Focus

User-ID Changes in PAN-OS 8.1

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

GlobalProtect Changes in PAN-OS 8.1

Panorama Changes in PAN-OS 8.1

User-ID Changes in PAN-OS 8.1

In PAN-OS 8.1, usernames are now displayed in their original UPN format and a Primary Username is required. Some User Mapping and Group Mapping options have been moved.

PAN-OS 8.1 has the following change in default behavior for User-ID features:

Feature	Change
Support for Multiple Username Formats	Since multiple username attributes are supported, you must select the primary username attribute that you want to use. Previously, the firewall normalized usernames received from User-ID sources (such as an LDAP directory) to the domain\username format. In PAN-OS 8.1, when the Primary Username is in UPN format, it will not be normalized as in previous PAN-OS versions. As a result, usernames are displayed on the web interface in their original format (for example, username@domain). If you use a Certificate Profile for authentication and the username is Subject Alt, the firewall does not drop the domain name from the email or Principal Name. To support multiple username formats, some web interface options were moved (refer to the callouts in the following screenshots): (1) The DeviceUser IdentificationGroup Mapping SettingsServer ProfileUser ObjectsUser Name option has been moved to DeviceUser IdentificationGroup Mapping SettingsUser and Group AttributesUser Attributes. (3) The DeviceUser IdentificationGroup Mapping SettingsServer ProfileGroup ObjectsGroup Name and Group Member options have been moved to DeviceUser IdentificationGroup Mapping SettingsUser and Group AttributesGroup Attributes. (2) The Mail Domains section previously configured in DeviceUser IdentificationGroup Mapping SettingsServer Profile was moved to the User Attributes and Group Attributes settings in DeviceUser IdentificationGroup Mapping SettingsUser and Group Attributes. Previous Group Mapping Settings Current Group Mapping Settings

Feature

Change

Support for Multiple Username Formats

Since multiple username attributes are supported, you must select the primary username attribute that you want to use.
Previously, the firewall normalized usernames received from User-ID sources (such as an LDAP directory) to the domain\username format. In PAN-OS 8.1, when the Primary Username is in UPN format, it will not be normalized as in previous PAN-OS versions. As a result, usernames are displayed on the web interface in their original format (for example, username@domain).
If you use a Certificate Profile for authentication and the username is Subject Alt, the firewall does not drop the domain name from the email or Principal Name.
To support multiple username formats, some web interface options were moved (refer to the callouts in the following screenshots):
- (1) The DeviceUser IdentificationGroup Mapping SettingsServer ProfileUser ObjectsUser Name option has been moved to DeviceUser IdentificationGroup Mapping SettingsUser and Group AttributesUser Attributes.
- (3) The DeviceUser IdentificationGroup Mapping SettingsServer ProfileGroup ObjectsGroup Name and Group Member options have been moved to DeviceUser IdentificationGroup Mapping SettingsUser and Group AttributesGroup Attributes.
- (2) The Mail Domains section previously configured in DeviceUser IdentificationGroup Mapping SettingsServer Profile was moved to the User Attributes and Group Attributes settings in DeviceUser IdentificationGroup Mapping SettingsUser and Group Attributes.
  
  Previous Group Mapping Settings
  
  Current Group Mapping Settings

GlobalProtect Changes in PAN-OS 8.1

Panorama Changes in PAN-OS 8.1

Next-Generation Firewall Docs

User-ID Changes in PAN-OS 8.1

Next-Generation Firewall Docs

User-ID Changes in PAN-OS 8.1

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner