Networks provides threat detection and threat response in ICS/OT environ-ment.

Two new methods of archiving the configurations and archived logs are available apart from SCP and FTP methods:

Ivanti Policy Secure/Ivanti Connect Secure supports pushing configurations and archived logs to the S3 bucket in the Amazon AWS deployment and to the Azure storage in the Microsoft Azure deployment.

Ivanti Policy Secure supports EasiSMS gateway through the SMTP server. EasiSMS uses an email format to send SMS to end user mobile phones.

Pulse client expects the machine ID is unique on each machine. If multiple endpoints have the same machine ID, for security reasons, the existing sessions with the same machine id are closed.

A new access log message is added to flag the detection of a duplicate Machine ID in the following format:

Message: Duplicate machine ID "<Machine_ID>" detected. Ending user session from IP address <IP_address>. Refer document KB25581 for details.

Migrating RADIUS/TACACS+ client configuration configured on the Cisco ACS device.

The licensing client reports maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used.

Ivanti Policy Secure supports the migration of servers and clients to Opswat v4 to take advantage of latest updates.

Ivanti Connect Secure/Ivanti Policy Secure supports upgrading from Ivanti Connect Secure 8.2Rx/ Ivanti Policy Secure 5.3Rx to 9.1R2 for the following supported plat-forms:

VMWare ESXi

KVM

Hyper-V

When upgrading a VA-SPE running Ivanti Connect Secure 8.2R5.1/Ivanti Policy Secure 5.3Rx or below that was deployed with an OVF template to a higher version, the upgrade was failing. This feature solves the upgrade problem for VMWare, KVM and Hyper-V. Refer KB41049 for more details.

Profiler

Profiler dashboard supports chart for Profile Groups. This chart is also part of downloaded PDF report.

Agentless Host Checker with Profiler supports Windows defender and Microsoft Security Essentials.

Release 9.1R1

Prior to 9.1R1 release, DNS traffic was sent over the Internal interface. Starting with 9.1R1 release, an administrator can modify the DNS setting to any physical interface namely Internal Port, External Port or Management Port.

TOTP server can be added as a secondary auth server in Ivanti Policy Secure.

Machine certificate check on Mac OS is now supported for Ivanti Policy Secure.

802.1X and Guest Access support is qualified with Cisco Meraki WLC.

802.1X authentication is now supported on external port.

Ivanti Policy Secure can be configured as SAML service provider (SP) for all industry standard SAML IdP's.

Ivanti Policy Secure supports bridging the Layer 2 Native Supplicant 802.1X session with Layer3 Agentless (Browser based) Session on Linux platform.

Session migration in an IF-MAP federated network supports Cert Auth and SAML auth

SNMP enforcement using ACL is supported for Cisco, Juniper and HP switches.

TACACS+ authorization support for Administrators using custom attributes for Juniper and F5 devices.

Profiler

The Administrators can sync the profiled data from one Profiler to another from the profiler auth server configuration page. Multiple branch offices can sync their profiled data to central office. Ad-min can view the Device Discovery Report to view and control the multiple offices.

Profiler device age-out interval configuration allows admin to automatically delete the devices from the database. Admin can define the age-out interval for a group of devices also using Profile Groups

SNMP-HOST Collector is a collection method that receives endpoint information where the end-points are monitored through SNMP. Admin can configure subnets to scan and community strings in profiler auth server configuration page.

Administrator can select "needs approval" for selected Profiler group.

Administrator can search in DDR with key value-based query. Query syntax is similar to that of pro-file groups.

Admin can add IP address from Profiler to active session for L3 enforcement when RADIUS account-ing is not enabled. This is supported only for MAC auth and dot1X.