Nipper 2.13 adds support for Cisco FirePOWER next-generation firewall (NGFW) and PAN-OS 10 devices
Date published: 07 Jun 2022
Continuing our tradition of enhancing accuracy and building on support with each new release, Nipper 2.13 offers enhanced device support. This update includes Palo Alto devices to cover PAN-OS 10, and Cisco devices to include FirePOWER devices, as well as performance improvements and more.
The latest release introduces support for Cisco FirePOWER next-generation firewall (NGFW) threat defense devices that are managed by a Cisco Firewall Management Centre (FMC). To audit a number of FirePOWER Threat Defense firewalls (FTDs) managed by an FMC, Nipper audits the FMC itself and uses the FMC's management API to retrieve the configurations of the managed devices. Nipper 2.13.0 provides parsing of the most security-critical sections of the FTD device configuration for Cisco FirePOWER next-generation firewalls:
- Network Filtering
- Network Protocols and Interfaces
- Network Services Routing
- SNMP Settings
This does not cover Authentication, NTP (Date & Time), VPN remote access, Banners, Message logging, IPS (IDS), NAT/PAT or DHCP / DNS. If these are features that you would like included for FirePOWER devices, please contact us.
The latest release has enhanced Nipper's Palo Alto Firewall plugin to support firewalls running PAN-OS 10. Palo Alto Firewalls running PAN-OS 10 can now be audited in Nipper in exactly the same way as for older PAN-OS versions. PAN-OS 10 configuration files will appear in Nipper as "Palo Alto Firewall", the same as for older versions. Note: Support for adding Panorama devices on PAN-OS 10 is not currently available. This will be implemented in a future release.
NIST 800-171 module: Risk ratings and a recommendations section have been added to Security Requirement 3.1.9 in the NIST 800-171 report.
SNMP v3 Security Checks: A number of checks have been added to the Security Audit to diagnose vulnerabilities related to SNMP v3. The Security Audit will now report the following new security risks:
- SNMP v3 users configured with no authentication or privacy (NSA-SNMP-014)
- SNMP v3 user configured with no privacy (NSA-SNMP-015)
- Weak SNMP v3 user authentication hashing algorithm configured (NSA-SNMP-021)
- Weak SNMP v3 user privacy encryption algorithm configured (NSA-SNMP-0)
Speed-up in Filtering Complexity analysis: the Filtering Complexity report has been given an overhaul to improve its performance. The report's processing of the filter rules in a device configuration has been made approximately 50 times faster, offering an immense saving of time to users who are running the report against configurations with a large number of filter rules.
As with each new release, we have updated the vulnerabilities our software detects from the National Vulnerability Database (NVD) and the PSIRT resources for Cisco devices.
For more information about what’s included in this release, please see the full release notes in the Support area of this site.
How to access the latest version of Nipper
Current customers can access the latest version by launching Nipper and following the prompts on the launch screen to update to version 2.13.0. Alternatively, visit the download area of your account on our website and access the latest version from there.
See it in action
If you’re not a customer and would like to see the latest version of Nipper in action, request a trial today.