New Features
The following table describes the major features that are introduced in the corresponding release.
Features |
Description |
Release 9.1R13 |
|
Framed-IP Address Pool |
PPS allows the admins to assign IP addresses dynamically for the users or nodes from IP address pools. This feature is applicable only to RADIUS. |
Delegated Admin Control |
This feature enables super admin to configure different access levels to RADIUS, SNMP clients and policy configurations listed in the Network Access menu. |
Release 9.1R12 |
|
MS SQL Server support for Accounting |
PPS supports storing the RADIUS accounting information to an external SQL database. PPS offers SQL Accounting feature under Auth Servers. MSSQL accounting supported only for 802.1x use cases and only one SQL server can be configured. |
Enhancement to prevent MAC Spoofing |
Profiler can now detect a device, which was already scanned and profiled but cannot be scanned anymore. Admin can configure e-mail notification to be sent based on configured interval for devices, which are assigned a group based on the number of failed scan attempts. |
Cascading Authentication Server support |
Cascading multiple external authentication servers provides a continuous, reliable process for authenticating and authorizing external users. If authentication fails on the first authentication server, then PPS attempts to authenticate the user by using the subsequent external authentication server configured in the realm under the sign-in policy page. |
PCS Admission Control using PPS |
The Firewall/SIEM detects compromised remote devices, Firewall/SIEM can send threat alert to PPS and PPS can instruct PCS to take action based on threat severity. |
Release 9.1R11 |
|
PPS and Profiler reporting enhancements |
PPS supports report generation and sending it as a PDF attachment in a scheduled email based on filters and time settings. |
Release 9.1R10 |
|
No new features introduced in this release. See, Noteworthy Changes. |
|
Release 9.1R9 |
|
Firewall Provisioning based on Profile Group |
PPS allows Administrator to provision Auth Table Mapping policy, Resource Access policy and IoT Access policy configured using profile groups for the devices. |
SBR migration service attribute field |
PPS supports Service Type configuration in TACACS+ shell policy in SBR to PPS migration. |
SBR Shared Secret Password Decryption |
PPS supports decryption of shared secret and native user password (encrypted passwords only) in SBR to PPS migration. |
Release 9.1R8 |
|
McAfee ePO integration for endpoint protection |
PPS integration with McAfee ePO supports assessing device security posture through querying of device attribute details and then assigning of roles based on the attribute values. |
Nozomi networks PPS integration and policy provisioning |
PPS integration with Nozomi Networks supports assessing device security posture through querying of device attribute details and then assigning of roles based on the attribute values. |
SBR to PPS migration for TACACS+ usecase |
SBR TACACS+ configurations can be migrated to PPS using configuration file import. |
Support for pool of NTP servers and NTP status check |
PPS now supports pool of NTP servers up to 4 NTP servers to sync date and time. |
Assign RADIUS Return Attributes for Local and MAC Auth Users |
PPS supports configuration of specific/custom attributes and assignment to a user or group of users. Administrator can use RADIUS Return Attribute Policy and User Return Attribute together to enforce on the client for 802.1x and MAC authentication mechanism. |
MSSP Licensing |
PPS now supports MSSP licensing model. |
UEBA package for fresh installation of PPS |
In case you have a fresh installation of PPS, you may download latest UEBA package from Pulse Secure Support Site (https://my.pulsesecure.net) and add the package at Behavior Analysis page before using Adaptive Authentication. |
Profiler |
|
Profiler integration with Nozomi Networks |
Profiler integration with Nozomi Networks supports classifying and categorizing OT devices using device attributes. |
Agentless classification through RSPAN traffic |
Enable passive listening of traffic through RSPAN using TCP and SMB protocols in profiler. This feature helps to detect devices and their attributes for endpoints which are configured with/without static IP addresses |
Device time-bound approval |
This feature allows the administrator to approve devices for a specific time period. |
Profiler UI changes |
The PPS User Interface has new tab for Profiler configuration and maintenance. |
Profiler customized reports |
This feature allows to download custom reports based on the filters applied. |
Release 9.1R6 |
|
Show Serial Number under Licensing Tab |
The PPS Licensing tab (System > Configuration > Licensing) now displays the Serial Number. |
Hardware ID is available on System Maintenance Tab |
The Hardware ID is now included in System Maintenance > Platform tab. |
Host Checker policies hyperlinked to policies page |
Host Checker policies is now clickable (hyperlink) in User Realms page. |
Release 9.1R5 |
|
Pulse Policy Secure on Amazon Web Services (AWS) |
Provides NAC services (802.1x, MAC Auth, L3 Firewall Enforcement) to multiple on-premise networks using PPS deployed on Amazon Web Services (AWS) cloud. |
SNMP policy enforcement (Alcatel-Lucent, Huawei, Arista) |
SNMP policy enforcement is now supported on Alcatel-Lucent, Huawei and Arista switches. |
McAfee ePolicy Orchestrator (ePO) integration |
Pulse Policy Secure (PPS) integration with the McAfee ePolicy Orchestrator (ePO) provides complete visibility of network endpoints and provide end to end network security. The PPS integration with McAfee ePO allows Admin to perform user access control based on alerts received from the McAfee ePO. |
Splunk syslog add-on and Dashboard app |
Splunk application for PPS uses the indexed data to render various charts and to show useful information on dashboard. The Pulse Secure App for Splunk allows you to view PPS data in a dedicated, customizable Splunk dashboard. This bidirectional interaction with Splunk allows security managers to quickly monitor the current operational/security posture. |
IPv6 Support for Syslog, NTP and Log Archive |
PPS now supports sending syslog messages to a syslog server using IPv6 address. Time synchronization using NTP server is now supported with IPv6 address. PPS also supports transferring archived PPS logs using FTP and SCP over IPv6 network. |
SBR to PPS migration |
SBR configurations (802.1x and Mac Address Authentication) can be migrated to PPS using XML import. |
ECC certificate support for Juniper SRX firewall connection |
PPS now supports Elliptic Curve Cryptography (ECC) certificate for SRX firewall connections. |
Host Checker policy to detect hard disk Encryption in progress |
Host Checker policy to allow detection of hard drive encryption in progress. |
MSSQL support on PPS with external DB |
PPS supports MSSQL as external Auth server for 802.1x and Layer 3 authentication. |
PDF report capability |
This feature in PPS allows the user to download the reports (User Summary Report, Single User Activities, Device Summary, Device Discovery, Single Device Activities, Authentication, Compliance, Infected Devices) in PDF format. Apart from the CSV, Tab Limited option, there is an option called PDF provided in PPS Reports. |
Profiler |
|
Backup and Recovery, and Disaster management |
Profiler deployments provides backup mechanism for enhanced disaster management (Profiler Forwarder, Remote Profiler, Centralized Standalone Profiler). |
Viptela Switch Support |
Viptela Switch support is added for SNMP Visibility. |
Release 9.1R4 |
|
Pulse Policy Secure on Azure platform |
Provides NAC services (802.1x, MAC Auth, L3 Firewall Enforcement) to multiple on-premise networks using PPS deployed on Microsoft Azure cloud. |
Huawei - Guest Access |
Supports guest access use cases with Huawei WLC. |
Mist Juniper WLC |
Supports 802.1x and guest access with Juniper Mist WLC. |
TACACS+ support for Arista Switch |
Support Administrator access control for Arista. |
Common Access Card (CAC) support with TACACS+ |
Supports TACACS+ authorization using Pulse Policy Secure. Authentication is performed by the third-party authentication server. |
Provisioning only User-ID information to PAN firewall |
Provides an option to admin in Auth table mapping policy to push only IP-User mapping to Palo Alto Networks firewall. |
System Local user attribute support (Framed-IP-Address) |
Allows to define user Attributes for system local server and associate those attributes to user names, including Framed-IP address. Values of those attributes to be defined for each user name. |
Strong Hash |
Supports protecting passwords stored in local authentication server using strong hash. |
Release 9.1R3 |
|
VSYS Support in PAN |
Pulse Policy Secure supports provisioning user identity and resource access/IoT policies to multiple VSYS or specific VSYS (other than vsys1) on PAN firewall. |
IBM QRadar Integration |
Pulse Policy Secure along with IBM QRadar provides user access control based on threats/events received from IBM QRadar. |
Splunk Integration |
Splunk alert based integration supports sending alert information from Splunk to Pulse Policy Secure. PPS uses its existing functionality of admission control, L2/L3 enforcement and provides role based access control to secure the network. |
Fortinet Identity management using RADIUS accounting messages |
Pulse Policy Secure supports integration with FortiGate firewall using RADIUS accounting messages. |
Mysql support |
Pulse Policy Secure supports MYSQL as external Authentication server. |
Local user account import through CSV in System local DB |
Allows importing user accounts via CSV file in System local auth server. The local authentication server is an authentication database that is built in to PPS. |
SNMP Enforcement using ACL for 3Com, DELL |
SNMP ACL enforcement support is now expanded for 3Com and Dell switches. |
SNMP Enforcement using VLAN for 3Com, Juniper and DELL |
SNMP VLAN enforcement support is now expanded for 3Com, Juniper and Dell switches. |
One-to-One NAT support |
PPS allows auth table provisioning for the endpoints behind NAT (One-to One NAT mapping). |
vTM and PPS Integration for Load Balancing |
The Platform Limit, Maximum Licensed User Count and Cluster Name attribute values are available for optimal load balancing. |
Release 9.1R2 |
|
Alert based integration with Nozomi Networks |
PPS along with Nozomi Networks provides threat detection and threat response in ICS/OT environ-ment. |
Backup configs and archived logs on AWS S3/Azure Storage |
Two new methods of archiving the configurations and archived logs are available apart from SCP and FTP methods: PPS/PCS supports pushing configurations and archived logs to the S3 bucket in the Amazon AWS deployment and to the Azure storage in the Microsoft Azure deployment.
|
EasiSMS Gateway Support |
PPS supports EasiSMS gateway through the SMTP server. EasiSMS uses an email format to send SMS to end user mobile phones. |
Flag Duplicate Machine ID in access logs |
Pulse client expects the machine ID is unique on each machine. If multiple endpoints have the same machine ID, for security reasons, the existing sessions with the same machine id are closed. A new access log message is added to flag the detection of a duplicate Machine ID in the following format: Message: Duplicate machine ID "<Machine_ID>" detected. Ending user session from IP address <IP_address>. Refer document KB25581 for details. |
Migration of Cisco ACS RADIUS/TACACS+ client configuration to PPS |
Migrating RADIUS/TACACS+ client configuration configured on the Cisco ACS device. |
Report Max Used Licens-es to HLS|VLS |
The licensing client reports maximum used sessions count instead of the maximum leased licenses count. For MSP customers, this change helps in billing the tenants based on maximum sessions used. |
V3 to V4 Opswat SDK mi-gration |
PPS supports the migration of servers and clients to Opswat v4 to take advantage of latest updates. |
VA Partition |
PCS/PPS supports upgrading from PCS 8.2Rx/ PPS 5.3Rx to 9.1R2 for the following supported plat-forms: VMWare ESXi KVM Hyper-V When upgrading a VA-SPE running PCS 8.2R5.1/PPS 5.3Rx or below that was deployed with an OVF template to a higher version, the upgrade was failing. This feature solves the upgrade problem for VMWare, KVM and Hyper-V. Refer KB41049 for more details. |
Profiler |
|
Profiler dashboard update |
Profiler dashboard supports chart for Profile Groups. This chart is also part of downloaded PDF re-port. |
Windows defender and Microsoft Security Essen-tials support |
Agentless Host Checker with Profiler supports Windows defender and Microsoft Security Essentials. |
Release 9.1R1 |
|
DNS traffic on any physical interface |
Prior to 9.1R1 release, DNS traffic was sent over the Internal interface. Starting with 9.1R1 release, an administrator can modify the DNS setting to any physical interface namely Internal Port, External Port or Management Port. |
Google Auth Multi Factor Authentication |
TOTP server can be added as a secondary auth server in PPS. |
Machine certificate check on MacOS |
Machine certificate check on Mac OS is now supported for PPS. |
Meraki 802.1x and Guest Access support |
802.1X and Guest Access support is qualified with Cisco Meraki WLC. |
RADIUS server capability on External port |
802.1X authentication is now supported on external port. |
SAML Auth Server support |
PPS can be configured as SAML service provider (SP) for all industry standard SAML IdP's. |
Session bridging for Linux Platform |
PPS supports bridging the Layer 2 Native Supplicant 802.1X session with Layer3 Agentless (Browser based) Session on Linux platform. |
Session Migration using Cert authentication |
Session migration in an IF-MAP federated network supports Cert Auth and SAML auth |
SNMP Enforcement using ACL (Cisco, HP, Juniper) |
SNMP enforcement using ACL is supported for Cisco, Juniper and HP switches. |
TACACS+ Enhancements - DB sync, pass back attributes to devices such as F5 and Juniper |
TACACS+ authorization support for Administrators using custom attributes for Juniper and F5 devices. |
TACACS+ configuration synchronization across WAN cluster |
|
Profiler |
|
Distributed Profiler Enhancements |
The Administrators can sync the profiled data from one Profiler to another from the profiler auth server configuration page. Multiple branch offices can sync their profiled data to central office. Ad-min can view the Device Discovery Report to view and control the multiple offices. |
Profiler Device Age Out |
Profiler device age-out interval configuration allows admin to automatically delete the devices from the database. Admin can define the age-out interval for a group of devices also using Profile Groups |
Profile Windows devices using SNMP (HOST) |
SNMP-HOST Collector is a collection method that receives endpoint information where the end-points are monitored through SNMP. Admin can configure subnets to scan and community strings in profiler auth server configuration page. |
Approval for Profile Groups |
Administrator can select "needs approval" for selected Profiler group. |
Key-value based search in DDR |
Administrator can search in DDR with key value-based query. Query syntax is similar to that of pro-file groups. |
Publishing IP address from Profiler to Active User Session |
Admin can add IP address from Profiler to active session for L3 enforcement when RADIUS account-ing is not enabled. This is supported only for MAC auth and dot1X. |
Huawei switches added in supported list for Network Infrastructure Device |
Admin can select Huawei switch from supported list in network infrastructure device page. |