Fixed Issues

Release 9.1R18.1

Agentless connection from Big Sur machine displays wrong "Agent Type" version under Active user page.

After upgrading to 9.1 R17 version, Profiler DDR shows 5 filters were applied by default.

SBR auth process not recovering on its own after being overloaded

Compliance is failing on McAfee 16 with ESAP 4.1.4

ISAC shows password expiration warning even when the number of days configured in realm for warning is less than password expiration day. This only happens when you use DUO sign in page.

Inconsistencies in Japanese Language while using Host Checker.

Release 9.1R18

Host Checker hangs during patch management check.

Release 9.1R17

uwsgi process fails

PSA7000c unresponsive in Active-Passive cluster with warm restart on 9.1R16.

Bi-Directional forward and sync endpoint data is not working.

Host Checker: Virus Definition Check fails for Norton Security Ultra

IPS is unable to classify Cisco AP.

Host Checker reports Virus Definition are not up to date for AV VirIT eXplorer PRO.

Host Checker: ICS do not recognize few vendors while configuring Antivirus and Spyware.

On upgrading to 9.1R14.1, sporadically users are redirected with error https://auth/welcome.cgi.

Post re-authentication, IPS sends Disconnect-Request within 2-3 minutes due "Max session timeout".

Framed-IP address sent in disconnectmessage is incorrect.

Release 9.1R16

DDR entries are not showing on the reports page.

Post Upgrade to 9.1R15, we can no longer change the precedence/ordering of the Sign-In URLs (Save changes take no effect).

Device search is failing in DDR after upgrading to 9.1R15.

Apex One (Mac) Security Agent 3.5.5709' failing in the policy re-evaluation

“Pulse Collaboration” feature is still accessible in 9.1 R15 version

Save All Logs button missing in 9.1R15 in IPS and ICS.

Custom Sign-in pages display jumbled content post C9.1R15 upgrade.

User IP address allocation logs intermittently not getting populated in User Access logs.

Program TNCS failed.

XML import shows failed when SQL Auth based being used as authorization along with CERT Auth being as authentication.

Unable to Profile Thin client (Wyse)

Agentless HC crashes with 3rd party NHC rule (heap corruption).

Users are getting "authentication rejected by the server" when they click connect on pulse client.

Users were unable to connect, existing users got disconnected due to aggressive “Periodic Check” timers.

MAC spoofing not blocked.

HC Logs in User Access shows Local Username instead of VPN Username while using Embedded Browser.

Release 9.1R15

TACACS+ Authorization is getting rejected with error "Authorization not enabled without authentication". When authentication and authorization requests use different port.

MSSQL Accounting not working with PPS.

Disconnect Message fails. Framed-IP sent in DM message is incorrect.

WMI Scan fails for all the devices.

After upgrading PCS to 9.1R13, users using embedded browser no longer receiving password expiry message when DUO is secondary auth server.

Federate wide sessions are not getting synced between IF-MAP Replicas when persistent queue change log file is corrupted.

Ignore Internet Check Flag needs to be updated in PDC/PCS/PPS 9.1R15.

Internet Check during HC for EDR products is removed to prevent false-positive scenarios - https://forums.ivanti.com/s/article/KB45142?language=en_US.

Continuous Radius process snapshots generated after upgrading PPS to C9.1R14

Release 9.1R14

Email Scheduler not working for DDR post 9.1R12 Upgrade.

Event log shows "Closing connection with profiler 10.0.4.6 due to Server Error: (psycopg2.OperationalError) FATAL: sorry, too many clients already".

Unable to detect the MAC spoofing because Nmap is not able to change the classification immediately after the device is spoofed.

Admission Control action does not take place in case of session bridging scenario (When L2 session with native supplicant is bridging with Pulse L3 session) even after IPS receives alert.

Profiler is not able to classify Device using DHCP collector.

Release 9.1R13.1

Misalignment of tables in Ivanti Policy Secure PDF reports.

Release 9.1R13

First time connection from MAC Big Sur with host checker enabled at realm level shows host checker looping and SecStaticCodeCheckValidity failure.

Virus definition check fails for Cisco Advanced Malware Protection for Endpoints (7.x).

Guest Sponsor not receiving emails on Ivanti Policy Secure for Pulse Guest access.

Release 9.1R12

Fed-Wide session sync delay between Replicas and User session getting removed from Imported sessions within few minutes.

A warning message is added to notify users that the services will be restarted and the connections will be disconnected when the admin sets the network time manually (System -> Status -> Overview -> Date and Time).

TACACS+ Authorization gets rejected despite successful authentication.

"Program RADIUS recently failed" issue has been fixed.

Ivanti Policy Secure default port 11122 (ScreenOS) and 11123 (SRX) , which supports TLS1.0 is now closed by default and is used only upon adding SRX/ScreenOS connections.

User password displayed in clear-text in admin access logs during XML import failure in Ivanti Policy Secure.

TACACS+ Accounting issue is resolved.

Profiler forwarder forwarding profiling data of disconnected devices to standalone profiler results in unwanted consumption of profiler licenses.

SAML Auth for Admin users fails generating an authentication error.

Release 9.1R11

Cisco L3 switch is displayed as Cisco WLC when the Cisco switch does not have CAM entries. Hence a proper log message has been added to cover this scenario.

XML configuration export settings for roles such as guest role and user role are not retained and not matching with the GUI.

DDR entries are deleted after power failure. This is now resolved.

Issue with "Agentless mode with Profiler" HC policy for role and realm mapping.

TNCS process crashes when admin configures Host Checker NetBios rule with more than 1228 characters.

Ivanti Policy Secure supports a maximum of 1,000 regex patterns in a single NetBIOS rule. In case, if there are more than 1,000 regex patterns in a single rule, split the rule into multiple rules.

Apple changed the OS version format in BigSur, which was not identified correctly. The OS Version check logic is updated to identify the new OS version format used in BigSur.

Authentication fails for native users, post migration from SBR to Ivanti Policy Secure.

ESAP package download was failing due to slow network speed on Mac platform. End-Points connected through slow Internet now will not hit the incomplete ESAP package download scenario.

Release 9.1R10

Multi Factor Authentication with Okta RADIUS for Networking devices like Cisco/Juniper Switches using SSH Access with Push notification is supported now.

Predefined Host Checker policy can now be configured with a ignore category based on the vendor.

Endpoints discovered having only IP Addresses (No associated MAC Addresses) by CDP/LLDP collectors from SNMP clients will now get updated in DDR.

NMAP Package upgraded to version 7.91 and NMAP profile update algorithm modified to avoid frequent NMAP profile changes.

The Authentication report now specifies the exact reason for the authentication failure.

Error updating data for chart hc_failure_reason/auth_mechanism" log on Ivanti Policy Secure will no longer be seen. The Exception that was causing this error has been fixed.

Endpoints connected via slow internet will not hit the incomplete ESAP package download scenario.

SNMP Polling freezes when sys-name is not present in CDP table for an endpoint.

Removed search box in TACACS+ Shell policy page due to conflict with policy reordering option.

Release 9.1R9

SNMPv3 clients can now be edited from New Profiler UI page.

SNMP Discovery Issue with SNMP v3.

Pulse Desktop Client disconnects when flipping VIP or rebooting appliance.

DHCP set option is added for AWS (If no DNS server configured in DHCP option set, it will take the second IP address as primary DNS server from the internal port subnet).

Agent Type in active users page on Ivanti Policy Secure is failing to show Windows OS version with 9.1R8 PDC builds.

Release 9.1R8.2

HC policy based on "Windows patch management" is not re-triggering post L2 connection.

HC policy based on LANGUARD Patch Management is not working as expected in 802.1x environment.

SMTP services not working post upgrade to C9.1R4.2.

Host Checker policy evaluation fails if policy rules need to be evaluated based on Custom Rule expression.

Release 9.1R8.1

Time Drift is observed when NTP is configured on Virtual Appliances. This can affect Authentication, Cluster sync and cause licensing issues – KB44558.

Release 9.1R8

Endpoints with NAT IP address were provisioned to SRX/ScreenOS firewall even if there is no matching policy for that user session. This issue is fixed.

Ivanti Policy Secure used to display an error message if the SMTP credentials were not configured. The error message will not be displayed now since the configuration without credentials is allowed.

profclustermoni process crash is observed when Hostchecker policies version is changed for more than 1000 times and WMI is not configured. This issue has been fixed.

TACACS+ Authorization was failing for Cisco WLC with error message "Bad service type". The service configuration is now added under TACACS+ shell policy. The default arguments i.e timeout, idletime, privilege level must be configured under Custom Attributes in the TACACS+ shell policy.

tncs process crash with HC caching enabled is now fixed.

With current OPSWAT library code, the verification of update functionality was not working. OPSWAT has fixed the issue and provided new library code and issue is fixed.

Host Checker file rule failed as Microsoft API 'GetVersion'/'GetFileVersionInfo' was returning a wrong version value in Windows 10. This issue has been fixed.

Session termination action from admission control policy was not getting triggered post AP cluster failover for existing user sessions. This issue is fixed.

For config elements with unicode characters and having length exceeding 4096 bytes, the config import on pulse one client was failing. The issue has been fixed now.

Release 9.1R7

The equal to (=) character is now supported in the Custom Attributes of TACACS+ Shell Policy.

If epupdate_hist.xml is hosted internally with no authentication and if "Use Proxy Server" (With/without auth) is enabled with FQDN or IP Address, the first 3 characters are ignored thus causing it to fail. For example, proxy.domain.net is taken as xy.domain.net. This issue is now fixed for both Ivanti Connect Secure and Ivanti Policy Secure.

With Ivanti Connect Secure 9.0R2-9.1R6 and Pulse 9.0R2-9.1R3, the client continues to send the CAV traffic to Ivanti Connect Secure every 300 seconds even when Cloud Secure license is not installed. From Ivanti Connect Secure 9.1R7 onwards, the PDC client (Pulse 9.0R2-9.1R3) will contact the Ivanti Connect Secure server only once per user session -KB44410.

Release 9.1R6

Ivanti Policy Secure now sends the appropriate status code for authentication failure in Cisco Switch.

CSV export of Profiler Device Discovery Report with large number of entries (>50,000) can now be performed without any failure.

After upgrading Ivanti Policy Secure to 9.1R3-9.1R5, slow Host Checker response is observed due to a very frequent re-evaluation of Cybereason Active Probe product.

The corruption of blob during the epupdate results in Host Checker scan failure for users till next successful epupdate.

Release 9.1R5

Inappropriate error displayed for 'Test Intune Connection is fixed. Appropriate error message is displayed.

Cluster Enhancement: Improve VIP unreachable time during cluster upgrade. This works for cluster with version running release 9.1R5 and later.

ECC device certificate support on Ivanti Policy Secure is now added for SRX connection. Juniper added ECC device certificate support from Junos Release 15.X.

Dashboard was reporting incorrect Session based OS count in graphs. This issue has been fixed.

Host Checker policy to detect Hard Disk encryption in progress is now added in this release.

TLS handshake failed error messages observed after Ivanti Policy Secure upgrade is now fixed.

When replica (IF-MAP) is not reachable, CombinedChangeLog files keep accumulating and consumes space on HDD partition till it reaches 95%. This issue is now fixed.

Profiler

Canon printer was misclassified on Ivanti Policy Secure Profiler. This issue is fixed in the latest fingerprint database.

Ivanti Policy Secure Profiler was not detecting the next-gen Edge OS from IGEL devices. This issue is now fixed.

Finger Print database was not loaded properly into the memory during initial loading of fingerprint file. This issue is now fixed.

Ivanti Policy Secure Profiler full synchronization issue with Pulse One is now fixed.

Ivanti Policy Secure Profiler Finger print database is now updated to detect ASUSTek COMPUTER INC" as Manufacturer.

Full Sync start time used to be a default time, i.e., 01 Jan 1970 rather Current Time.

The "View all 'Unapproved Devices'" link in E-mail received by admin for Device Approval was not getting redirect ed to Device Discovery Report. This issue is now fixed.

Release 9.1R4.2

While forwarder full-sync is in progress and new devices are getting discovered full-sync was aborted and restarted.

Release 9.1R4.1

TLS handshake failed error message observed due to state variable in RADIUS access request is fixed.

Release 9.1R4

Dismiss until next upgrade option is not working for banner related to perpetual licensing.

Devices in Network Infrastructure Device are in Undiscovered state after importing Devices

Profiler is polling deleted switches once after deletion.

Release 9.1R3.1

Port Bounce issue for SNMP VLAN enforcement with Cisco switch is now fixed.

TNCS process fails randomly on the server while evaluating the Host Checker policies.

Duplicate machine ID feature is reverted as part of this PR.

Profiler

Ivanti Policy Secure web interface is running extremely slow.

trap-collector process restarting due to high memory usage.

"trap-collector" consuming high CPU during startup.

Release 9.1R3

Clear config on Ivanti Policy Secure set the default 'Account Lockout' values to zero for 'Guest Authentica-tion' server and this value cannot be modified or saved.

End user always gets the remediation role even after endpoint meets all the End Point Security Policies.

New device anomaly is not detected when connecting to Pulse via embedded browser

Ivanti Policy Secure not sending auth table entry to correct vsys in PAN firewall

Profiler

In dashboard, Profiler name not retained when revisiting the same page after moving to another page.

Release 9.1R2

Factory reset from VMware VA console does not load the factory reset version and loads the current version.

Invalid character error seen while adding Radius Return attribute value which contains "<" and ">" characters.

Host Checker service in Pulse is crashing while performing policy monitoring when pulse client is retrying.

NMAP scan profiling is inaccurate

Session from Exported session list get purged on cluster if the passive node is disabled, re-booted and rejoined.

Post Failover, Delayed session resumption with Pulse Client.

Release 9.1R1

Behavior of "re-authentication" and "termination" options in radius Return Attribute policy page is interchanged.

Assigned VLAN is not updated if fetched on the next poll and always shows default config-ured. VLAN.

Behavioral Analytics dashboard is not displaying charts for potential malware and anoma-lous traffic from IoT devices for more than 4 device categories intermittently.

MAC address is not updated in the user session details.

Behavior of "re-authentication" and "termination" options in radius Return Attribute policy page is interchanged.

PSAL launch failed when proxy browser is configured.

Fortinet admission control feature will not work with domain users (AD).

Host Checker: Virus Definition Check for updates fails for K7 Virus Security ZERO (14.x),