New Device Support
Cisco FirePOWER via FMC
The latest release of Nipper contains support for Cisco FirePOWER devices that are managed by a Cisco Firewall Management Centre (FMC) in the following configuration sections:
- Administration Settings
- Network Filtering
- Network Protocols and Interfaces
- Network Services
- Routing
- Simple Network Management Protocol Settings (SNMP)
PanOS 10
The latest release of Nipper also contains support for PanOS 10 devices across all configuration sections:
- Network Services
- Authentication Settings
- Administration Settings
- Logon Banner Messages
- SNMP Settings
- Message Logging
- Name Resolution Settings
- Dynamic Host Configuration Protocol (DHCP) Settings
- Network Protocols
- Routing
- Network Filtering
- Remote Access Settings
- Time and Date Settings
A new remote connection method "10 (PANO-OS API)" has been added under "Palo Alto Firewall". This allows Nipper to perform remote connections to your PanOS 10 device and retrieve all the configuration information needed to produce accurate reports.
Enhanced Device Support
Cisco ASA
- Fixed an issue causing a serious error when passive interfaces were default.
Cisco IOS
- Routers: Fixed an issue causing Nipper to not correctly report where default passwords were used.
Cisco IOS XE
- Switches: Virtual Router Redundancy Protocol (VRRP) V3 configuration settings will now be reported on.
Cisco XR
- Fixed an issue causing Cisco Type 7 passwords to not be correctly decrypted in the report.
FortiOS 6
- Fixed an issue causing Nipper to not recognize the use of default community strings.
- Fixed an issue causing Nipper to only display the first configured SNMPv3 user.
- Fixed an issue causing Nipper to not correctly report on wireless interfaces.
- Fixed an issue causing Nipper to not correctly report on interfaces configured with filtering.
PanOS
- HTTP and HTTPS are now reported as being enabled by default.
- Fixed an issue causing Address Objects configured on a filter rule destination to not appear correctly in the report.
- Fixed an issue causing sources and destinations on filter rules to not be correctly treated as "any" rules when configured as such.
PanOS 9
- Fixed an issue causing source/destination ports on filter rules to report as "any" when configured with a service.
Risk and recommendation information in NIST 800-171
- Risk ratings and a recommendations section have been added to Security Requirement 3.1.9 in the NIST 800-171 report.
Bug Fixes
- Made improvements to the logic for matching a configured Blacklist of hosts for NSA-FLTR-009
- Fixed an issue causing XML saves to fail due to a duplicate heading
- Fixed an issue causing Security Audit findings' tables to not be written to JSON logs
- Fixed an issue causing Nipper to incorrectly report overlapping rules in the Filtering Complexity report
- Fixed an issue causing NSA-SNMP-005 to report the wrong community with dictionary based traps
- Fixed an issue causing the audit to continue when cancelling from the License Usage dialog
- Fixed an issue causing the Raw Change Tracking report to be removed when regenerating a report
- Fixed an issue causing the global CVSSv2 Environmental Metric settings to not affect the Vulnerability report
- Fixed an issue causing the first Security Audit finding to not be included in non-streamed JSON logs
- Fixed an issue causing filter rules with HIP Profiles configured to not appear correctly in the report
- Fixed an outdated link in the license agreement
- Improved the speed of Filtering Complexity report generation for devices with large numbers of rules