New Features
The following table describes the major features that are introduced in the corresponding release.
| Features | Description |
| --- | --- |
| Release 9.1R13 | |
| Framed-IP Address Pool | PPS allows admins to dynamically assign IP addresses to users or nodes from IP address pools. This feature is applicable only to RADIUS. |
| Delegated Admin Control | This feature enables the super admin to configure different access levels to RADIUS, SNMP clients and policy configurations listed in the Network Access menu. |
| Release 9.1R12 | |
| MS SQL Server support for Accounting | PPS supports storing RADIUS accounting information in an external SQL database. PPS offers the SQL Accounting feature under Auth Servers. MSSQL accounting is supported only for 802.1x use cases, and only one SQL server can be configured. |
| Enhancement to prevent MAC Spoofing | Profiler can now detect a device that was already scanned and profiled but can no longer be scanned. The admin can configure e-mail notifications to be sent at a configured interval for devices that are assigned to a group based on the number of failed scan attempts. |
| Cascading Authentication Server support | Cascading multiple external authentication servers provides a continuous, reliable process for authenticating and authorizing external users. If authentication fails on the first authentication server, PPS attempts to authenticate the user by using the subsequent external authentication server configured in the realm under the sign-in policy page. |
| PCS Admission Control using PPS | When the Firewall/SIEM detects compromised remote devices, it can send a threat alert to PPS, and PPS can instruct PCS to take action based on threat severity. |
| Release 9.1R11 | |
| PPS and Profiler reporting enhancements | PPS supports generating reports and sending them as PDF attachments in scheduled emails, based on filters and time settings. |
| Release 9.1R10 | |
| No new features are introduced in this release. See Noteworthy Changes. | |
| Release 9.1R9 | |
| Firewall Provisioning based on Profile Group | PPS allows the administrator to provision the Auth Table Mapping policy, Resource Access policy and IoT Access policy configured using profile groups for the devices. |
| SBR migration service attribute field | PPS supports Service Type configuration in the TACACS+ shell policy in SBR to PPS migration. |
| SBR Shared Secret Password Decryption | PPS supports decryption of the shared secret and native user password (encrypted passwords only) in SBR to PPS migration. |
| Release 9.1R8 | |
| McAfee ePO integration for endpoint protection | PPS integration with McAfee ePO supports assessing device security posture by querying device attribute details and then assigning roles based on the attribute values. |
| Nozomi networks PPS integration and policy provisioning | PPS integration with Nozomi Networks supports assessing device security posture by querying device attribute details and then assigning roles based on the attribute values. |
| SBR to PPS migration for TACACS+ use case | SBR TACACS+ configurations can be migrated to PPS using configuration file import. |
| Support for pool of NTP servers and NTP status check | PPS now supports a pool of up to 4 NTP servers to sync date and time. |
| Assign RADIUS Return Attributes for Local and MAC Auth Users | PPS supports configuration of specific/custom attributes and their assignment to a user or group of users. The administrator can use the RADIUS Return Attribute Policy and User Return Attribute together to enforce them on the client for the 802.1x and MAC authentication mechanisms. |
| MSSP Licensing | PPS now supports the MSSP licensing model. |
| UEBA package for fresh installation of PPS | If you have a fresh installation of PPS, you can download the latest UEBA package from the Pulse Secure Support Site (https://my.pulsesecure.net) and add the package on the Behavior Analysis page before using Adaptive Authentication. |
| Profiler | |
| Profiler integration with Nozomi Networks | Profiler integration with Nozomi Networks supports classifying and categorizing OT devices using device attributes. |
| Agentless classification through RSPAN traffic | Enables passive listening of traffic through RSPAN using the TCP and SMB protocols in Profiler. This feature helps detect devices and their attributes for endpoints that are configured with or without static IP addresses. |
| Device time-bound approval | This feature allows the administrator to approve devices for a specific time period. |
| Profiler UI changes | The PPS User Interface has a new tab for Profiler configuration and maintenance. |
| Profiler customized reports | This feature allows downloading custom reports based on the filters applied. |
| Release 9.1R6 | |
| Show Serial Number under Licensing Tab | The PPS Licensing tab (System > Configuration > Licensing) now displays the Serial Number. |
| Hardware ID is available on System Maintenance Tab | The Hardware ID is now included in the System Maintenance > Platform tab. |
| Host Checker policies hyperlinked to policies page | Host Checker policies are now clickable (hyperlinked) on the User Realms page. |
| Release 9.1R5 | |
| Pulse Policy Secure on Amazon Web Services (AWS) | Provides NAC services (802.1x, MAC Auth, L3 Firewall Enforcement) to multiple on-premise networks using PPS deployed on the Amazon Web Services (AWS) cloud. |
| SNMP policy enforcement (Alcatel-Lucent, Huawei, Arista) | SNMP policy enforcement is now supported on Alcatel-Lucent, Huawei and Arista switches. |
| McAfee ePolicy Orchestrator (ePO) integration | Pulse Policy Secure (PPS) integration with the McAfee ePolicy Orchestrator (ePO) provides complete visibility of network endpoints and end-to-end network security. The PPS integration with McAfee ePO allows the admin to perform user access control based on alerts received from the McAfee ePO. |
| Splunk syslog add-on and Dashboard app | The Splunk application for PPS uses the indexed data to render various charts and to show useful information on the dashboard. The Pulse Secure App for Splunk allows you to view PPS data in a dedicated, customizable Splunk dashboard. This bidirectional interaction with Splunk allows security managers to quickly monitor the current operational/security posture. |
| IPv6 Support for Syslog, NTP and Log Archive | PPS now supports sending syslog messages to a syslog server using an IPv6 address. Time synchronization using an NTP server is now supported with an IPv6 address. PPS also supports transferring archived PPS logs using FTP and SCP over an IPv6 network. |
| SBR to PPS migration | SBR configurations (802.1x and MAC Address Authentication) can be migrated to PPS using XML import. |
| ECC certificate support for Juniper SRX firewall connection | PPS now supports Elliptic Curve Cryptography (ECC) certificates for SRX firewall connections. |
| Host Checker policy to detect hard disk Encryption in progress | Host Checker policy to allow detection of hard drive encryption in progress. |
| MSSQL support on PPS with external DB | PPS supports MSSQL as an external Auth server for 802.1x and Layer 3 authentication. |
| PDF report capability | This feature in PPS allows the user to download the reports (User Summary Report, Single User Activities, Device Summary, Device Discovery, Single Device Activities, Authentication, Compliance, Infected Devices) in PDF format. Apart from the CSV and Tab Limited options, PPS Reports provides an option called PDF. |
| Profiler | |
| Backup and Recovery, and Disaster management | Profiler deployments provide a backup mechanism for enhanced disaster management (Profiler Forwarder, Remote Profiler, Centralized Standalone Profiler). |
| Viptela Switch Support | Viptela Switch support is added for SNMP Visibility. |
| Release 9.1R4 | |
| Pulse Policy Secure on Azure platform | Provides NAC services (802.1x, MAC Auth, L3 Firewall Enforcement) to multiple on-premise networks using PPS deployed on the Microsoft Azure cloud. |
| Huawei - Guest Access | Supports guest access use cases with Huawei WLC. |
| Mist Juniper WLC | Supports 802.1x and guest access with Juniper Mist WLC. |
| TACACS+ support for Arista Switch | Supports Administrator access control for Arista. |
| Common Access Card (CAC) support with TACACS+ | Supports TACACS+ authorization using Pulse Policy Secure. Authentication is performed by the third-party authentication server. |
| Provisioning only User-ID information to PAN firewall | Provides the admin an option in the Auth table mapping policy to push only the IP-User mapping to the Palo Alto Networks firewall. |
| System Local user attribute support (Framed-IP-Address) | Allows defining user attributes for the system local server and associating those attributes with user names, including Framed-IP address. Values of those attributes are to be defined for each user name. |
| Strong Hash | Supports protecting passwords stored in the local authentication server using a strong hash. |
| Release 9.1R3 | |
| VSYS Support in PAN | Pulse Policy Secure supports provisioning user identity and resource access/IoT policies to multiple VSYS or a specific VSYS (other than vsys1) on the PAN firewall. |
| IBM QRadar Integration | Pulse Policy Secure along with IBM QRadar provides user access control based on threats/events received from IBM QRadar. |
| Splunk Integration | Splunk alert-based integration supports sending alert information from Splunk to Pulse Policy Secure. PPS uses its existing functionality of admission control and L2/L3 enforcement, and provides role-based access control to secure the network. |
| Fortinet Identity management using RADIUS accounting messages | Pulse Policy Secure supports integration with the FortiGate firewall using RADIUS accounting messages. |
| MySQL support | Pulse Policy Secure supports MySQL as an external Authentication server. |
| Local user account import through CSV in System local DB | Allows importing user accounts via a CSV file in the System local auth server. The local authentication server is an authentication database that is built in to PPS. |
| SNMP Enforcement using ACL for 3Com, DELL | SNMP ACL enforcement support is now expanded for 3Com and Dell switches. |
| SNMP Enforcement using VLAN for 3Com, Juniper and DELL | SNMP VLAN enforcement support is now expanded for 3Com, Juniper and Dell switches. |
| One-to-One NAT support | PPS allows auth table provisioning for the endpoints behind NAT (One-to-One NAT mapping). |
| vTM and PPS Integration for Load Balancing | The Platform Limit, Maximum Licensed User Count and Cluster Name attribute values are available for optimal load balancing. |
| Release 9.1R2 | |
| Alert based integration with Nozomi Networks | PPS along with Nozomi Networks provides threat detection and threat response in an ICS/OT environment. |
| Backup configs and archived logs on AWS S3/Azure Storage | Two new methods of archiving the configurations and archived logs are available apart from the SCP and FTP methods: PPS/PCS supports pushing configurations and archived logs to the S3 bucket in the Amazon AWS deployment and to the Azure storage in the Microsoft Azure deployment. |
| EasiSMS Gateway Support | PPS supports the EasiSMS gateway through the SMTP server. EasiSMS uses an email format to send SMS to end user mobile phones. |
| Flag Duplicate Machine ID in access logs | Pulse client expects the machine ID to be unique on each machine. If multiple endpoints have the same machine ID, for security reasons, the existing sessions with the same machine ID are closed. A new access log message is added to flag the detection of a duplicate Machine ID in the following format: Message: Duplicate machine ID "<Machine_ID>" detected. Ending user session from IP address <IP_address>. Refer to document KB25581 for details. |
| Migration of Cisco ACS RADIUS/TACACS+ client configuration to PPS | Supports migrating the RADIUS/TACACS+ client configuration configured on the Cisco ACS device. |
| Report Max Used Licenses to HLS\|VLS | The licensing client reports the maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used. |
| V3 to V4 Opswat SDK migration | PPS supports the migration of servers and clients to Opswat v4 to take advantage of the latest updates. |
| VA Partition | PCS/PPS supports upgrading from PCS 8.2Rx/PPS 5.3Rx to 9.1R2 for the following supported platforms: VMWare ESXi, KVM, Hyper-V. When upgrading a VA-SPE running PCS 8.2R5.1/PPS 5.3Rx or below that was deployed with an OVF template to a higher version, the upgrade was failing. This feature solves the upgrade problem for VMWare, KVM and Hyper-V. Refer to KB41049 for more details. |
| Profiler | |
| Profiler dashboard update | The Profiler dashboard supports a chart for Profile Groups. This chart is also part of the downloaded PDF report. |
| Windows Defender and Microsoft Security Essentials support | Agentless Host Checker with Profiler supports Windows Defender and Microsoft Security Essentials. |
| Release 9.1R1 | |
| DNS traffic on any physical interface | Prior to the 9.1R1 release, DNS traffic was sent over the Internal interface. Starting with the 9.1R1 release, an administrator can change the DNS setting to any physical interface, namely Internal Port, External Port or Management Port. |
| Google Auth Multi Factor Authentication | A TOTP server can be added as a secondary auth server in PPS. |
| Machine certificate check on macOS | Machine certificate check on macOS is now supported for PPS. |
| Meraki 802.1x and Guest Access support | 802.1X and Guest Access support is qualified with Cisco Meraki WLC. |
| RADIUS server capability on External port | 802.1X authentication is now supported on the external port. |
| SAML Auth Server support | PPS can be configured as a SAML service provider (SP) for all industry-standard SAML IdPs. |
| Session bridging for Linux Platform | PPS supports bridging the Layer 2 Native Supplicant 802.1X session with the Layer 3 Agentless (browser-based) session on the Linux platform. |
| Session Migration using Cert authentication | Session migration in an IF-MAP federated network supports Cert Auth and SAML auth. |
| SNMP Enforcement using ACL (Cisco, HP, Juniper) | SNMP enforcement using ACL is supported for Cisco, Juniper and HP switches. |
| TACACS+ Enhancements - DB sync, pass back attributes to devices such as F5 and Juniper | TACACS+ authorization support for Administrators using custom attributes for Juniper and F5 devices. |
| TACACS+ configuration synchronization across WAN cluster | |
| Profiler | |
| Distributed Profiler Enhancements | Administrators can sync the profiled data from one Profiler to another from the Profiler auth server configuration page. Multiple branch offices can sync their profiled data to the central office. The admin can view the Device Discovery Report to view and control the multiple offices. |
| Profiler Device Age Out | The Profiler device age-out interval configuration allows the admin to automatically delete devices from the database. The admin can also define the age-out interval for a group of devices using Profile Groups. |
| Profile Windows devices using SNMP (HOST) | SNMP-HOST Collector is a collection method that receives endpoint information where the endpoints are monitored through SNMP. The admin can configure subnets to scan and community strings on the Profiler auth server configuration page. |
| Approval for Profile Groups | The administrator can select "needs approval" for a selected Profiler group. |
| Key-value based search in DDR | The administrator can search in DDR with a key-value-based query. Query syntax is similar to that of profile groups. |
| Publishing IP address from Profiler to Active User Session | The admin can add an IP address from Profiler to an active session for L3 enforcement when RADIUS accounting is not enabled. This is supported only for MAC auth and dot1X. |
| Huawei switches added in supported list for Network Infrastructure Device | The admin can select a Huawei switch from the supported list on the network infrastructure device page. |