User-ID Changes in PAN-OS 8.1

In PAN-OS 8.1, usernames are now displayed in their original UPN format and a Primary Username is required. Some User Mapping and Group Mapping options have been moved.
PAN-OS 8.1 has the following change in default behavior for User-ID features:
Feature: Support for Multiple Username Formats
Change:
  • Since multiple username attributes are supported, you must select the primary username attribute that you want to use.
  • Previously, the firewall normalized usernames received from User-ID sources (such as an LDAP directory) to the domain\username format. In PAN-OS 8.1, when the Primary Username is in UPN format, it will not be normalized as in previous PAN-OS versions. As a result, usernames are displayed on the web interface in their original format (for example, username@domain).
  • If you use a Certificate Profile for authentication and the username field is set to Subject Alt, the firewall does not drop the domain name from the Email or Principal Name.
  • To support multiple username formats, some web interface options were moved (refer to the callouts in the following screenshots):
    • (1) The Device > User Identification > Group Mapping Settings > Server Profile > User Objects > User Name option has been moved to Device > User Identification > Group Mapping Settings > User and Group Attributes > User Attributes.
    • (3) The Device > User Identification > Group Mapping Settings > Server Profile > Group Objects > Group Name and Group Member options have been moved to Device > User Identification > Group Mapping Settings > User and Group Attributes > Group Attributes.
    • (2) The Mail Domains section previously configured in Device > User Identification > Group Mapping Settings > Server Profile was moved to the User Attributes and Group Attributes settings in Device > User Identification > Group Mapping Settings > User and Group Attributes.
      [Screenshot: Previous Group Mapping Settings]
      [Screenshot: Current Group Mapping Settings]
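
Because the same account can appear as domain\username in records written before the upgrade and as username@domain afterwards, anything that keys on the username string (saved filters, correlation rules, reports) should reconcile the two forms. The following is an added example, not Palo Alto Networks code, that groups records by a canonical identity. It assumes the UPN prefix equals the pre-8.1 username, that usernames compare case-insensitively, and that you supply the NetBIOS-to-DNS domain mapping; `DOMAIN_MAP`, the function names and the sample records are constructed for illustration.

```python
# Added example: reconcile domain\username and username@domain forms.
# DOMAIN_MAP and SAMPLE are constructed; replace them with real data.
from collections import defaultdict

# Hypothetical NetBIOS-name -> DNS-domain mapping for the environment.
DOMAIN_MAP = {"ACME": "acme.example"}


def canonical_user(name, domain_map=DOMAIN_MAP):
    """Return (user, domain) for domain\\user or user@domain input.

    A NetBIOS domain missing from domain_map is kept (lowercased) and a
    name with no domain part gets None, so unmapped identities stay
    visible to the analyst instead of being silently merged.
    """
    name = name.strip()
    if "\\" in name:                      # pre-8.1 normalized form
        domain, _, user = name.partition("\\")
        dns = domain_map.get(domain.upper())
        return (user.lower(), dns if dns else domain.lower())
    if "@" in name:                       # UPN form kept as-is in 8.1
        user, _, domain = name.rpartition("@")
        return (user.lower(), domain.lower())
    return (name.lower(), None)


def group_by_identity(records):
    """Group (timestamp, username) records by canonical identity."""
    grouped = defaultdict(list)
    for ts, username in records:
        grouped[canonical_user(username)].append((ts, username))
    return dict(grouped)


# Constructed sample: one account seen before and after an upgrade,
# plus an unmapped domain and a name with no domain part.
SAMPLE = [
    ("2018-03-01T09:00:00", "acme\\jdoe"),
    ("2018-04-01T09:00:00", "jdoe@acme.example"),
    ("2018-04-01T09:05:00", "LEGACY\\svc-backup"),
    ("2018-04-01T09:06:00", "localadmin"),
]

if __name__ == "__main__":
    for identity, hits in group_by_identity(SAMPLE).items():
        print(identity, [u for _, u in hits])
```

Where the UPN prefix differs from the account name used in the domain\username form, string rewriting is not enough and the pairing has to come from the directory attributes themselves.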
