Focus

User-ID Changes in PAN-OS 8.1

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 9.1
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1

GlobalProtect Changes in PAN-OS 8.1

Panorama Changes in PAN-OS 8.1

User-ID Changes in PAN-OS 8.1

In PAN-OS 8.1, usernames are now displayed in their original UPN format and a Primary Username is required. Some User Mapping and Group Mapping options have been moved.

PAN-OS 8.1 has the following change in default behavior for User-ID features:

Feature	Change
Support for Multiple Username Formats	Since multiple username attributes are supported, you must select the primary username attribute that you want to use . Previously, the firewall normalized usernames received from User-ID sources (such as an LDAP directory) to the domain\username format. In PAN-OS 8.1, when the Primary Username is in UPN format, it will not be normalized as in previous PAN-OS versions. As a result, usernames are displayed on the web interface in their original format (for example, username@domain ). If you use a Certificate Profile for authentication and the username is Subject Alt, the firewall does not drop the domain name from the email or Principal Name. To support multiple username formats, some web interface options were moved (refer to the callouts in the following screenshots): (1) The Device User Identification Group Mapping Settings Server Profile User Objects User Name option has been moved to Device User Identification Group Mapping Settings User and Group Attributes User Attributes . (3) The Device User Identification Group Mapping Settings Server Profile Group Objects Group Name and Group Member options have been moved to Device User Identification Group Mapping Settings User and Group Attributes Group Attributes . (2) The Mail Domains section previously configured in Device User Identification Group Mapping Settings Server Profile was moved to the User Attributes and Group Attributes settings in Device User Identification Group Mapping Settings User and Group Attributes . Previous Group Mapping Settings Current Group Mapping Settings

Feature

Change

Support for Multiple Username Formats

Since multiple username attributes are supported, you must select the primary username attribute that you want to use

Previously, the firewall normalized usernames received from User-ID sources (such as an LDAP directory) to the

domain\username

format. In PAN-OS 8.1, when the

Primary Username

is in UPN format, it will not be normalized as in previous PAN-OS versions. As a result, usernames are displayed on the web interface in their original format (for example,

username@domain

If you use a Certificate Profile for authentication and the username is Subject Alt, the firewall does not drop the domain name from the email or Principal Name.

To support multiple username formats, some web interface options were moved (refer to the callouts in the following screenshots):

(1) The

Device

User Identification

Group Mapping Settings

Server Profile

User Objects

User Name

option has been moved to

Device

User Identification

Group Mapping Settings

User and Group Attributes

User Attributes

(3) The

Device

User Identification

Group Mapping Settings

Server Profile

Group Objects

Group Name

and

Group Member

options have been moved to

Device

User Identification

Group Mapping Settings

User and Group Attributes

Group Attributes

(2) The Mail Domains section previously configured in

Device

User Identification

Group Mapping Settings

Server Profile

was moved to the User Attributes and Group Attributes settings in

Device

User Identification

Group Mapping Settings

User and Group Attributes

Previous Group Mapping Settings

Current Group Mapping Settings

GlobalProtect Changes in PAN-OS 8.1

Panorama Changes in PAN-OS 8.1

Next-Generation Firewall Docs

User-ID Changes in PAN-OS 8.1

Next-Generation Firewall Docs

User-ID Changes in PAN-OS 8.1

Recommended For You

Activation and Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner