Palo Alto improvements for versions up to and including PAN-OS® 9.1

All the following improvements/enhancements will be visible within the configuration report and in turn, directly affect Nipper’s other report types when auditing a Palo Alto device up to and including version 9.1.

General Improvements

The following issues when parsing the configuration have been identified and improved upon:

  • BGP Routing
  • Server Profiles

Minor issues and improvements have been identified within the Network Objects and improvements have been made.

Added Support

Each of the following features represents an improvement or the creation of the capability of Nipper to report against the specified item in the device, these include:

  • Basic Information
  • Network Services
  • General Configuration Information
  • Authentication
  • Password Profiles
  • Administration
  • Logon Banner Message
  • Simple Network Management Protocol (SNMP) Settings
  • Message Logging
  • Name Resolution Settings
  • Dynamic Host Configuration Protocol (DHCP) Settings
  • Network Protocols
  • Network Interfaces
  • Network Address Translation (NAT)/Port Address Translation (PAT) Configuration
  • Routing Configuration
  • Network Filtering
  • Intrusion Protection System (IPS) Settings
  • Time and Date
  • Virtual Systems (VSys)
  • Remote Access (VPN Settings)

The benefit for these features includes:

  1. The Configuration report will include the detail of each of these device functions and capabilities meaning that Nipper’s report will be richer.
  2. The Security, STIG and other reports will include findings relating to the features, increasing the Titania coverage of the device features.
  3. The increased coverage of the features and the analysis delivers a more detailed and accurate security report for Palo Alto devices running on PAN-OS 9 and 9.1 ensuring a more complete security posture picture.
  4. Support for PAN-OS 9.1, the version that is used most in deployment.

To further improve Nipper’s accuracy and stability, we have implemented fixes for the following issues:

  • Fixed an issue in the Filtering Differences report when auditing SonicWALL devices where some rules' labels were missing, and some rules were being duplicated.
  • Fixed a dependency issue causing installation of Nipper on CentOS to present an error stating "libtitania-classes.so cannot be found".
Miscellaneous Nipper -> Palo Alto Enhancements

A REST API connector has been implemented to allow for a more robust method of connection between Nipper and Palo Alto devices running on PAN-OS 8 and above. This will allow for full version parsing, meaning that better and more accurate reporting will be available.